tailscale/client/web/src/api.ts

let csrfToken: string
let unraidCsrfToken: string | undefined // required for unraid POST requests (#8062)

// apiFetch wraps the standard JS fetch function with csrf header
// management and param additions specific to the web client.
//
// apiFetch adds the `api` prefix to the request URL,
// so endpoint should be provided without the `api` prefix
// (i.e. provide `/data` rather than `api/data`).
export function apiFetch(
  endpoint: string,
  method: "GET" | "POST",
  body?: any,
  params?: Record<string, string>
): Promise<Response> {
  const urlParams = new URLSearchParams(window.location.search)
  const nextParams = new URLSearchParams(params)
  const token = urlParams.get("SynoToken")
  if (token) {
    nextParams.set("SynoToken", token)
  }
  const search = nextParams.toString()
  const url = `api${endpoint}${search ? `?${search}` : ""}`

  var contentType: string
  if (unraidCsrfToken && method === "POST") {
    const params = new URLSearchParams()
    params.append("csrf_token", unraidCsrfToken)
    if (body) {
      params.append("ts_data", JSON.stringify(body))
    }
    body = params.toString()
    contentType = "application/x-www-form-urlencoded;charset=UTF-8"
  } else {
    body = body ? JSON.stringify(body) : undefined
    contentType = "application/json"
  }

  return fetch(url, {
    method: method,
    headers: {
      Accept: "application/json",
      "Content-Type": contentType,
      "X-CSRF-Token": csrfToken,
    },
    body,
  }).then((r) => {
    updateCsrfToken(r)
    if (!r.ok) {
      return r.text().then((err) => {
        throw new Error(err)
      })
    }
    return r
  })
}

function updateCsrfToken(r: Response) {
  const tok = r.headers.get("X-CSRF-Token")
  if (tok) {
    csrfToken = tok
  }
}

export function setUnraidCsrfToken(token?: string) {
  unraidCsrfToken = token
}
client/web: add csrf protection to web client api Adds csrf protection and hooks up an initial POST request from the React web client. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com> 2023-08-16 22:52:31 +00:00			`let csrfToken: string`
client/web: pipe unraid csrf token through apiFetch Ensures that we're sending back the csrf token for all requests made back to unraid clients. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com> 2023-08-29 22:02:01 +00:00			`let unraidCsrfToken: string \| undefined // required for unraid POST requests (#8062)`
client/web: add csrf protection to web client api Adds csrf protection and hooks up an initial POST request from the React web client. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com> 2023-08-16 22:52:31 +00:00
client/web: pull SynoToken logic into apiFetch Updates tailscale/corp#13775 2023-08-29 17:20:25 +00:00			`// apiFetch wraps the standard JS fetch function with csrf header`
			`// management and param additions specific to the web client.`
			`//`
			// apiFetch adds the `api` prefix to the request URL,
			// so endpoint should be provided without the `api` prefix
			// (i.e. provide `/data` rather than `api/data`).
client/web: add csrf protection to web client api Adds csrf protection and hooks up an initial POST request from the React web client. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com> 2023-08-16 22:52:31 +00:00			`export function apiFetch(`
client/web: pull SynoToken logic into apiFetch Updates tailscale/corp#13775 2023-08-29 17:20:25 +00:00			`endpoint: string,`
client/web: pipe unraid csrf token through apiFetch Ensures that we're sending back the csrf token for all requests made back to unraid clients. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com> 2023-08-29 22:02:01 +00:00			`method: "GET" \| "POST",`
			`body?: any,`
			`params?: Record<string, string>`
client/web: add csrf protection to web client api Adds csrf protection and hooks up an initial POST request from the React web client. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com> 2023-08-16 22:52:31 +00:00			`): Promise<Response> {`
client/web: pull SynoToken logic into apiFetch Updates tailscale/corp#13775 2023-08-29 17:20:25 +00:00			`const urlParams = new URLSearchParams(window.location.search)`
client/web: pipe unraid csrf token through apiFetch Ensures that we're sending back the csrf token for all requests made back to unraid clients. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com> 2023-08-29 22:02:01 +00:00			`const nextParams = new URLSearchParams(params)`
client/web: pull SynoToken logic into apiFetch Updates tailscale/corp#13775 2023-08-29 17:20:25 +00:00			`const token = urlParams.get("SynoToken")`
			`if (token) {`
			`nextParams.set("SynoToken", token)`
			`}`
			`const search = nextParams.toString()`
			const url = `api${endpoint}${search ? `?${search}` : ""}`

client/web: pipe unraid csrf token through apiFetch Ensures that we're sending back the csrf token for all requests made back to unraid clients. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com> 2023-08-29 22:02:01 +00:00			`var contentType: string`
client/web,cmd/tailscale: add prefix flag for web command We already had a path on the web client server struct, but hadn't plumbed it through to the CLI. Add that now and use it for Synology and QNAP instead of hard-coding the path. (Adding flag for QNAP is tailscale/tailscale-qpkg#112) This will allow supporting other environments (like unraid) without additional changes to the client/web package. Also fix a small bug in unraid handling to only include the csrf token on POST requests. Updates tailscale/corp#13775 Signed-off-by: Will Norris <will@tailscale.com> 2023-08-31 21:27:41 +00:00			`if (unraidCsrfToken && method === "POST") {`
client/web: pipe unraid csrf token through apiFetch Ensures that we're sending back the csrf token for all requests made back to unraid clients. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com> 2023-08-29 22:02:01 +00:00			`const params = new URLSearchParams()`
			`params.append("csrf_token", unraidCsrfToken)`
			`if (body) {`
			`params.append("ts_data", JSON.stringify(body))`
			`}`
			`body = params.toString()`
			`contentType = "application/x-www-form-urlencoded;charset=UTF-8"`
			`} else {`
			`body = body ? JSON.stringify(body) : undefined`
			`contentType = "application/json"`
			`}`

client/web: pull SynoToken logic into apiFetch Updates tailscale/corp#13775 2023-08-29 17:20:25 +00:00			`return fetch(url, {`
client/web: pipe unraid csrf token through apiFetch Ensures that we're sending back the csrf token for all requests made back to unraid clients. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com> 2023-08-29 22:02:01 +00:00			`method: method,`
			`headers: {`
			`Accept: "application/json",`
			`"Content-Type": contentType,`
			`"X-CSRF-Token": csrfToken,`
			`},`
			`body,`
client/web: add csrf protection to web client api Adds csrf protection and hooks up an initial POST request from the React web client. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com> 2023-08-16 22:52:31 +00:00			`}).then((r) => {`
			`updateCsrfToken(r)`
			`if (!r.ok) {`
			`return r.text().then((err) => {`
			`throw new Error(err)`
			`})`
			`}`
			`return r`
			`})`
			`}`

			`function updateCsrfToken(r: Response) {`
			`const tok = r.headers.get("X-CSRF-Token")`
			`if (tok) {`
			`csrfToken = tok`
			`}`
			`}`
client/web: pipe unraid csrf token through apiFetch Ensures that we're sending back the csrf token for all requests made back to unraid clients. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com> 2023-08-29 22:02:01 +00:00
			`export function setUnraidCsrfToken(token?: string) {`
			`unraidCsrfToken = token`
			`}`