Peter Steinberger
3a74dc00bf
fix(gateway): land #38725 from @ademczuk
...
Source: #38725 / 533ff3e70bdb9fd184392935e8b2f5043b176fca by @ademczuk.
Thanks @ademczuk.
Co-authored-by: ademczuk <andrew.demczuk@gmail.com>
2026-03-07 22:35:38 +00:00
Vincent Koc
e4d80ed556
CI: restore main detect-secrets scan (#38438)
...
* Tests: stabilize detect-secrets fixtures
* Tests: fix rebased detect-secrets false positives
* Docs: keep snippets valid under detect-secrets
* Tests: finalize detect-secrets false-positive fixes
* Tests: reduce detect-secrets false positives
* Tests: keep detect-secrets pragmas inline
* Tests: remediate next detect-secrets batch
* Tests: tighten detect-secrets allowlists
* Tests: stabilize detect-secrets formatter drift
2026-03-07 10:06:35 -08:00
Josh Avant
72cf9253fc
Gateway: add SecretRef support for gateway.auth.token with auth-mode guardrails (#35094)
2026-03-05 12:53:56 -06:00
Peter Steinberger
08431da5d5
refactor(gateway): unify credential precedence across entrypoints
2026-02-22 18:55:44 +01:00
Peter Steinberger
b109fa53ea
refactor(core): dedupe gateway runtime and config tests
2026-02-22 07:44:57 +00:00
Peter Steinberger
16f6b55cd4
test(gateway): dedupe tailscale header auth fixtures
2026-02-22 07:44:57 +00:00
Peter Steinberger
be7f825006
refactor(gateway): harden proxy client ip resolution
2026-02-21 13:36:23 +01:00
Peter Steinberger
36a0df423d
refactor(gateway): make ws and http auth surfaces explicit
2026-02-21 13:33:09 +01:00
Peter Steinberger
356d61aacf
fix(gateway): scope tailscale tokenless auth to websocket
2026-02-21 13:03:13 +01:00
Gustavo Madeira Santana
c5698caca3
Security: default gateway auth bootstrap and explicit mode none (#20686)
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: be1b73182cdca9c2331e2113bd1a08b977181974
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
2026-02-19 02:35:50 -05:00
cpojer
084e39b519
chore: Fix types in tests 38/N.
2026-02-17 15:50:07 +09:00
Peter Steinberger
9b70849567
refactor(test): dedupe trusted-proxy auth test setup
2026-02-16 18:31:37 +00:00
Nick Taylor
1fb52b4d7b
feat(gateway): add trusted-proxy auth mode (#15940)
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 279d4b304f83186fda44dfe63a729406a835dafa
Co-authored-by: nickytonline <833231+nickytonline@users.noreply.github.com>
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Reviewed-by: @steipete
2026-02-14 12:32:17 +01:00
Harald Buerbaumer
30b6eccae5
feat(gateway): add auth rate-limiting & brute-force protection (#15035)
...
* feat(gateway): add auth rate-limiting & brute-force protection
Add a per-IP sliding-window rate limiter to Gateway authentication
endpoints (HTTP, WebSocket upgrade, and WS message-level auth).
When gateway.auth.rateLimit is configured, failed auth attempts are
tracked per client IP. Once the threshold is exceeded within the
sliding window, further attempts are blocked with HTTP 429 + Retry-After
until the lockout period expires. Loopback addresses are exempt by
default so local CLI sessions are never locked out.
The limiter is only created when explicitly configured (undefined
otherwise), keeping the feature fully opt-in and backward-compatible.
* fix(gateway): isolate auth rate-limit scopes and normalize 429 responses
---------
Co-authored-by: buerbaumer <buerbaumer@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-02-13 15:32:38 +01:00
cpojer
f06dd8df06
chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports.
2026-02-01 10:03:47 +09:00
Peter Steinberger
3314b3996e
fix: harden gateway auth defaults
2026-01-26 18:24:26 +00:00
Peter Steinberger
fd9be79be1
fix: harden tailscale serve auth
2026-01-26 12:49:19 +00:00
Peter Steinberger
e6e71457e0
fix: honor trusted proxy client IPs (PR #1654)
...
Thanks @ndbroadbent.
Co-authored-by: Nathan Broadbent <git@ndbroadbent.com>
2026-01-25 01:52:19 +00:00
Palash Oswal
d43d4fcced
Gateway auth: accept local Tailscale Serve hostnames and tailnet IPs (#885)
...
* Gateway auth: accept local Tailscale Serve hostnames and tailnet IPs
* fix: allow local Tailscale Serve hostnames (#885) (thanks @oswalpalash)
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-01-16 07:51:25 +00:00
Roshan Singh
7616b02bb1
Fix tailscale allowTailscale bypass in token mode
2026-01-13 04:34:28 +00:00
Peter Steinberger
36fa3c3cd3
fix: improve ws close diagnostics
2026-01-08 22:18:07 +00:00
Peter Steinberger
d69064f364
fix(gateway): avoid crash in handshake auth
2025-12-21 00:41:06 +00:00