Starts using peer capabilities to restrict the management client
on a per-view basis. This change also includes a bulky cleanup
of the login-toggle.tsx file, which was getting pretty unwieldy
in its previous form.
Updates tailscale/corp#16695
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
This change adds a new apiHandler struct for use from serveAPI
to aid with restricting endpoints to specific peer capabilities.
Updates tailscale/corp#16695
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
For user-owned nodes, only the owner is ever allowed to manage the
node.
Updates tailscale/corp#16695
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Sets up peer capability types for future use within the web client
views and APIs.
Updates tailscale/corp#16695
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
To be safe, use `prefs.ControlURLOrDefault()` rather than the current
`prefs.ControlURL` directly.
Updates #10261
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Add logging of device management type for the web client auth flow. Namely,
this differentiates between viewing a node you do not own, viewing a local
tagged node, viewing a remote tagged node, managing a local node, and
managing a remote node.
Updates https://github.com/tailscale/tailscale/issues/10261
Signed-off-by: Mario Minardi <mario@tailscale.com>
client/web: skip check mode for non-tailscale.com control servers
Only enforce check mode if the control server URL ends in
".tailscale.com". This allows the web client to be used with headscale
(or other) control servers while we work with the project to add check
mode support (tracked in juanfont/headscale#1623).
Updates #10261
Co-authored-by: Sonia Appasamy <sonia@tailscale.com>
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Signed-off-by: Will Norris <will@tailscale.com>
This change removes the existing debug-web-client localapi endpoint
and replaces it with functions passed directly to the web.ServerOpts
when constructing a web.ManageServerMode client.
The debug-web-client endpoint previously handled making noise
requests to the control server via the /machine/webclient/ endpoints.
The noise requests must be made from tailscaled, which has the noise
connection open. But, now that the full client is served from
tailscaled, we no longer need to proxy this request over the localapi.
Updates tailscale/corp#14335
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
