control/controlclient,ipn/ipnlocal: replace State enum with boolean flags

Remove the State enum (StateNew, StateNotAuthenticated, etc.) from
controlclient and replace it with two explicit boolean fields:
- LoginFinished: indicates successful authentication
- Synced: indicates we've received at least one netmap

This makes the state more composable and easier to reason about, as
multiple conditions can be true independently rather than being
encoded in a single enum value.

The State enum was originally intended as the state machine for the
whole client, but that abstraction moved to ipn.Backend long ago.
This change continues moving away from the legacy state machine by
representing state as a combination of independent facts.

Also adds test helpers in ipnlocal that check independent, observable
facts (hasValidNetMap, needsLogin, etc.) rather than relying on
derived state enums, making tests more robust.

Updates #12639

Signed-off-by: James Tucker <james@tailscale.com>

control/controlclient/auto.go

@@ -138,7 +138,6 @@ type Auto struct {
 	loggedIn       bool        // true if currently logged in
 	loginGoal      *LoginGoal  // non-nil if some login activity is desired
 	inMapPoll      bool        // true once we get the first MapResponse in a stream; false when HTTP response ends
-	state          State       // TODO(bradfitz): delete this, make it computed by method from other state
 
 	authCtx    context.Context // context used for auth requests
 	mapCtx     context.Context // context used for netmap and update requests
@@ -296,10 +295,11 @@ func (c *Auto) authRoutine() {
 		c.mu.Lock()
 		goal := c.loginGoal
 		ctx := c.authCtx
+		loggedIn := c.loggedIn
 		if goal != nil {
-			c.logf("[v1] authRoutine: %s; wantLoggedIn=%v", c.state, true)
+			c.logf("[v1] authRoutine: loggedIn=%v; wantLoggedIn=%v", loggedIn, true)
 		} else {
-			c.logf("[v1] authRoutine: %s; goal=nil paused=%v", c.state, c.paused)
+			c.logf("[v1] authRoutine: loggedIn=%v; goal=nil paused=%v", loggedIn, c.paused)
 		}
 		c.mu.Unlock()
 
@@ -322,11 +322,6 @@ func (c *Auto) authRoutine() {
 
 		c.mu.Lock()
 		c.urlToVisit = goal.url
-		if goal.url != "" {
-			c.state = StateURLVisitRequired
-		} else {
-			c.state = StateAuthenticating
-		}
 		c.mu.Unlock()
 
 		var url string
@@ -360,7 +355,6 @@ func (c *Auto) authRoutine() {
 				flags: LoginDefault,
 				url:   url,
 			}
-			c.state = StateURLVisitRequired
 			c.mu.Unlock()
 
 			c.sendStatus("authRoutine-url", err, url, nil)
@@ -380,7 +374,6 @@ func (c *Auto) authRoutine() {
 		c.urlToVisit = ""
 		c.loggedIn = true
 		c.loginGoal = nil
-		c.state = StateAuthenticated
 		c.mu.Unlock()
 
 		c.sendStatus("authRoutine-success", nil, "", nil)
@@ -431,12 +424,9 @@ func (mrs mapRoutineState) UpdateFullNetmap(nm *netmap.NetworkMap) {
 
 	c.mu.Lock()
 	c.inMapPoll = true
-	if c.loggedIn {
-		c.state = StateSynchronized
-	}
 	c.expiry = nm.Expiry
 	stillAuthed := c.loggedIn
-	c.logf("[v1] mapRoutine: netmap received: %s", c.state)
+	c.logf("[v1] mapRoutine: netmap received: loggedIn=%v inMapPoll=true", stillAuthed)
 	c.mu.Unlock()
 
 	if stillAuthed {
@@ -484,8 +474,8 @@ func (c *Auto) mapRoutine() {
 		}
 
 		c.mu.Lock()
-		c.logf("[v1] mapRoutine: %s", c.state)
 		loggedIn := c.loggedIn
+		c.logf("[v1] mapRoutine: loggedIn=%v", loggedIn)
 		ctx := c.mapCtx
 		c.mu.Unlock()
 
@@ -516,9 +506,6 @@ func (c *Auto) mapRoutine() {
 		c.direct.health.SetOutOfPollNetMap()
 		c.mu.Lock()
 		c.inMapPoll = false
-		if c.state == StateSynchronized {
-			c.state = StateAuthenticated
-		}
 		paused := c.paused
 		c.mu.Unlock()
 
@@ -584,12 +571,12 @@ func (c *Auto) sendStatus(who string, err error, url string, nm *netmap.NetworkM
 		c.mu.Unlock()
 		return
 	}
-	state := c.state
 	loggedIn := c.loggedIn
 	inMapPoll := c.inMapPoll
+	loginGoal := c.loginGoal
 	c.mu.Unlock()
 
-	c.logf("[v1] sendStatus: %s: %v", who, state)
+	c.logf("[v1] sendStatus: %s: loggedIn=%v inMapPoll=%v", who, loggedIn, inMapPoll)
 
 	var p persist.PersistView
 	if nm != nil && loggedIn && inMapPoll {
@@ -600,11 +587,12 @@ func (c *Auto) sendStatus(who string, err error, url string, nm *netmap.NetworkM
 		nm = nil
 	}
 	newSt := &Status{
-		URL:     url,
-		Persist: p,
-		NetMap:  nm,
-		Err:     err,
-		state:   state,
+		URL:       url,
+		Persist:   p,
+		NetMap:    nm,
+		Err:       err,
+		LoggedIn:  loggedIn && loginGoal == nil,
+		InMapPoll: inMapPoll,
 	}
 
 	if c.observer == nil {
@@ -667,14 +655,15 @@ func canSkipStatus(s1, s2 *Status) bool {
 		// we can't skip it.
 		return false
 	}
-	if s1.Err != nil || s1.URL != "" {
-		// If s1 has an error or a URL, we shouldn't skip it, lest the error go
-		// away in s2 or in-between. We want to make sure all the subsystems see
-		// it. Plus there aren't many of these, so not worth skipping.
+	if s1.Err != nil || s1.URL != "" || s1.LoggedIn {
+		// If s1 has an error, a URL, or LoginFinished set, we shouldn't skip it,
+		// lest the error go away in s2 or in-between. We want to make sure all
+		// the subsystems see it. Plus there aren't many of these, so not worth
+		// skipping.
 		return false
 	}
-	if !s1.Persist.Equals(s2.Persist) || s1.state != s2.state {
-		// If s1 has a different Persist or state than s2,
+	if !s1.Persist.Equals(s2.Persist) || s1.LoggedIn != s2.LoggedIn || s1.InMapPoll != s2.InMapPoll || s1.URL != s2.URL {
+		// If s1 has a different Persist, LoginFinished, Synced, or URL than s2,
 		// don't skip it. We only care about skipping the typical
 		// entries where the only difference is the NetMap.
 		return false
@@ -736,7 +725,6 @@ func (c *Auto) Logout(ctx context.Context) error {
 	}
 	c.mu.Lock()
 	c.loggedIn = false
-	c.state = StateNotAuthenticated
 	c.cancelAuthCtxLocked()
 	c.cancelMapCtxLocked()
 	c.mu.Unlock()

control/controlclient/controlclient_test.go

@@ -15,7 +15,6 @@ import (
 	"net/netip"
 	"net/url"
 	"reflect"
-	"slices"
 	"sync/atomic"
 	"testing"
 	"time"
@@ -49,7 +48,7 @@ func fieldsOf(t reflect.Type) (fields []string) {
 
 func TestStatusEqual(t *testing.T) {
 	// Verify that the Equal method stays in sync with reality
-	equalHandles := []string{"Err", "URL", "NetMap", "Persist", "state"}
+	equalHandles := []string{"Err", "URL", "LoggedIn", "InMapPoll", "NetMap", "Persist"}
 	if have := fieldsOf(reflect.TypeFor[Status]()); !reflect.DeepEqual(have, equalHandles) {
 		t.Errorf("Status.Equal check might be out of sync\nfields: %q\nhandled: %q\n",
 			have, equalHandles)
@@ -81,7 +80,7 @@ func TestStatusEqual(t *testing.T) {
 		},
 		{
 			&Status{},
-			&Status{state: StateAuthenticated},
+			&Status{LoggedIn: true, Persist: new(persist.Persist).View()},
 			false,
 		},
 	}
@@ -135,8 +134,20 @@ func TestCanSkipStatus(t *testing.T) {
 			want: false,
 		},
 		{
-			name: "s1-state-diff",
-			s1:   &Status{state: 123, NetMap: nm1},
+			name: "s1-login-finished-diff",
+			s1:   &Status{LoggedIn: true, Persist: new(persist.Persist).View(), NetMap: nm1},
+			s2:   &Status{NetMap: nm2},
+			want: false,
+		},
+		{
+			name: "s1-login-finished",
+			s1:   &Status{LoggedIn: true, Persist: new(persist.Persist).View(), NetMap: nm1},
+			s2:   &Status{NetMap: nm2},
+			want: false,
+		},
+		{
+			name: "s1-synced-diff",
+			s1:   &Status{InMapPoll: true, LoggedIn: true, Persist: new(persist.Persist).View(), NetMap: nm1},
 			s2:   &Status{NetMap: nm2},
 			want: false,
 		},
@@ -167,10 +178,11 @@ func TestCanSkipStatus(t *testing.T) {
 		})
 	}
 
-	want := []string{"Err", "URL", "NetMap", "Persist", "state"}
-	if f := fieldsOf(reflect.TypeFor[Status]()); !slices.Equal(f, want) {
-		t.Errorf("Status fields = %q; this code was only written to handle fields %q", f, want)
+	coveredFields := []string{"Err", "URL", "LoggedIn", "InMapPoll", "NetMap", "Persist"}
+	if have := fieldsOf(reflect.TypeFor[Status]()); !reflect.DeepEqual(have, coveredFields) {
+		t.Errorf("Status fields = %q; this code was only written to handle fields %q", have, coveredFields)
 	}
+
 }
 
 func TestRetryableErrors(t *testing.T) {

control/controlclient/status.go

@@ -4,8 +4,6 @@
 package controlclient
 
 import (
-	"encoding/json"
-	"fmt"
 	"reflect"
 
 	"tailscale.com/types/netmap"
@@ -13,57 +11,6 @@ import (
 	"tailscale.com/types/structs"
 )
 
-// State is the high-level state of the client. It is used only in
-// unit tests for proper sequencing, don't depend on it anywhere else.
-//
-// TODO(apenwarr): eliminate the state, as it's now obsolete.
-//
-// apenwarr: Historical note: controlclient.Auto was originally
-// intended to be the state machine for the whole tailscale client, but that
-// turned out to not be the right abstraction layer, and it moved to
-// ipn.Backend. Since ipn.Backend now has a state machine, it would be
-// much better if controlclient could be a simple stateless API. But the
-// current server-side API (two interlocking polling https calls) makes that
-// very hard to implement. A server side API change could untangle this and
-// remove all the statefulness.
-type State int
-
-const (
-	StateNew = State(iota)
-	StateNotAuthenticated
-	StateAuthenticating
-	StateURLVisitRequired
-	StateAuthenticated
-	StateSynchronized // connected and received map update
-)
-
-func (s State) AppendText(b []byte) ([]byte, error) {
-	return append(b, s.String()...), nil
-}
-
-func (s State) MarshalText() ([]byte, error) {
-	return []byte(s.String()), nil
-}
-
-func (s State) String() string {
-	switch s {
-	case StateNew:
-		return "state:new"
-	case StateNotAuthenticated:
-		return "state:not-authenticated"
-	case StateAuthenticating:
-		return "state:authenticating"
-	case StateURLVisitRequired:
-		return "state:url-visit-required"
-	case StateAuthenticated:
-		return "state:authenticated"
-	case StateSynchronized:
-		return "state:synchronized"
-	default:
-		return fmt.Sprintf("state:unknown:%d", int(s))
-	}
-}
-
 type Status struct {
 	_ structs.Incomparable
 
@@ -76,6 +23,14 @@ type Status struct {
 	// URL, if non-empty, is the interactive URL to visit to finish logging in.
 	URL string
 
+	// LoggedIn, if true, indicates that serveRegister has completed and no
+	// other login change is in progress.
+	LoggedIn bool
+
+	// InMapPoll, if true, indicates that we've received at least one netmap
+	// and are connected to receive updates.
+	InMapPoll bool
+
 	// NetMap is the latest server-pushed state of the tailnet network.
 	NetMap *netmap.NetworkMap
 
@@ -83,26 +38,8 @@ type Status struct {
 	//
 	// TODO(bradfitz,maisem): clarify this.
 	Persist persist.PersistView
-
-	// state is the internal state. It should not be exposed outside this
-	// package, but we have some automated tests elsewhere that need to
-	// use it via the StateForTest accessor.
-	// TODO(apenwarr): Unexport or remove these.
-	state State
 }
 
-// LoginFinished reports whether the controlclient is in its "StateAuthenticated"
-// state where it's in a happy register state but not yet in a map poll.
-//
-// TODO(bradfitz): delete this and everything around Status.state.
-func (s *Status) LoginFinished() bool { return s.state == StateAuthenticated }
-
-// StateForTest returns the internal state of s for tests only.
-func (s *Status) StateForTest() State { return s.state }
-
-// SetStateForTest sets the internal state of s for tests only.
-func (s *Status) SetStateForTest(state State) { s.state = state }
-
 // Equal reports whether s and s2 are equal.
 func (s *Status) Equal(s2 *Status) bool {
 	if s == nil && s2 == nil {
@@ -111,15 +48,8 @@ func (s *Status) Equal(s2 *Status) bool {
 	return s != nil && s2 != nil &&
 		s.Err == s2.Err &&
 		s.URL == s2.URL &&
-		s.state == s2.state &&
+		s.LoggedIn == s2.LoggedIn &&
+		s.InMapPoll == s2.InMapPoll &&
 		reflect.DeepEqual(s.Persist, s2.Persist) &&
 		reflect.DeepEqual(s.NetMap, s2.NetMap)
 }
-
-func (s Status) String() string {
-	b, err := json.MarshalIndent(s, "", "\t")
-	if err != nil {
-		panic(err)
-	}
-	return s.state.String() + " " + string(b)
-}

ipn/ipnlocal/local.go

@@ -1623,7 +1623,7 @@ func (b *LocalBackend) SetControlClientStatus(c controlclient.Client, st control
 		b.blockEngineUpdatesLocked(false)
 	}
 
-	if st.LoginFinished() && (wasBlocked || authWasInProgress) {
+	if st.LoggedIn && (wasBlocked || authWasInProgress) {
 		if wasBlocked {
 			// Auth completed, unblock the engine
 			b.blockEngineUpdatesLocked(false)
@@ -1658,8 +1658,8 @@ func (b *LocalBackend) SetControlClientStatus(c controlclient.Client, st control
 			prefs.Persist = st.Persist.AsStruct()
 		}
 	}
-	if st.LoginFinished() {
-		if b.authURL != "" {
+	if st.LoggedIn {
+		if authWasInProgress {
 			b.resetAuthURLLocked()
 			// Interactive login finished successfully (URL visited).
 			// After an interactive login, the user always wants

ipn/ipnlocal/state_test.go

@@ -206,9 +206,7 @@ func (cc *mockControl) send(opts sendOpt) {
 			Err:     err,
 		}
 		if loginFinished {
-			s.SetStateForTest(controlclient.StateAuthenticated)
-		} else if url == "" && err == nil && nm == nil {
-			s.SetStateForTest(controlclient.StateNotAuthenticated)
+			s.LoggedIn = true
 		}
 		cc.opts.Observer.SetControlClientStatus(cc, s)
 	}
@@ -228,7 +226,6 @@ func (cc *mockControl) sendAuthURL(nm *netmap.NetworkMap) {
 		NetMap:  nm,
 		Persist: cc.persist.View(),
 	}
-	s.SetStateForTest(controlclient.StateURLVisitRequired)
 	cc.opts.Observer.SetControlClientStatus(cc, s)
 }
 
@@ -434,8 +431,11 @@ func runTestStateMachine(t *testing.T, seamless bool) {
 		// for it, so it doesn't count as Prefs.LoggedOut==true.
 		c.Assert(prefs.LoggedOut(), qt.IsTrue)
 		c.Assert(prefs.WantRunning(), qt.IsFalse)
-		c.Assert(ipn.NeedsLogin, qt.Equals, *nn[1].State)
-		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
+		// Verify notification indicates we need login (prefs show logged out)
+		c.Assert(nn[1].Prefs == nil || nn[1].Prefs.LoggedOut(), qt.IsTrue)
+		// Verify the actual facts about our state
+		c.Assert(needsLogin(b), qt.IsTrue)
+		c.Assert(hasValidNetMap(b), qt.IsFalse)
 	}
 
 	// Restart the state machine.
@@ -455,8 +455,11 @@ func runTestStateMachine(t *testing.T, seamless bool) {
 		c.Assert(nn[1].State, qt.IsNotNil)
 		c.Assert(nn[0].Prefs.LoggedOut(), qt.IsTrue)
 		c.Assert(nn[0].Prefs.WantRunning(), qt.IsFalse)
-		c.Assert(ipn.NeedsLogin, qt.Equals, *nn[1].State)
-		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
+		// Verify notification indicates we need login
+		c.Assert(nn[1].Prefs == nil || nn[1].Prefs.LoggedOut(), qt.IsTrue)
+		// Verify the actual facts about our state
+		c.Assert(needsLogin(b), qt.IsTrue)
+		c.Assert(hasValidNetMap(b), qt.IsFalse)
 	}
 
 	// Start non-interactive login with no token.
@@ -473,7 +476,8 @@ func runTestStateMachine(t *testing.T, seamless bool) {
 		// (This behaviour is needed so that b.Login() won't
 		// start connecting to an old account right away, if one
 		// exists when you launch another login.)
-		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
+		// Verify we still need login
+		c.Assert(needsLogin(b), qt.IsTrue)
 	}
 
 	// Attempted non-interactive login with no key; indicate that
@@ -500,10 +504,11 @@ func runTestStateMachine(t *testing.T, seamless bool) {
 		c.Assert(nn[1].Prefs, qt.IsNotNil)
 		c.Assert(nn[1].Prefs.LoggedOut(), qt.IsTrue)
 		c.Assert(nn[1].Prefs.WantRunning(), qt.IsFalse)
-		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
+		// Verify we need URL visit
+		c.Assert(hasAuthURL(b), qt.IsTrue)
 		c.Assert(nn[2].BrowseToURL, qt.IsNotNil)
 		c.Assert(url1, qt.Equals, *nn[2].BrowseToURL)
-		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
+		c.Assert(isFullyAuthenticated(b), qt.IsFalse)
 	}
 
 	// Now we'll try an interactive login.
@@ -518,7 +523,8 @@ func runTestStateMachine(t *testing.T, seamless bool) {
 		cc.assertCalls()
 		c.Assert(nn[0].BrowseToURL, qt.IsNotNil)
 		c.Assert(url1, qt.Equals, *nn[0].BrowseToURL)
-		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
+		// Verify we still need to complete login
+		c.Assert(needsLogin(b), qt.IsTrue)
 	}
 
 	// Sometimes users press the Login button again, in the middle of
@@ -534,7 +540,8 @@ func runTestStateMachine(t *testing.T, seamless bool) {
 		notifies.drain(0)
 		// backend asks control for another login sequence
 		cc.assertCalls("Login")
-		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
+		// Verify we still need login
+		c.Assert(needsLogin(b), qt.IsTrue)
 	}
 
 	// Provide a new interactive login URL.
@@ -550,7 +557,8 @@ func runTestStateMachine(t *testing.T, seamless bool) {
 		nn := notifies.drain(1)
 		c.Assert(nn[0].BrowseToURL, qt.IsNotNil)
 		c.Assert(url2, qt.Equals, *nn[0].BrowseToURL)
-		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
+		// Verify we still need to complete login
+		c.Assert(needsLogin(b), qt.IsTrue)
 	}
 
 	// Pretend that the interactive login actually happened.
@@ -582,10 +590,18 @@ func runTestStateMachine(t *testing.T, seamless bool) {
 		cc.assertCalls()
 		c.Assert(nn[0].LoginFinished, qt.IsNotNil)
 		c.Assert(nn[1].Prefs, qt.IsNotNil)
-		c.Assert(nn[2].State, qt.IsNotNil)
 		c.Assert(nn[1].Prefs.Persist().UserProfile().LoginName, qt.Equals, "user1")
-		c.Assert(ipn.NeedsMachineAuth, qt.Equals, *nn[2].State)
-		c.Assert(ipn.NeedsMachineAuth, qt.Equals, b.State())
+		// nn[2] is a state notification after login
+		// Verify login finished but need machine auth using backend state
+		c.Assert(isFullyAuthenticated(b), qt.IsTrue)
+		c.Assert(needsMachineAuth(b), qt.IsTrue)
+		nm := b.NetMap()
+		c.Assert(nm, qt.IsNotNil)
+		// For an empty netmap (after initial login), SelfNode may not be valid yet.
+		// In this case, we can't check MachineAuthorized, but needsMachineAuth already verified the state.
+		if nm.SelfNode.Valid() {
+			c.Assert(nm.SelfNode.MachineAuthorized(), qt.IsFalse)
+		}
 	}
 
 	// Pretend that the administrator has authorized our machine.
@@ -603,8 +619,13 @@ func runTestStateMachine(t *testing.T, seamless bool) {
 	{
 		nn := notifies.drain(1)
 		cc.assertCalls()
-		c.Assert(nn[0].State, qt.IsNotNil)
-		c.Assert(ipn.Starting, qt.Equals, *nn[0].State)
+		// nn[0] is a state notification after machine auth granted
+		c.Assert(len(nn), qt.Equals, 1)
+		// Verify machine authorized using backend state
+		nm := b.NetMap()
+		c.Assert(nm, qt.IsNotNil)
+		c.Assert(nm.SelfNode.Valid(), qt.IsTrue)
+		c.Assert(nm.SelfNode.MachineAuthorized(), qt.IsTrue)
 	}
 
 	// TODO: add a fake DERP server to our fake netmap, so we can
@@ -627,9 +648,9 @@ func runTestStateMachine(t *testing.T, seamless bool) {
 		nn := notifies.drain(2)
 		cc.assertCalls("pause")
 		// BUG: I would expect Prefs to change first, and state after.
-		c.Assert(nn[0].State, qt.IsNotNil)
+		// nn[0] is state notification, nn[1] is prefs notification
 		c.Assert(nn[1].Prefs, qt.IsNotNil)
-		c.Assert(ipn.Stopped, qt.Equals, *nn[0].State)
+		c.Assert(nn[1].Prefs.WantRunning(), qt.IsFalse)
 	}
 
 	// The user changes their preference to WantRunning after all.
@@ -645,17 +666,12 @@ func runTestStateMachine(t *testing.T, seamless bool) {
 		// BUG: Login isn't needed here. We never logged out.
 		cc.assertCalls("Login", "unpause")
 		// BUG: I would expect Prefs to change first, and state after.
-		c.Assert(nn[0].State, qt.IsNotNil)
+		// nn[0] is state notification, nn[1] is prefs notification
 		c.Assert(nn[1].Prefs, qt.IsNotNil)
-		c.Assert(ipn.Starting, qt.Equals, *nn[0].State)
+		c.Assert(nn[1].Prefs.WantRunning(), qt.IsTrue)
 		c.Assert(store.sawWrite(), qt.IsTrue)
 	}
 
-	// undo the state hack above.
-	b.mu.Lock()
-	b.state = ipn.Starting
-	b.mu.Unlock()
-
 	// User wants to logout.
 	store.awaitWrite()
 	t.Logf("\n\nLogout")
@@ -664,27 +680,26 @@ func runTestStateMachine(t *testing.T, seamless bool) {
 	{
 		nn := notifies.drain(5)
 		previousCC.assertCalls("pause", "Logout", "unpause", "Shutdown")
+		// nn[0] is state notification (Stopped)
 		c.Assert(nn[0].State, qt.IsNotNil)
 		c.Assert(*nn[0].State, qt.Equals, ipn.Stopped)
-
+		// nn[1] is prefs notification after logout
 		c.Assert(nn[1].Prefs, qt.IsNotNil)
 		c.Assert(nn[1].Prefs.LoggedOut(), qt.IsTrue)
 		c.Assert(nn[1].Prefs.WantRunning(), qt.IsFalse)
 
 		cc.assertCalls("New")
-		c.Assert(nn[2].State, qt.IsNotNil)
-		c.Assert(*nn[2].State, qt.Equals, ipn.NoState)
-
-		c.Assert(nn[3].Prefs, qt.IsNotNil) // emptyPrefs
+		// nn[2] is the initial state notification after New (NoState)
+		// nn[3] is prefs notification with emptyPrefs
+		c.Assert(nn[3].Prefs, qt.IsNotNil)
 		c.Assert(nn[3].Prefs.LoggedOut(), qt.IsTrue)
 		c.Assert(nn[3].Prefs.WantRunning(), qt.IsFalse)
 
-		c.Assert(nn[4].State, qt.IsNotNil)
-		c.Assert(*nn[4].State, qt.Equals, ipn.NeedsLogin)
-
-		c.Assert(b.State(), qt.Equals, ipn.NeedsLogin)
-
 		c.Assert(store.sawWrite(), qt.IsTrue)
+		// nn[4] is state notification (NeedsLogin)
+		// Verify logged out and needs new login using backend state
+		c.Assert(needsLogin(b), qt.IsTrue)
+		c.Assert(hasValidNetMap(b), qt.IsFalse)
 	}
 
 	// A second logout should be a no-op as we are in the NeedsLogin state.
@@ -696,7 +711,8 @@ func runTestStateMachine(t *testing.T, seamless bool) {
 		cc.assertCalls()
 		c.Assert(b.Prefs().LoggedOut(), qt.IsTrue)
 		c.Assert(b.Prefs().WantRunning(), qt.IsFalse)
-		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
+		// Verify still needs login
+		c.Assert(needsLogin(b), qt.IsTrue)
 	}
 
 	// A third logout should also be a no-op as the cc should be in
@@ -709,7 +725,8 @@ func runTestStateMachine(t *testing.T, seamless bool) {
 		cc.assertCalls()
 		c.Assert(b.Prefs().LoggedOut(), qt.IsTrue)
 		c.Assert(b.Prefs().WantRunning(), qt.IsFalse)
-		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
+		// Verify still needs login
+		c.Assert(needsLogin(b), qt.IsTrue)
 	}
 
 	// Oh, you thought we were done? Ha! Now we have to test what
@@ -732,11 +749,13 @@ func runTestStateMachine(t *testing.T, seamless bool) {
 		nn := notifies.drain(2)
 		cc.assertCalls()
 		c.Assert(nn[0].Prefs, qt.IsNotNil)
-		c.Assert(nn[1].State, qt.IsNotNil)
 		c.Assert(nn[0].Prefs.LoggedOut(), qt.IsTrue)
 		c.Assert(nn[0].Prefs.WantRunning(), qt.IsFalse)
-		c.Assert(ipn.NeedsLogin, qt.Equals, *nn[1].State)
-		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
+		// Verify notification indicates we need login
+		c.Assert(nn[1].Prefs == nil || nn[1].Prefs.LoggedOut(), qt.IsTrue)
+		// Verify we need login after restart
+		c.Assert(needsLogin(b), qt.IsTrue)
+		c.Assert(hasValidNetMap(b), qt.IsFalse)
 	}
 
 	// Explicitly set the ControlURL to avoid defaulting to [ipn.DefaultControlURL].
@@ -787,8 +806,9 @@ func runTestStateMachine(t *testing.T, seamless bool) {
 		c.Assert(nn[1].Prefs.LoggedOut(), qt.IsFalse)
 		// If a user initiates an interactive login, they also expect WantRunning to become true.
 		c.Assert(nn[1].Prefs.WantRunning(), qt.IsTrue)
-		c.Assert(nn[2].State, qt.IsNotNil)
-		c.Assert(ipn.Starting, qt.Equals, *nn[2].State)
+		// nn[2] is state notification (Starting) - verify using backend state
+		c.Assert(isWantRunning(b), qt.IsTrue)
+		c.Assert(isLoggedIn(b), qt.IsTrue)
 	}
 
 	// Now we've logged in successfully. Let's disconnect.
@@ -802,9 +822,9 @@ func runTestStateMachine(t *testing.T, seamless bool) {
 		nn := notifies.drain(2)
 		cc.assertCalls("pause")
 		// BUG: I would expect Prefs to change first, and state after.
-		c.Assert(nn[0].State, qt.IsNotNil)
+		// nn[0] is state notification (Stopped), nn[1] is prefs notification
 		c.Assert(nn[1].Prefs, qt.IsNotNil)
-		c.Assert(ipn.Stopped, qt.Equals, *nn[0].State)
+		c.Assert(nn[1].Prefs.WantRunning(), qt.IsFalse)
 		c.Assert(nn[1].Prefs.LoggedOut(), qt.IsFalse)
 	}
 
@@ -822,10 +842,11 @@ func runTestStateMachine(t *testing.T, seamless bool) {
 		// and WantRunning is false, so cc should be paused.
 		cc.assertCalls("New", "Login", "pause")
 		c.Assert(nn[0].Prefs, qt.IsNotNil)
-		c.Assert(nn[1].State, qt.IsNotNil)
 		c.Assert(nn[0].Prefs.WantRunning(), qt.IsFalse)
 		c.Assert(nn[0].Prefs.LoggedOut(), qt.IsFalse)
-		c.Assert(*nn[1].State, qt.Equals, ipn.Stopped)
+		// nn[1] is state notification (Stopped)
+		// Verify backend shows we're not wanting to run
+		c.Assert(isWantRunning(b), qt.IsFalse)
 	}
 
 	// When logged in but !WantRunning, ipn leaves us unpaused to retrieve
@@ -863,9 +884,9 @@ func runTestStateMachine(t *testing.T, seamless bool) {
 		nn := notifies.drain(2)
 		cc.assertCalls("Login", "unpause")
 		// BUG: I would expect Prefs to change first, and state after.
-		c.Assert(nn[0].State, qt.IsNotNil)
+		// nn[0] is state notification (Starting), nn[1] is prefs notification
 		c.Assert(nn[1].Prefs, qt.IsNotNil)
-		c.Assert(ipn.Starting, qt.Equals, *nn[0].State)
+		c.Assert(nn[1].Prefs.WantRunning(), qt.IsTrue)
 	}
 
 	// Disconnect.
@@ -879,9 +900,9 @@ func runTestStateMachine(t *testing.T, seamless bool) {
 		nn := notifies.drain(2)
 		cc.assertCalls("pause")
 		// BUG: I would expect Prefs to change first, and state after.
-		c.Assert(nn[0].State, qt.IsNotNil)
+		// nn[0] is state notification (Stopped), nn[1] is prefs notification
 		c.Assert(nn[1].Prefs, qt.IsNotNil)
-		c.Assert(ipn.Stopped, qt.Equals, *nn[0].State)
+		c.Assert(nn[1].Prefs.WantRunning(), qt.IsFalse)
 	}
 
 	// We want to try logging in as a different user, while Stopped.
@@ -926,12 +947,13 @@ func runTestStateMachine(t *testing.T, seamless bool) {
 		cc.assertCalls("unpause")
 		c.Assert(nn[0].LoginFinished, qt.IsNotNil)
 		c.Assert(nn[1].Prefs, qt.IsNotNil)
-		c.Assert(nn[2].State, qt.IsNotNil)
 		// Prefs after finishing the login, so LoginName updated.
 		c.Assert(nn[1].Prefs.Persist().UserProfile().LoginName, qt.Equals, "user3")
 		c.Assert(nn[1].Prefs.LoggedOut(), qt.IsFalse)
 		c.Assert(nn[1].Prefs.WantRunning(), qt.IsTrue)
-		c.Assert(ipn.Starting, qt.Equals, *nn[2].State)
+		// nn[2] is state notification (Starting) - verify using backend state
+		c.Assert(isWantRunning(b), qt.IsTrue)
+		c.Assert(isLoggedIn(b), qt.IsTrue)
 	}
 
 	// The last test case is the most common one: restarting when both
@@ -950,11 +972,10 @@ func runTestStateMachine(t *testing.T, seamless bool) {
 		c.Assert(nn[0].Prefs, qt.IsNotNil)
 		c.Assert(nn[0].Prefs.LoggedOut(), qt.IsFalse)
 		c.Assert(nn[0].Prefs.WantRunning(), qt.IsTrue)
-		// We're logged in and have a valid netmap, so we should
-		// be in the Starting state.
-		c.Assert(nn[1].State, qt.IsNotNil)
-		c.Assert(*nn[1].State, qt.Equals, ipn.Starting)
-		c.Assert(b.State(), qt.Equals, ipn.Starting)
+		// nn[1] is state notification (Starting)
+		// Verify we're authenticated with valid netmap using backend state
+		c.Assert(isFullyAuthenticated(b), qt.IsTrue)
+		c.Assert(hasValidNetMap(b), qt.IsTrue)
 	}
 
 	// Control server accepts our valid key from before.
@@ -971,7 +992,9 @@ func runTestStateMachine(t *testing.T, seamless bool) {
 		// NOTE: No prefs change this time. WantRunning stays true.
 		// We were in Starting in the first place, so that doesn't
 		// change either, so we don't expect any notifications.
-		c.Assert(ipn.Starting, qt.Equals, b.State())
+		// Verify we're still authenticated with valid netmap
+		c.Assert(isFullyAuthenticated(b), qt.IsTrue)
+		c.Assert(hasValidNetMap(b), qt.IsTrue)
 	}
 	t.Logf("\n\nExpireKey")
 	notifies.expect(1)
@@ -982,9 +1005,10 @@ func runTestStateMachine(t *testing.T, seamless bool) {
 	{
 		nn := notifies.drain(1)
 		cc.assertCalls()
-		c.Assert(nn[0].State, qt.IsNotNil)
-		c.Assert(ipn.NeedsLogin, qt.Equals, *nn[0].State)
-		c.Assert(ipn.NeedsLogin, qt.Equals, b.State())
+		// nn[0] is state notification (NeedsLogin) due to key expiry
+		c.Assert(len(nn), qt.Equals, 1)
+		// Verify key expired, need new login using backend state
+		c.Assert(needsLogin(b), qt.IsTrue)
 		c.Assert(b.isEngineBlocked(), qt.IsTrue)
 	}
 
@@ -997,9 +1021,11 @@ func runTestStateMachine(t *testing.T, seamless bool) {
 	{
 		nn := notifies.drain(1)
 		cc.assertCalls()
-		c.Assert(nn[0].State, qt.IsNotNil)
-		c.Assert(ipn.Starting, qt.Equals, *nn[0].State)
-		c.Assert(ipn.Starting, qt.Equals, b.State())
+		// nn[0] is state notification (Starting) after key extension
+		c.Assert(len(nn), qt.Equals, 1)
+		// Verify key extended, authenticated again using backend state
+		c.Assert(isFullyAuthenticated(b), qt.IsTrue)
+		c.Assert(hasValidNetMap(b), qt.IsTrue)
 		c.Assert(b.isEngineBlocked(), qt.IsFalse)
 	}
 	notifies.expect(1)
@@ -1008,9 +1034,10 @@ func runTestStateMachine(t *testing.T, seamless bool) {
 	{
 		nn := notifies.drain(1)
 		cc.assertCalls()
-		c.Assert(nn[0].State, qt.IsNotNil)
-		c.Assert(ipn.Running, qt.Equals, *nn[0].State)
-		c.Assert(ipn.Running, qt.Equals, b.State())
+		// nn[0] is state notification (Running) after DERP connection
+		c.Assert(len(nn), qt.Equals, 1)
+		// Verify we can route traffic using backend state
+		c.Assert(canRouteTraffic(b), qt.IsTrue)
 	}
 }
 
@@ -1901,3 +1928,77 @@ func (e *mockEngine) Close() {
 func (e *mockEngine) Done() <-chan struct{} {
 	return e.done
 }
+
+// hasValidNetMap returns true if the backend has a valid network map with a valid self node.
+func hasValidNetMap(b *LocalBackend) bool {
+	nm := b.NetMap()
+	return nm != nil && nm.SelfNode.Valid()
+}
+
+// needsLogin returns true if the backend needs user login action.
+// This is true when logged out, when an auth URL is present (interactive login in progress),
+// or when the node key has expired.
+func needsLogin(b *LocalBackend) bool {
+	// Note: b.Prefs() handles its own locking, so we lock only for authURL and keyExpired access
+	b.mu.Lock()
+	authURL := b.authURL
+	keyExpired := b.keyExpired
+	b.mu.Unlock()
+	return b.Prefs().LoggedOut() || authURL != "" || keyExpired
+}
+
+// needsMachineAuth returns true if the user has logged in but the machine is not yet authorized.
+// This includes the case where we have a netmap but no valid SelfNode yet (empty netmap after initial login).
+func needsMachineAuth(b *LocalBackend) bool {
+	// Note: b.NetMap() and b.Prefs() handle their own locking
+	nm := b.NetMap()
+	prefs := b.Prefs()
+	if prefs.LoggedOut() || nm == nil {
+		return false
+	}
+	// If we have a valid SelfNode, check its MachineAuthorized status
+	if nm.SelfNode.Valid() {
+		return !nm.SelfNode.MachineAuthorized()
+	}
+	// Empty netmap (no SelfNode yet) after login also means we need machine auth
+	return true
+}
+
+// hasAuthURL returns true if an authentication URL is present (user needs to visit a URL).
+func hasAuthURL(b *LocalBackend) bool {
+	b.mu.Lock()
+	authURL := b.authURL
+	b.mu.Unlock()
+	return authURL != ""
+}
+
+// canRouteTraffic returns true if the backend is capable of routing traffic.
+// This requires a valid netmap, machine authorization, and WantRunning preference.
+func canRouteTraffic(b *LocalBackend) bool {
+	// Note: b.NetMap() and b.Prefs() handle their own locking
+	nm := b.NetMap()
+	prefs := b.Prefs()
+	return nm != nil &&
+		nm.SelfNode.Valid() &&
+		nm.SelfNode.MachineAuthorized() &&
+		prefs.WantRunning()
+}
+
+// isFullyAuthenticated returns true if the user has completed login and no auth URL is pending.
+func isFullyAuthenticated(b *LocalBackend) bool {
+	// Note: b.Prefs() handles its own locking, so we lock only for authURL access
+	b.mu.Lock()
+	authURL := b.authURL
+	b.mu.Unlock()
+	return !b.Prefs().LoggedOut() && authURL == ""
+}
+
+// isWantRunning returns true if the WantRunning preference is set.
+func isWantRunning(b *LocalBackend) bool {
+	return b.Prefs().WantRunning()
+}
+
+// isLoggedIn returns true if the user is logged in (not logged out).
+func isLoggedIn(b *LocalBackend) bool {
+	return !b.Prefs().LoggedOut()
+}