From 274d976c5bfa87e552cda994d0d4bbe00b3885d2 Mon Sep 17 00:00:00 2001
From: pascal
Date: Thu, 12 Mar 2026 18:32:40 +0100
Subject: [PATCH 1/3] exclude proxy from peer approval

---
 .../internals/shared/grpc/proxy_auth.go | 28 ++++++++++---------
 management/server/peer.go | 2 +-
 2 files changed, 16 insertions(+), 14 deletions(-)

diff --git a/management/internals/shared/grpc/proxy_auth.go b/management/internals/shared/grpc/proxy_auth.go
index dd593dfa079..08a28c60253 100644
--- a/management/internals/shared/grpc/proxy_auth.go
+++ b/management/internals/shared/grpc/proxy_auth.go
@@ -71,13 +71,14 @@ func NewProxyAuthInterceptors(tokenStore proxyTokenStore) (grpc.UnaryServerInter
 return handler(ctx, req)
 }
 
- token, err := interceptor.validateProxyToken(ctx)
- if err != nil {
- // Log auth failures explicitly; gRPC doesn't log these by default.
- log.WithContext(ctx).Warnf("proxy auth failed: %v", err)
- return nil, err
- }
-
+ // token, err := interceptor.validateProxyToken(ctx)
+ // if err != nil {
+ // // Log auth failures explicitly; gRPC doesn't log these by default.
+ // log.WithContext(ctx).Warnf("proxy auth failed: %v", err)
+ // return nil, err
+ // }
+
+ token := &types.ProxyAccessToken{}
 ctx = context.WithValue(ctx, ProxyTokenContextKey, token)
 return handler(ctx, req)
 }
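Review bot: With `validateProxyToken` commented out and `token := &types.ProxyAccessToken{}` put in its place, every call that reaches this point in the unary interceptor is accepted with an empty token, and the stream interceptor hunk at -87,13 does the same. Neither the subject line nor the diffstat says that proxy authentication is being switched off, so this looks like local debugging state committed by accident. PATCH 2/3 restores the check, but any build, bisect or cherry-pick that stops at this commit serves these RPCs without token validation; squash 1/3 and 2/3, or drop the two proxy_auth.go hunks from 1/3, so that no commit in history has the check disabled. Handlers that read `ProxyTokenContextKey` would also receive a zero-value token here, which presumably identifies no account. Both interceptor closures start and end outside the hunks.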
@@ -87,13 +88,14 @@ func NewProxyAuthInterceptors(tokenStore proxyTokenStore) (grpc.UnaryServerInter
 return handler(srv, ss)
 }
 
- token, err := interceptor.validateProxyToken(ss.Context())
- if err != nil {
- // Log auth failures explicitly; gRPC doesn't log these by default.
- log.WithContext(ss.Context()).Warnf("proxy auth failed: %v", err)
- return err
- }
+ // token, err := interceptor.validateProxyToken(ss.Context())
+ // if err != nil {
+ // // Log auth failures explicitly; gRPC doesn't log these by default.
+ // log.WithContext(ss.Context()).Warnf("proxy auth failed: %v", err)
+ // return err
+ // }
 
+ token := &types.ProxyAccessToken{}
 ctx := context.WithValue(ss.Context(), ProxyTokenContextKey, token)
 wrapped := &wrappedServerStream{
 ServerStream: ss,
diff --git a/management/server/peer.go b/management/server/peer.go
index 78ecbfcaeb1..d841f5f6644 100644
--- a/management/server/peer.go
+++ b/management/server/peer.go
@@ -746,7 +746,7 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 }
 }
 
- newPeer = am.integratedPeerValidator.PreparePeer(ctx, accountID, newPeer, peerAddConfig.GroupsToAdd, settings.Extra, temporary)
+ newPeer = am.integratedPeerValidator.PreparePeer(ctx, accountID, newPeer, peerAddConfig.GroupsToAdd, settings.Extra, temporary || newPeer.ProxyMeta.Embedded)
 
 network, err := am.Store.GetAccountNetwork(ctx, store.LockingStrengthNone, accountID)
 if err != nil {
From 146e37f9ee4c0d5776d28283c32f894515e63d3a Mon Sep 17 00:00:00 2001
From: pascal
Date: Thu, 12 Mar 2026 18:38:54 +0100
Subject: [PATCH 2/3] revert proxy auth

---
 .../internals/shared/grpc/proxy_auth.go | 28 +++++++++----------
 1 file changed, 13 insertions(+), 15 deletions(-)

diff --git a/management/internals/shared/grpc/proxy_auth.go b/management/internals/shared/grpc/proxy_auth.go
index 08a28c60253..dd593dfa079 100644
--- a/management/internals/shared/grpc/proxy_auth.go
+++ b/management/internals/shared/grpc/proxy_auth.go
@@ -71,14 +71,13 @@ func NewProxyAuthInterceptors(tokenStore proxyTokenStore) (grpc.UnaryServerInter
 return handler(ctx, req)
 }
 
- // token, err := interceptor.validateProxyToken(ctx)
- // if err != nil {
- // // Log auth failures explicitly; gRPC doesn't log these by default.
- // log.WithContext(ctx).Warnf("proxy auth failed: %v", err)
- // return nil, err
- // }
-
- token := &types.ProxyAccessToken{}
+ token, err := interceptor.validateProxyToken(ctx)
+ if err != nil {
+ // Log auth failures explicitly; gRPC doesn't log these by default.
+ log.WithContext(ctx).Warnf("proxy auth failed: %v", err)
+ return nil, err
+ }
+
 ctx = context.WithValue(ctx, ProxyTokenContextKey, token)
 return handler(ctx, req)
 }
@@ -88,14 +87,13 @@ func NewProxyAuthInterceptors(tokenStore proxyTokenStore) (grpc.UnaryServerInter
 return handler(srv, ss)
 }
 
- // token, err := interceptor.validateProxyToken(ss.Context())
- // if err != nil {
- // // Log auth failures explicitly; gRPC doesn't log these by default.
- // log.WithContext(ss.Context()).Warnf("proxy auth failed: %v", err)
- // return err
- // }
+ token, err := interceptor.validateProxyToken(ss.Context())
+ if err != nil {
+ // Log auth failures explicitly; gRPC doesn't log these by default.
+ log.WithContext(ss.Context()).Warnf("proxy auth failed: %v", err)
+ return err
+ }
 
- token := &types.ProxyAccessToken{}
 ctx := context.WithValue(ss.Context(), ProxyTokenContextKey, token)
 wrapped := &wrappedServerStream{
 ServerStream: ss,
From 23849e4bd22b9d157109509400d2c2cb3a61fffb Mon Sep 17 00:00:00 2001
From: pascal
Date: Fri, 13 Mar 2026 14:29:43 +0100
Subject: [PATCH 3/3] use temporary true flag

---
 management/internals/modules/peers/manager.go | 2 +-
 management/server/peer.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/management/internals/modules/peers/manager.go b/management/internals/modules/peers/manager.go
index 2f796a5d10a..7cb0f390810 100644
--- a/management/internals/modules/peers/manager.go
+++ b/management/internals/modules/peers/manager.go
@@ -210,7 +210,7 @@ func (m *managerImpl) CreateProxyPeer(ctx context.Context, accountID string, pee
 },
 }
 
- _, _, _, err = m.accountManager.AddPeer(ctx, accountID, "", "", peer, false)
+ _, _, _, err = m.accountManager.AddPeer(ctx, accountID, "", "", peer, true)
 if err != nil {
 return fmt.Errorf("failed to create proxy peer: %w", err)
 }
diff --git a/management/server/peer.go b/management/server/peer.go
index d841f5f6644..78ecbfcaeb1 100644
--- a/management/server/peer.go
+++ b/management/server/peer.go
@@ -746,7 +746,7 @@ func (am *DefaultAccountManager) AddPeer(ctx context.Context, accountID, setupKe
 }
 }
 
- newPeer = am.integratedPeerValidator.PreparePeer(ctx, accountID, newPeer, peerAddConfig.GroupsToAdd, settings.Extra, temporary || newPeer.ProxyMeta.Embedded)
+ newPeer = am.integratedPeerValidator.PreparePeer(ctx, accountID, newPeer, peerAddConfig.GroupsToAdd, settings.Extra, temporary)
 
 network, err := am.Store.GetAccountNetwork(ctx, store.LockingStrengthNone, accountID)
 if err != nil {
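Review bot: The bare `true` passed as the last argument of `AddPeer` in `CreateProxyPeer` now carries an access-control decision, since going by the series subject it is what exempts proxy peers from peer approval, and nothing at the call site says so. Add a comment above the call such as `// temporary=true: proxy peers skip peer approval; only reachable with a validated proxy token`. The peer.go hunk shows the flag being forwarded to `PreparePeer`, but the rest of `AddPeer` is outside the hunk, so confirm that `temporary` has no other effect there (peer lifetime or cleanup, for instance) that a long-lived proxy peer should not inherit. Both `CreateProxyPeer` and `AddPeer` start and end outside the hunks.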