Authentication - A must?

[klinkeye]

Hi,

Am I missing something or is there no authentication for access to this? It seems a little dangerous to have a management interface that can grant access to a network/connectivity platform.

[GoodiesHQ]

The key thing you are missing is that the final built application is only a collection of static HTML, JS, and CSS files that provides the scaffolding for the web layout, data typing, local storage, and the behavior of the application within the browser. That is the extent of interaction between the browser and the server which hosts this project: to receive the scaffolding. The actual headscale upstream URL and API Key are both stored within your browser in local storage and are used by functions in the scaffolding to craft requests from the client's (your) browser directly to the headscale API of your choosing (which should of course be protected with a TLS cert, as should every application to prevent general HTML attacks like script injection). No API information is transmitted anywhere but the headscale server, no sessions are tracked (if you clear your browsers local storage, you must retrieve or generate a new API key from headscale server), and being static HTML files, they couldn't inherently do anything with that information even if they were (that data would be processed by whatever webserver you host it on, e.g. caddy or apache2 or nginx).

tl;dr: nothing about this application or the requests to the Caddy server which serves it are sensitive in nature. This application doesn't do anything that can't be done wit cURL. Your security is in your API key not being compromised, and at no point is it stored on, or transmitted to, anywhere but your browser and the headscale API you choose.