Tailscale Authentication: if we're connecting within the tailnet, use that

config/dev.exs

@@ -16,7 +16,7 @@ config :sso_bsn, SsoBsn.Repo,
 config :sso_bsn, SsoBsnWeb.Endpoint,
   # Binding to loopback ipv4 address prevents access from other machines.
   # Change to `ip: {0, 0, 0, 0}` to allow access from other machines.
-  http: [ip: {127, 0, 0, 1}, port: 4000],
+  http: [ip: {0, 0, 0, 0}, port: 4000],
   check_origin: false,
   code_reloader: true,
   debug_errors: true,

flake.nix

@@ -90,6 +90,7 @@
         };
         config.systemd.services.sso-bsn = lib.mkIf cfg.enable {
           description = "sso-bsn";
+          path = [pkgs.tailscale];
           environment = {
             SERVER = "true";
             DATABASE_PATH = "/var/lib/sso-bsn/db.sqlite";

lib/sso_bsn_web/router.ex

@@ -1,5 +1,6 @@
 defmodule SsoBsnWeb.Router do
   use SsoBsnWeb, :router
+  use SsoBsnWeb, :verified_routes
 
   import SsoBsnWeb.UserAuth
 
@@ -47,9 +48,21 @@ defmodule SsoBsnWeb.Router do
   end
 
   ## Authentication routes
+  defp ts_auth(conn, _) do
+    ip = conn.req_headers |> Map.new |> Map.get("x-real-ip")
+    case System.cmd("tailscale", ["whois", "--json", ip], stderr_to_stdout: true) do
+      {json, 0} ->
+        username = Jason.decode!(json)["UserProfile"]["DisplayName"]
+        user = SsoBsn.Accounts.get_user_by_username(username)
+        login_token = SsoBsn.Accounts.generate_user_login_token(user)
+        conn |> redirect(to: if next = conn.query_params["next"] do ~p"/users/log_in/#{login_token}?next=#{next}" else ~p"/users/log_in/#{login_token}" end) |> halt()
+      {_, 1} ->
+        conn
+    end
+  end
 
   scope "/", SsoBsnWeb do
-    pipe_through [:browser, :redirect_if_user_is_authenticated]
+    pipe_through [:browser, :redirect_if_user_is_authenticated, :ts_auth]
 
     live_session :redirect_if_user_is_authenticated,
       on_mount: [{SsoBsnWeb.UserAuth, :redirect_if_user_is_authenticated}] do