Synology and QNAP both run the web client as a CGI script. The old web
client didn't care too much about requests paths, since there was only a
single GET and POST handler. The new client serves assets on different
paths, so now we need to care.
First, enforce that the CGI script is always accessed from its full
path, including a trailing slash (e.g. /cgi-bin/tailscale/index.cgi/).
Then, strip that prefix off before passing the request along to the main
serve handler. This allows for properly serving both static files and
the API handler in a CGI environment. Also add a CGIPath option to allow
other CGI environments to specify a custom path.
Finally, update vite and one "api/data" call to no longer assume that we
are always serving at the root path of "/".
Updates tailscale/corp#13775
Signed-off-by: Will Norris <will@tailscale.com>
Add separate server methods for synology and qnap, and enforce
authentication and authorization checks before calling into the actual
serving handlers. This allows us to remove all of the auth logic from
those handlers, since all requests will already be authenticated by that
point.
Also simplify the Synology token redirect handler by using fetch.
Remove the SynologyUser from nodeData, since it was never used in the
frontend anyway.
Updates tailscale/corp#13775
Signed-off-by: Will Norris <will@tailscale.com>
This commit doesn't change any of the logic, but just organizes the code
a little to prepare for future changes.
Updates tailscale/corp#13775
Signed-off-by: Will Norris <will@tailscale.com>
Indicate to the web client when it is running in CGI mode, and if it is
then cache the csrf key between requests.
Updates tailscale/corp#13775
Signed-off-by: Will Norris <will@tailscale.com>
Under normal circumstances, you would typically want to keep the default
behavior of requiring secure cookies. In the case of the Tailscale web
client, we are regularly serving on localhost (where secure cookies
don't really matter), and/or we are behind a reverse proxy running on a
network appliance like a NAS or Home Assistant. In those cases, those
devices are regularly accessed over local IP addresses without https
configured, so would not work with secure cookies.
Updates tailscale/corp#13775
Signed-off-by: Will Norris <will@tailscale.com>
I thought this had something to do with Synology or QNAP support, since
they both have specific authentication logic. But it turns out this was
part of the original web client added in #1621, and then refactored as
part of #2093. But with how we handle logging in now, it's never
called.
Updates tailscale/corp#13775
Signed-off-by: Will Norris <will@tailscale.com>
src/**/* was only grabbing files in subdirectories, but not in the src
directory itself.
Updates tailscale/corp#13775
Signed-off-by: Will Norris <will@tailscale.com>
instead of embedding each file individually, embed them all into a
single embed filesystem. This is basically a noop for the current
frontend, but sets things up a little cleaner for the new frontend.
Also added an embed.FS for the source files needed to build the new
frontend. These files are not actually embedded into the binary (since
it is a blank identifier), but causes `go mod vendor` to copy them into
the vendor directory.
Updates tailscale/corp#13775
Signed-off-by: Will Norris <will@tailscale.com>
Adds csrf protection and hooks up an initial POST request from
the React web client.
Updates tailscale/corp#13775
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Currently just serving a "Hello world" page when running the web
cli in --dev mode.
Updates tailscale/corp#13775
Co-authored-by: Will Norris <will@tailscale.com>
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
move the tailscale web client out of the cmd/tailscale/cli package, into
a new client/web package. The remaining cli/web.go file is still
responsible for parsing CLI flags and such, and then calls into
client/web. This will allow the web client to be hooked into from other
contexts (for example, from a tsnet server), and provide a dedicated
space to add more functionality to this client.
Updates tailscale/corp#13775
Signed-off-by: Will Norris <will@tailscale.com>