From 2de65a0f665c738e6d0985ede6c908885d939c85 Mon Sep 17 00:00:00 2001
From: Ethan Dickson <ethan@coder.com>
Date: Fri, 21 Feb 2025 01:07:36 +0000
Subject: [PATCH] fix: block vpn tailnet endpoint when `--browser-only` is set

---
 coderd/workspaceagents.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/coderd/workspaceagents.go b/coderd/workspaceagents.go
index 8132da9bd7bfa..ddfb21a751671 100644
--- a/coderd/workspaceagents.go
+++ b/coderd/workspaceagents.go
@@ -906,6 +906,7 @@ func (api *API) workspaceAgentClientCoordinate(rw http.ResponseWriter, r *http.R
 	}
 
 	// This is used by Enterprise code to control the functionality of this route.
+	// Namely, disabling the route using `CODER_BROWSER_ONLY`.
 	override := api.WorkspaceClientCoordinateOverride.Load()
 	if override != nil {
 		overrideFunc := *override
@@ -1576,6 +1577,16 @@ func (api *API) workspaceAgentsExternalAuthListen(ctx context.Context, rw http.R
 func (api *API) tailnetRPCConn(rw http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 
+	// This is used by Enterprise code to control the functionality of this route.
+	// Namely, disabling the route using `CODER_BROWSER_ONLY`.
+	override := api.WorkspaceClientCoordinateOverride.Load()
+	if override != nil {
+		overrideFunc := *override
+		if overrideFunc != nil && overrideFunc(rw) {
+			return
+		}
+	}
+
 	version := "2.0"
 	qv := r.URL.Query().Get("version")
 	if qv != "" {