[client,management] Feature/client service expose (#5411)

CLI: new expose command to publish a local port with flags for PIN, password, user groups, custom domain, name prefix and protocol (HTTP default). Management/API: create/renew/stop expose sessions (streamed status), automatic naming/domain, TTL renewals, background expiration, new management RPCs and client methods. UI/API: account settings now include peer_expose_enabled and peer_expose_groups; new activity codes for peer expose events.
2026-04-18 00:06:38 +00:00 · 2026-02-24 10:02:16 +01:00
parent 37f025c966
commit 63c83aa8d2
44 changed files with 3867 additions and 422 deletions
--- a/shared/management/http/api/openapi.yml
+++ b/shared/management/http/api/openapi.yml
@@ -326,6 +326,16 @@ components:
          type: string
          format: cidr
          example: 100.64.0.0/16
+        peer_expose_enabled:
+          description: Enables or disables peer expose. If enabled, peers can expose local services through the reverse proxy using the CLI.
+          type: boolean
+          example: false
+        peer_expose_groups:
+          description: Limits which peer groups are allowed to expose services. If empty, all peers are allowed when peer expose is enabled.
+          type: array
+          items:
+            type: string
+            example: ch8i4ug6lnn4g9hqv7m0
        extra:
          $ref: '#/components/schemas/AccountExtraSettings'
        lazy_connection_enabled:
@@ -353,6 +363,8 @@ components:
        - peer_inactivity_expiration_enabled
        - peer_inactivity_expiration
        - regular_users_view_blocked
+        - peer_expose_enabled
+        - peer_expose_groups
    AccountExtraSettings:
      type: object
      properties:
--- a/shared/management/http/api/types.gen.go
+++ b/shared/management/http/api/types.gen.go
@@ -512,6 +512,12 @@ type AccountSettings struct {
 	// NetworkRange Allows to define a custom network range for the account in CIDR format
 	NetworkRange *string `json:"network_range,omitempty"`

+	// PeerExposeEnabled Enables or disables peer expose. If enabled, peers can expose local services through the reverse proxy using the CLI.
+	PeerExposeEnabled bool `json:"peer_expose_enabled"`
+
+	// PeerExposeGroups Limits which peer groups are allowed to expose services. If empty, all peers are allowed when peer expose is enabled.
+	PeerExposeGroups []string `json:"peer_expose_groups"`
+
 	// PeerInactivityExpiration Period of time of inactivity after which peer session expires (seconds).
 	PeerInactivityExpiration int `json:"peer_inactivity_expiration"`