@ -292,7 +292,6 @@ var (
errNotUsingTailscale = errors . New ( "not-using-tailscale" )
errNotUsingTailscale = errors . New ( "not-using-tailscale" )
errTaggedSource = errors . New ( "tagged-source" )
errTaggedSource = errors . New ( "tagged-source" )
errNotOwner = errors . New ( "not-owner" )
errNotOwner = errors . New ( "not-owner" )
errFailedAuth = errors . New ( "failed-auth" )
)
)
// getTailscaleBrowserSession retrieves the browser session associated with
// getTailscaleBrowserSession retrieves the browser session associated with
@ -413,12 +412,12 @@ func (s *Server) serveTailscaleAuth(w http.ResponseWriter, r *http.Request) {
if r . URL . Query ( ) . Get ( "wait" ) == "true" {
if r . URL . Query ( ) . Get ( "wait" ) == "true" {
// Client requested we block until user completes auth.
// Client requested we block until user completes auth.
d , err := s . getOrAwaitAuth ( r . Context ( ) , session . AuthID , whois . Node . ID )
d , err := s . getOrAwaitAuth ( r . Context ( ) , session . AuthID , whois . Node . ID )
if err ors. Is ( err , errFailedAuth ) {
if err != nil {
http . Error ( w , "user is unauthorized" , http . StatusUnauthorized )
http . Error ( w , err . Error ( ) , http . StatusUnauthorized )
s . browserSessions . Delete ( session . ID ) // clean up the failed session
// Clean up the session. Doing this on any error from control
return
// server to avoid the user getting stuck with a bad session
} else if err != nil {
// cookie.
http. Error ( w , err . Error ( ) , http . StatusInternalServerError )
s. browserSessions . Delete ( session . ID )
return
return
}
}
if d . Complete {
if d . Complete {
@ -485,11 +484,7 @@ func (s *Server) getOrAwaitAuth(ctx context.Context, authID string, src tailcfg.
}
}
body , _ := io . ReadAll ( resp . Body )
body , _ := io . ReadAll ( resp . Body )
resp . Body . Close ( )
resp . Body . Close ( )
if resp . StatusCode == http . StatusUnauthorized {
if resp . StatusCode != http . StatusOK {
// User completed auth, but control server reported
// them unauthorized to manage this node.
return nil , errFailedAuth
} else if resp . StatusCode != http . StatusOK {
return nil , fmt . Errorf ( "failed request: %s" , body )
return nil , fmt . Errorf ( "failed request: %s" , body )
}
}
var authResp * tailcfg . WebClientAuthResponse
var authResp * tailcfg . WebClientAuthResponse
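Review bot: In serveTailscaleAuth, the new `if err != nil` branch answers every getOrAwaitAuth failure with 401 and writes `err.Error()` to the client. With the getOrAwaitAuth hunk applied, that string is `failed request: ` followed by the control server's raw response body for any non-200 status. This relays upstream response text to the browser. It also reports a control-server fault, or what is presumably a cancelled request context, as an authorization failure, where the removed code used a fixed "user is unauthorized" message for the 401 case. I would keep the session cleanup on any error but return a fixed message, e.g. `http.Error(w, "unable to complete authentication", http.StatusUnauthorized)`, and record `err` in the server log instead. Both functions continue outside the hunks shown, so other error paths in getOrAwaitAuth may need the same treatment.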