fix: pre-emptive review pass — cover all auth methods and routing edge cases

2026-03-12 19:33:58 +00:00 · 2026-03-12 19:33:58 +00:00 · b6c4c82a63
parent e01a6d7c49
commit b6c4c82a63
2 changed files with 47 additions and 1 deletions
--- a/src/gateway/server/ws-connection/connect-policy.test.ts
+++ b/src/gateway/server/ws-connection/connect-policy.test.ts
@ -385,6 +385,48 @@ describe("ws connect policy", () => {
      }),
    ).toBe(false);

+    // Backend client authenticated via verified Tailscale identity is trusted.
+    expect(
+      shouldSkipBackendSelfPairing({
+        connectParams: makeConnectParams(
+          GATEWAY_CLIENT_IDS.GATEWAY_CLIENT,
+          GATEWAY_CLIENT_MODES.BACKEND,
+        ),
+        isLocalClient: true,
+        hasBrowserOriginHeader: false,
+        sharedAuthOk: true,
+        authMethod: "tailscale",
+      }),
+    ).toBe(true);
+
+    // Remote backend client over Tailscale is also trusted.
+    expect(
+      shouldSkipBackendSelfPairing({
+        connectParams: makeConnectParams(
+          GATEWAY_CLIENT_IDS.GATEWAY_CLIENT,
+          GATEWAY_CLIENT_MODES.BACKEND,
+        ),
+        isLocalClient: false,
+        hasBrowserOriginHeader: false,
+        sharedAuthOk: true,
+        authMethod: "tailscale",
+      }),
+    ).toBe(true);
+
+    // Browser-origin Tailscale backend connection is still rejected.
+    expect(
+      shouldSkipBackendSelfPairing({
+        connectParams: makeConnectParams(
+          GATEWAY_CLIENT_IDS.GATEWAY_CLIENT,
+          GATEWAY_CLIENT_MODES.BACKEND,
+        ),
+        isLocalClient: false,
+        hasBrowserOriginHeader: true,
+        sharedAuthOk: true,
+        authMethod: "tailscale",
+      }),
+    ).toBe(false);
+
    expect(
      shouldSkipBackendSelfPairing({
        connectParams: makeConnectParams("webchat", GATEWAY_CLIENT_MODES.BACKEND),
--- a/src/gateway/server/ws-connection/connect-policy.ts
+++ b/src/gateway/server/ws-connection/connect-policy.ts
@ -92,7 +92,11 @@ export function shouldSkipBackendSelfPairing(params: {
    return false;
  }
  // token/password: sharedAuthOk is set specifically for these in auth-context.ts.
-  const usesSharedSecretAuth = params.authMethod === "token" || params.authMethod === "password";
+  // tailscale: WS auth can also attest a backend client via verified Tailscale identity.
+  const usesSharedSecretAuth =
+    params.authMethod === "token" ||
+    params.authMethod === "password" ||
+    params.authMethod === "tailscale";
  // device-token: a derived credential issued after initial shared-secret pairing. sharedAuthOk
  // stays false for device-token in the WS flow (auth-context.ts only sets it for token/password/
  // trusted-proxy), so we gate on authOk directly instead.