From d50e846747ec552349a2586b5424451342864578 Mon Sep 17 00:00:00 2001
From: Ethan <39577870+ethanndickson@users.noreply.github.com>
Date: Fri, 21 Feb 2025 12:21:20 +1100
Subject: [PATCH] fix: block vpn tailnet endpoint when `--browser-only` is set
 (#16647)

The work on CoderVPN required a new user-scoped `/tailnet` endpoint for
coordinating with multiple workspace agents, and receiving workspace
updates. Much like the `/coordinate` endpoint, this needs to respect the
`CODER_BROWSER_ONLY`/`--browser-only` deployment config value.
---
 coderd/workspaceagents.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/coderd/workspaceagents.go b/coderd/workspaceagents.go
index 8132da9bd7..ddfb21a751 100644
--- a/coderd/workspaceagents.go
+++ b/coderd/workspaceagents.go
@@ -906,6 +906,7 @@ func (api *API) workspaceAgentClientCoordinate(rw http.ResponseWriter, r *http.R
 	}
 
 	// This is used by Enterprise code to control the functionality of this route.
+	// Namely, disabling the route using `CODER_BROWSER_ONLY`.
 	override := api.WorkspaceClientCoordinateOverride.Load()
 	if override != nil {
 		overrideFunc := *override
@@ -1576,6 +1577,16 @@ func (api *API) workspaceAgentsExternalAuthListen(ctx context.Context, rw http.R
 func (api *API) tailnetRPCConn(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 
+	// This is used by Enterprise code to control the functionality of this route.
+	// Namely, disabling the route using `CODER_BROWSER_ONLY`.
+	override := api.WorkspaceClientCoordinateOverride.Load()
+	if override != nil {
+		overrideFunc := *override
+		if overrideFunc != nil && overrideFunc(rw) {
+			return
+		}
+	}
+
 	version := "2.0"
 	qv := r.URL.Query().Get("version")
 	if qv != "" {