client/web: move api handler into web.go

Also uses `http.HandlerFunc` to pass the handler into `csrfProtect` so we can get rid of the extraneous `api` struct. Updates tailscale/corp#13775 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
2025-02-18 02:48:40 +00:00 · 2023-08-25 11:27:22 -04:00 · 2023-08-25 11:27:22 -04:00 · 4828e4c2db
commit 4828e4c2db
parent 7b18ed293b
2 changed files with 23 additions and 38 deletions
--- a/client/web/api.go
+++ b/client/web/api.go
@ -1,37 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package web
-
-import (
-	"net/http"
-	"strings"
-
-	"github.com/gorilla/csrf"
-	"tailscale.com/util/httpm"
-)
-
-type api struct {
-	s *Server
-}
-
-// ServeHTTP serves requests for the web client api.
-// It should only be called by Server.ServeHTTP, via Server.apiHandler,
-// which protects the handler using gorilla csrf.
-func (a *api) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	w.Header().Set("X-CSRF-Token", csrf.Token(r))
-	path := strings.TrimPrefix(r.URL.Path, "/api")
-	switch path {
-	case "/data":
-		switch r.Method {
-		case httpm.GET:
-			a.s.serveGetNodeDataJSON(w, r)
-		case httpm.POST:
-			a.s.servePostNodeUpdate(w, r)
-		default:
-			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
-		}
-		return
-	}
-	http.Error(w, "invalid endpoint", http.StatusNotFound)
-}
--- a/client/web/web.go
+++ b/client/web/web.go
@ -30,6 +30,7 @@ import (
 	"tailscale.com/licenses"
 	"tailscale.com/net/netutil"
 	"tailscale.com/tailcfg"
+	"tailscale.com/util/httpm"
 	"tailscale.com/version/distro"
 )

@ -109,7 +110,7 @@ func NewServer(ctx context.Context, opts ServerOpts) (s *Server, cleanup func())
 		// The client is secured by limiting the interface it listens on,
 		// or by authenticating requests before they reach the web client.
 		csrfProtect := csrf.Protect(s.csrfKey(), csrf.Secure(false))
-		s.apiHandler = csrfProtect(&api{s: s})
+		s.apiHandler = csrfProtect(http.HandlerFunc(s.serveAPI))
 	}

 	var wg sync.WaitGroup
@ -239,6 +240,27 @@ func (s *Server) serve(w http.ResponseWriter, r *http.Request) {
 	}
 }

+// serveAPI serves requests for the web client api.
+// It should only be called by Server.ServeHTTP, via Server.apiHandler,
+// which protects the handler using gorilla csrf.
+func (s *Server) serveAPI(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("X-CSRF-Token", csrf.Token(r))
+	path := strings.TrimPrefix(r.URL.Path, "/api")
+	switch path {
+	case "/data":
+		switch r.Method {
+		case httpm.GET:
+			s.serveGetNodeDataJSON(w, r)
+		case httpm.POST:
+			s.servePostNodeUpdate(w, r)
+		default:
+			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+		}
+		return
+	}
+	http.Error(w, "invalid endpoint", http.StatusNotFound)
+}
+
 type nodeData struct {
 	Profile           tailcfg.UserProfile
 	Status            string