client/web: restrict full management client behind browser sessions

Adds `getTailscaleBrowserSession` to pull the user's session out of
api requests, and `serveTailscaleAuth` to provide the "/api/auth"
endpoint for browser to request auth status and new sessions.

Updates tailscale/corp#14335

Signed-off-by: Sonia Appasamy <sonia@tailscale.com>

ipn/ipnstate/ipnstate.go

@@ -299,6 +299,11 @@ func (ps *PeerStatus) HasCap(cap tailcfg.NodeCapability) bool {
 	return ps.CapMap.Contains(cap) || slices.Contains(ps.Capabilities, cap)
 }
 
+// IsTagged reports whether ps is tagged.
+func (ps *PeerStatus) IsTagged() bool {
+	return ps.Tags != nil && ps.Tags.Len() > 0
+}
+
 // StatusBuilder is a request to construct a Status. A new StatusBuilder is
 // passed to various subsystems which then call methods on it to populate state.
 // Call its Status method to return the final constructed Status.