Limit cookies to HTTP requests (not accessible from javascript).
Set SameSite to "Lax", which is similar to "Strict" but allows for
cookies to be included in requests that come from offsite links. This
will be necessary when we link to the web client from the admin console.
Updates #10261Fixestailscale/corp#16265
Signed-off-by: Will Norris <will@tailscale.com>
The client has changed a bit since we introduced the path prefix. It is
now used for two things:
- its original purpose, of ensuring that when the client is run in CGI
mode at arbitrary paths, then relative paths for assets continue to
work
- we also now pass the path to the frontend and use wouter to manage
routes for the various subpages of the client.
When the client is run behind a reverse proxy (as it is in Home
Assistant), it is common for the proxy to rewrite the request so that
the backend application doesn't see the path it's being served at. In
this case, we don't need to call enforcePrefix, since it's already
stripped before it reaches us. However, wouter (or react router
library) still sees the original path in the browser, and needs to know
what part of it is the prefix that needs to be stripped off.
We're handling this by now only calling enforcePrefix when run in CGI
mode. For Home Assistant, or any other platform that runs the client
behind a reverse proxy with a custom path, they will still need to pass
the `-prefix` flag to `tailscale web`, but we will only use it for route
handling in the frontend.
Updates #10261
Signed-off-by: Will Norris <will@tailscale.com>
In Login mode, must first run system auth. But once authorized,
should be able to reach rest of auth logic to check whether the
user can manage the node. This results in showing/hiding the
sign in button in the frontend login toggle.
Updates #10261
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Calling DebugPacketFilterRules fails when the node is not logged
in, which was causing 500 errors on the node data endpoint after
logging the node out.
Updates #10261
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Add logging of device management type for the web client auth flow. Namely,
this differentiates between viewing a node you do not own, viewing a local
tagged node, viewing a remote tagged node, managing a local node, and
managing a remote node.
Updates https://github.com/tailscale/tailscale/issues/10261
Signed-off-by: Mario Minardi <mario@tailscale.com>
Even if connected to the login client over tailscale, still check
platform auth so the browser can obtain the tokens it needs to make
platform requests complete successfully.
Updates #10261
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
This commit makes some restructural changes to how we handle api
posting from the web client frontend.
Now that we're using SWR, we have less of a need for hooks like
useNodeData that return a useSWR response alongside some mutation
callbacks. SWR makes it easy to mutate throughout the UI without
needing access to the original data state in order to reflect
updates. So, we can fetch data without having to tie it to post
callbacks that have to be passed around through components.
In an effort to consolidate our posting endpoints, and make it
easier to add more api handlers cleanly in the future, this change
introduces a new `useAPI` hook that returns a single `api` callback
that can make any changes from any component in the UI. The hook
itself handles using SWR to mutate the relevant data keys, which
get globally reflected throughout the UI.
As a concurrent cleanup, node types are also moved to their own
types.ts file, to consolidate data types across the app.
Updates #10261
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Updates the IP address on home view to open a copyable list of node
addresses on click. And makes various values on the details view
copyable text items, mirroring the machine admin panel table.
As part of these changes, pulls the AddressCard, NiceIP and QuickCopy
components from the admin panel, with the AddressCard slightly modified
to avoid needing to also pull in the CommandLine component.
A new toaster interface is also added, allowing us to display success
and failure toasts throughout the UI. The toaster code is slightly
modified from it's admin form to avoid the need for some excess
libraries.
Updates #10261
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Add metric logging logic for the web client frontend. This is an initial
pass of adding the base logic, plus a single point where it is used for
validation that the logging is working correctly. More metric logging
calls will follow in subsquent PRs.
Updates https://github.com/tailscale/tailscale/issues/10261
Signed-off-by: Mario Minardi <mario@tailscale.com>
If the currently selected exit node is offline, render the exit node
selector in red with an error message. Update exit nodes in the dropdown
to indicate if they are offline, and don't allow them to be selected.
This also updates some older color values to use the new colors.
Updates #10261
Signed-off-by: Will Norris <will@tailscale.com>
Use the packet filter rules to determine if any device is allowed to
connect on port 5252. This does not check whether a specific device can
connect (since we typically don't know the source device when this is
used). Nor does it specifically check for wide-open ACLs, which is
something we may provide a warning about in the future.
Update the login popover content to display information when the src
device is unable to connect to the dst device over its Tailscale IP. If
we know it's an ACL issue, mention that, otherwise list a couple of
things to check. In both cases, link to a placeholder URL to get more
information about web client connection issues.
Updates #10261
Signed-off-by: Will Norris <will@tailscale.com>
Fixes a TODO in web.authorizeRequest.
`getSession` calls `WhoIs` already. Call `getSession` earlier in
`authorizeRequest` so we can avoid the duplicate `WhoIs` check on
the same request.
Updates #10261
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
This adds an expandable section of the login view to allow users to
specify an auth key and an alternate control URL.
Input and Collapsible components and accompanying styles were brought
over from the adminpanel.
Updates #10261
Signed-off-by: Will Norris <will@tailscale.com>
Add exit node selector (in full management client only) that allows
for advertising as an exit node, or selecting another exit node on
the Tailnet for use.
Updates #10261
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
This creates a new /api/up endpoint which is exposed in the login
client, and is solely focused on logging in. Login has been removed from
the nodeUpdate endpoint.
This also adds support in the LoginClientView for a stopped node that
just needs to reconnect, but not necessarily reauthenticate. This
follows the same pattern in `tailscale up` of just setting the
WantRunning user pref.
Updates tailscale/corp#14335
Signed-off-by: Will Norris <will@tailscale.com>
This change removes the existing debug-web-client localapi endpoint
and replaces it with functions passed directly to the web.ServerOpts
when constructing a web.ManageServerMode client.
The debug-web-client endpoint previously handled making noise
requests to the control server via the /machine/webclient/ endpoints.
The noise requests must be made from tailscaled, which has the noise
connection open. But, now that the full client is served from
tailscaled, we no longer need to proxy this request over the localapi.
Updates tailscale/corp#14335
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
I don't believe this has ever worked, since we didn't allow POST
requests in the login client. But previously, we were primarily using
the legacy client, so it didn't really matter. Now that we've removed
the legacy client, we have no way to login.
This fixes the login client, allowing it to login, but it still needs to
be refactored to expose a dedicated login method, without exposing all
the node update functionality.
Updates tailscale/corp#14335
Signed-off-by: Will Norris <will@tailscale.com>
No longer using this! Readonly state fully managed via auth endpoint.
Also getting rid of old Legacy server mode.
A #cleanup
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Fills /details page with real values, passed back from the /data
endpoint.
Updates tailscale/corp#14335
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Don't return CSP headers in dev mode, since that includes a bunch of
extra things like the vite server.
Allow images from any source, which is needed to load user profile
images.
Allow 'unsafe-inline' for various inline scripts and style react uses.
We can eliminate this by using CSP nonce or hash values, but we'll need
to look into the best way to handle that. There appear to be several
react plugins for this, but I haven't evaluated any of them.
Updates tailscale/corp#14335
Signed-off-by: Will Norris <will@tailscale.com>
Require that requests to servers in manage mode are made to the
Tailscale IP (either ipv4 or ipv6) or quad-100. Also set various
security headers on those responses. These might be too restrictive,
but we can relax them as needed.
Allow requests to /ok (even in manage mode) with no checks. This will be
used for the connectivity check from a login client to see if the
management client is reachable.
Updates tailscale/corp#14335
Signed-off-by: Will Norris <will@tailscale.com>
Splits auth session creation into two new endpoints:
/api/auth/session/new - to request a new auth session
/api/auth/session/wait - to block until user has completed auth url
Updates tailscale/corp#14335
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Avoids the need to pipe a web client dev flag through the tailscaled
command.
Updates tailscale/corp#14335
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Adds a new Mode to the web server, indicating the specific
scenario the constructed server is intended to be run in. Also
starts filling this from the cli/web and ipn/ipnlocal callers.
From cli/web this gets filled conditionally based on whether the
preview web client node cap is set. If not set, the existing
"legacy" client is served. If set, both a login/lobby and full
management client are started (in "login" and "manage" modes
respectively).
Updates tailscale/corp#14335
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
This completes the migration to setting up authentication state in the
client first before fetching any node data or rendering the client view.
Notable changes:
- `authorizeRequest` is now only enforced on `/api/*` calls (with the
exception of /api/auth, which is handled early because it's needed to
initially setup auth, particularly for synology)
- re-separate the App and WebClient components to ensure that auth is
completed before moving on
- refactor platform auth (synology and QNAP) to fit into this new
structure. Synology no longer returns redirect for auth, but returns
authResponse instructing the client to fetch a SynoToken
Updates tailscale/corp#14335
Signed-off-by: Will Norris <will@tailscale.com>
When the /api/auth response indicates that synology auth is needed,
fetch the SynoToken and store it for future API calls. This doesn't yet
update the server-side code to set the new SynoAuth field.
Updates tailscale/corp#14335
Signed-off-by: Will Norris <will@tailscale.com>
For now this is effectively a noop, since only the ManagementClientView
uses the auth data. That will change soon.
Updates tailscale/corp#14335
Signed-off-by: Will Norris <will@tailscale.com>
Allows for serving the web interface from tailscaled, with the
ability to start and stop the server via localapi endpoints
(/web/start and /web/stop).
This will be used to run the new full management web client,
which will only be accessible over Tailscale (with an extra auth
check step over noise) from the daemon. This switch also allows
us to run the web interface as a long-lived service in environments
where the CLI version is restricted to CGI, allowing us to manage
certain auth state in memory.
ipn/ipnlocal/web is stubbed out in ipn/ipnlocal/web_stub for
ios builds to satisfy ios restriction from adding "text/template"
and "html/template" dependencies.
Updates tailscale/corp#14335
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Previously returned errTaggedSource in the case that of any tagged
source. Now distinguishing whether the source was local or remote.
We'll be presenting the two cases with varying copy on the frontend.
Updates tailscale/corp#14335
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
This commit makes two changes to the web client auth flow error
handling:
1. Properly passes back the error code from the noise request from
the localapi. Previously we were using io.Copy, which was always
setting a 200 response status code.
2. Clean up web client browser sessions on any /wait endpoint error.
This avoids the user getting in a stuck state if something goes
wrong with their auth path.
Updates tailscale/corp#14335
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Stores ID from tailcfg.WebClientAuthResponse in browser session
data, and uses ID to hit control server /wait endpoint.
No longer need the control url cached, so removed that from Server.
Also added optional timeNow field, initially to manage time from
tests.
Updates tailscale/corp#14335
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Connects serveTailscaleAuth to the localapi webclient endpoint
and pipes auth URLs and session cookies back to the browser to
redirect users from the frontend.
All behind debug flags for now.
Updates tailscale/corp#14335
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>
Moves request authorization back into Server.serve to be run at
the start of any request. Fixes Synology unstable track bug where
client would get stuck unable to auth due to not rendering the
Synology redirect auth html on index.html load.
Updates tailscale/corp#14335
Signed-off-by: Sonia Appasamy <sonia@tailscale.com>