From bcfe9904b17b7f146e3a602edd8e81b197d928c4 Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick
Date: Mon, 17 Nov 2025 16:47:29 -0800
Subject: [PATCH 1/2] add --tsnet-dir flag

Signed-off-by: Brad Fitzpatrick
---
 hallpass.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hallpass.go b/hallpass.go
index 3738a58..925dec3 100644
--- a/hallpass.go
+++ b/hallpass.go
@@ -43,6 +43,7 @@ var (
 secretServer = flag.String("secret-server", "", "setec secret server base URL; if empty, setec is not used")
 oauthSecret = flag.String("oauth-secret", keyPath("hallpass-key"), "name of setec secret containing Tailscale OAuth ClientSecret; if --secret-server is empty, ignored and reads from $HOME/keys/hallpass-key")
 webhookSecret = flag.String("webhook-secret", keyPath("hallpass-webhook"), "name of setec secret containing the Slack webhook URL; if --secret-server is empty, ignored and reads from $HOME/keys/hallpass-webhook")
+ configDir = flag.String("tsnet-dir", "", "tsnet server directory; if empty, tsnet uses an automatic config directory based on the binary name")
 )
 
 func main() {
@@ -53,6 +54,7 @@ func main() {
 
 ts := &tsnet.Server{
 Hostname: "hallpass",
+ Dir: *configDir,
 }
 js := &Server{ts: ts}
 if err := ts.Start(); err != nil {
From 67c49dbde93cf764df32d90c2a376ac3a0668d2f Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick
Date: Mon, 17 Nov 2025 16:55:58 -0800
Subject: [PATCH 2/2] trim whitespace from setec secret values

Signed-off-by: Brad Fitzpatrick
---
 hallpass.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/hallpass.go b/hallpass.go
index 925dec3..f636249 100644
--- a/hallpass.go
+++ b/hallpass.go
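Review bot: The help text for `--tsnet-dir` in the first hunk does not say that this directory holds the node's Tailscale state, including its private keys, so an operator may point it at a shared or world-readable path. I would extend the description to `"tsnet state directory (stores this node's keys; keep it readable only by the service user); if empty, tsnet uses an automatic config directory based on the binary name"`. Whether tsnet tightens the mode of a directory that already exists is not visible from this patch, so that is worth checking before relying on it. A smaller point: the other flag variables mirror their flag names (`secretServer`, `oauthSecret`), so `tsnetDir` would read more consistently than `configDir` here and at `Dir: *configDir` in the second hunk. The `var (` block starts above the hunk.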
@@ -107,8 +107,8 @@ func main() {
 log.Fatalf("failed to create setec store: %v", err)
 }
 defer ss.Close()
- js.oauthClientSecret = ss.Secret(*oauthSecret)
- js.webhookURL = ss.Secret(*webhookSecret)
+ js.oauthClientSecret = whitespaceTrimmingSecret(ss.Secret(*oauthSecret))
+ js.webhookURL = whitespaceTrimmingSecret(ss.Secret(*webhookSecret))
 } else {
 log.Printf("Using secrets from disk")
 js.oauthClientSecret = setec.StaticSecret(readFile(*oauthSecret))
@@ -132,6 +132,10 @@ func main() {
 log.Fatal(http.Serve(ln, protect(js)))
 }
 
+func whitespaceTrimmingSecret(s setec.Secret) setec.Secret {
+ return func() []byte { return bytes.TrimSpace(s()) }
+}
+
 func keyPath(name string) string {
 home, err := os.UserHomeDir()
 if err != nil {
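Review bot: Only the setec branch gets the trimming wrapper; the disk branch still assigns `setec.StaticSecret(readFile(*oauthSecret))` unchanged, so a key file ending in a newline is only handled if `readFile` already trims, which this hunk does not show. If it does not, wrapping that branch too, e.g. `js.oauthClientSecret = whitespaceTrimmingSecret(setec.StaticSecret(readFile(*oauthSecret)))`, keeps both secret sources behaving the same. main starts and ends outside the hunk, and the webhook assignment in the disk branch is cut off below it.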
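Review bot: `whitespaceTrimmingSecret` in the second hunk is added without a doc comment, and two properties are worth recording for the next reader: it trims on every call rather than once, and `bytes.TrimSpace` returns a sub-slice of whatever `s()` returned rather than a copy. I would add `// whitespaceTrimmingSecret wraps s so each call returns the current secret value with leading and trailing whitespace removed.` followed by `// The result aliases the slice returned by s; callers must not modify it.` above the function. A secret that is entirely whitespace comes back empty, so the consumers of `js.oauthClientSecret` and `js.webhookURL`, which are not shown here, should treat an empty value as missing.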