tailscale

Commit Graph

Author	SHA1	Message	Date
kari-ts	3c4c9dc1d2	web: use EditPrefs instead of passing UpdatePrefs to starting (#12040 ) Web version of https://github.com/tailscale/tailscale-android/pull/370 This allows us to update the prefs rather than creating new prefs Updates tailscale/tailscale#11731 Signed-off-by: kari-ts <kari@tailscale.com>	2 months ago
Sonia Appasamy	95f26565db	client/web: use grants on web UI frontend Starts using peer capabilities to restrict the management client on a per-view basis. This change also includes a bulky cleanup of the login-toggle.tsx file, which was getting pretty unwieldy in its previous form. Updates tailscale/corp#16695 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	4 months ago
Sonia Appasamy	9aa704a05d	client/web: restrict serveAPI endpoints to peer capabilities This change adds a new apiHandler struct for use from serveAPI to aid with restricting endpoints to specific peer capabilities. Updates tailscale/corp#16695 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	4 months ago
Sonia Appasamy	2bb837a9cf	client/web: only check policy caps for tagged nodes For user-owned nodes, only the owner is ever allowed to manage the node. Updates tailscale/corp#16695 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	5 months ago
Will Norris	128c99d4ae	client/web: add new readonly mode The new read-only mode is only accessible when running `tailscale web` by passing a new `-readonly` flag. This new mode is identical to the existing login mode with two exceptions: - the management client in tailscaled is not started (though if it is already running, it is left alone) - the client does not prompt the user to login or switch to the management client. Instead, a message is shown instructing the user to use other means to manage the device. Updates #10979 Signed-off-by: Will Norris <will@tailscale.com>	5 months ago
Sonia Appasamy	331a6d105f	client/web: add initial types for using peer capabilities Sets up peer capability types for future use within the web client views and APIs. Updates tailscale/corp#16695 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	5 months ago
Will Norris	569b91417f	client/web: ensure path prefix has a leading slash This is simply an extra check to prevent hypothetical issues if a prefix such as `--prefix="javascript:alert(1)"` was provided. This isn't really necessary since the prefix is a configuration flag provided by the device owner, not user input. But it does enforce that we are always interpreting the provided value as a path relative to the root. Fixes: tailscale/corp#16268 Signed-off-by: Will Norris <will@tailscale.com>	6 months ago
Sonia Appasamy	c6a274611e	client/web: use Tailscale IP known by peer node Throughout the web UI, we present the tailscale addresses for the self node. In the case of the node being shared out with a user from another tailnet, the peer viewer may actually know the node by a different IP than the node knows itself as (Tailscale IPs can be configured as desired on a tailnet level). This change includes two fixes: 1. Present the self node's addresses in the frontend as the addresses the viewing node knows it as (i.e. the addresses the viewing node uses to access the web client). 2. We currently redirect the viewer to the Tailscale IPv4 address if viewing it by MagicDNS name, or any other name that maps to the Tailscale node. When doing this redirect, which is primarily added for DNS rebinding protection, we now check the address the peer knows this node as, and redirect to specifically that IP. Fixes tailscale/corp#16402 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	6 months ago
Chris Palmer	b62a3fc895	client/web: keep redirects on-site (#10525 ) Ensure we don't create Location: header URLs that have leading //, which is a schema-less reference to arbitrary 3rd-party sites. That is, //example.com/foo redirects off-site, while /example.com/foo is an on-site path URL. Fixes tailscale/corp#16268 Signed-off-by: Chris Palmer <cpalmer@tailscale.com>	6 months ago
Sonia Appasamy	4fb679d9cd	client/web: fix redirect logic when accessing login client over TS IP Was previously failing to redirect to the manage client when accessing the login client with the Tailscale IP. Updates #10261 Fixes tailscale/corp#16348 Co-authored-by: Will Norris <will@tailscale.com> Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	6 months ago
Will Norris	d2fbdb005d	client/web: use CSP hash for inline javascript Calculate and set the hash of the one inline script we have in index.html. That script is unlikely to change, so hardcoding the hash seems fine for now. Updates #10261 Updates tailscale/corp#16266 Signed-off-by: Will Norris <will@tailscale.com>	7 months ago
Sonia Appasamy	bc9b9e8f69	client/web: restrict using an exit node on a couple more platforms Completed testing of the new UI on the existing platforms that use it. From testing, QNAP, Unraid, and Home Assistant (in addition to Synology) all do not play well with using an exit node. For now, we're disabling this setting from the UI. CLI should be updated to also disallow selection of an exit node from these platforms. All platforms still allow for advertising as an exit node. Co-authored-by: Will Norris <will@tailscale.com> Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	7 months ago
Mario Minardi	4e012794fc	client/web: add metric logging when viewing local / remote node (#10555 ) Add metric logging for the case where a user is viewing a local or remote node. Updates https://github.com/tailscale/tailscale/issues/10261 Signed-off-by: Mario Minardi <mario@tailscale.com>	7 months ago
Mario Minardi	763b9daa84	client/web: add visual indication for exit node pending approval (#10532 ) Add visual indication when running as an exit node prior to receiving admin approval. Updates https://github.com/tailscale/tailscale/issues/10261 Signed-off-by: Mario Minardi <mario@tailscale.com> Co-authored-by: Sonia Appasamy <sonia@tailscale.com>	7 months ago
Will Norris	970dc2a976	client/web: remove 'unsafe-inline' from CSP I seem to recall I needed this for things to work properly with the vite dev server, but that doesn't seem to be the case anymore? Everything seems to work fine without it. If we still have issues, we'll need to look into using a nonce or integrity attribute. Updates #10261 Fixes tailscale/corp#16266 Signed-off-by: Will Norris <will@tailscale.com>	7 months ago
Mario Minardi	109929d110	client/web: add endpoint for logging device detail click metric (#10505 ) Add an endpoint for logging the device detail click metric to allow for this metric to be logged without having a valid session which is the case when in readonly mode. Updates https://github.com/tailscale/tailscale/issues/10261 Signed-off-by: Mario Minardi <mario@tailscale.com>	7 months ago
Will Norris	5a2e6a6f7d	client/web: use Home Assistant's X-Ingress-Path header When running on Home Assistant, use the X-Ingress-Path header to set the URLPrefix that is passed to the frontend. Also fix handling of errNotUsingTailscale in the auth handler (previously it falling through to a later case and returning a 500). Instead, it's just a terminal state with no auth needed. Also disable SSH on Home Assistant, since it causes problems on startup and doesn't make much sense anyway for that platform. Updates #10261 Signed-off-by: Will Norris <will@tailscale.com>	7 months ago
Will Norris	69b56462fc	client/web: check content-type on PATCH requests Updates #10261 Fixes tailscale/corp#16267 Signed-off-by: Will Norris <will@tailscale.com>	7 months ago
Will Norris	c615fe2296	client/web: add security attributes on session cookie Limit cookies to HTTP requests (not accessible from javascript). Set SameSite to "Lax", which is similar to "Strict" but allows for cookies to be included in requests that come from offsite links. This will be necessary when we link to the web client from the admin console. Updates #10261 Fixes tailscale/corp#16265 Signed-off-by: Will Norris <will@tailscale.com>	7 months ago
Sonia Appasamy	261b6f1e9f	client/web: limit updates ui to unstable builds The updates view still needs a final design pass, limit to unstable track for now. Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	7 months ago
Will Norris	33de922d57	client/web: only enforce path prefix in CGI mode The client has changed a bit since we introduced the path prefix. It is now used for two things: - its original purpose, of ensuring that when the client is run in CGI mode at arbitrary paths, then relative paths for assets continue to work - we also now pass the path to the frontend and use wouter to manage routes for the various subpages of the client. When the client is run behind a reverse proxy (as it is in Home Assistant), it is common for the proxy to rewrite the request so that the backend application doesn't see the path it's being served at. In this case, we don't need to call enforcePrefix, since it's already stripped before it reaches us. However, wouter (or react router library) still sees the original path in the browser, and needs to know what part of it is the prefix that needs to be stripped off. We're handling this by now only calling enforcePrefix when run in CGI mode. For Home Assistant, or any other platform that runs the client behind a reverse proxy with a custom path, they will still need to pass the `-prefix` flag to `tailscale web`, but we will only use it for route handling in the frontend. Updates #10261 Signed-off-by: Will Norris <will@tailscale.com>	7 months ago
Sonia Appasamy	c2319f0dfa	client/web: fix serveAPIAuth in Login mode In Login mode, must first run system auth. But once authorized, should be able to reach rest of auth logic to check whether the user can manage the node. This results in showing/hiding the sign in button in the frontend login toggle. Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	7 months ago
Sonia Appasamy	7c172df791	client/web: fix 500 error after logout Calling DebugPacketFilterRules fails when the node is not logged in, which was causing 500 errors on the node data endpoint after logging the node out. Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	7 months ago
Mario Minardi	21958d2934	client/web: add logging of device management type for web client (#10492 ) Add logging of device management type for the web client auth flow. Namely, this differentiates between viewing a node you do not own, viewing a local tagged node, viewing a remote tagged node, managing a local node, and managing a remote node. Updates https://github.com/tailscale/tailscale/issues/10261 Signed-off-by: Mario Minardi <mario@tailscale.com>	7 months ago
Sonia Appasamy	ddb4b51122	client/web: always run platform auth for login mode Even if connected to the login client over tailscale, still check platform auth so the browser can obtain the tokens it needs to make platform requests complete successfully. Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	7 months ago
Sonia Appasamy	97f8577ad2	client/web: restructure api mutations into hook This commit makes some restructural changes to how we handle api posting from the web client frontend. Now that we're using SWR, we have less of a need for hooks like useNodeData that return a useSWR response alongside some mutation callbacks. SWR makes it easy to mutate throughout the UI without needing access to the original data state in order to reflect updates. So, we can fetch data without having to tie it to post callbacks that have to be passed around through components. In an effort to consolidate our posting endpoints, and make it easier to add more api handlers cleanly in the future, this change introduces a new `useAPI` hook that returns a single `api` callback that can make any changes from any component in the UI. The hook itself handles using SWR to mutate the relevant data keys, which get globally reflected throughout the UI. As a concurrent cleanup, node types are also moved to their own types.ts file, to consolidate data types across the app. Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	7 months ago
Sonia Appasamy	a95b3cbfa8	client/web: add copyable components throughout UI Updates the IP address on home view to open a copyable list of node addresses on click. And makes various values on the details view copyable text items, mirroring the machine admin panel table. As part of these changes, pulls the AddressCard, NiceIP and QuickCopy components from the admin panel, with the AddressCard slightly modified to avoid needing to also pull in the CommandLine component. A new toaster interface is also added, allowing us to display success and failure toasts throughout the UI. The toaster code is slightly modified from it's admin form to avoid the need for some excess libraries. Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	7 months ago
Mario Minardi	6b083a8ddf	client/web: add metric logging logic to the web client (#10434 ) Add metric logging logic for the web client frontend. This is an initial pass of adding the base logic, plus a single point where it is used for validation that the logging is working correctly. More metric logging calls will follow in subsquent PRs. Updates https://github.com/tailscale/tailscale/issues/10261 Signed-off-by: Mario Minardi <mario@tailscale.com>	7 months ago
Will Norris	f5989f317f	client/web: handle offline exit nodes If the currently selected exit node is offline, render the exit node selector in red with an error message. Update exit nodes in the dropdown to indicate if they are offline, and don't allow them to be selected. This also updates some older color values to use the new colors. Updates #10261 Signed-off-by: Will Norris <will@tailscale.com>	7 months ago
Will Norris	f9550e0bed	client/web: indicate if ACLs prevent access Use the packet filter rules to determine if any device is allowed to connect on port 5252. This does not check whether a specific device can connect (since we typically don't know the source device when this is used). Nor does it specifically check for wide-open ACLs, which is something we may provide a warning about in the future. Update the login popover content to display information when the src device is unable to connect to the dst device over its Tailscale IP. If we know it's an ACL issue, mention that, otherwise list a couple of things to check. In both cases, link to a placeholder URL to get more information about web client connection issues. Updates #10261 Signed-off-by: Will Norris <will@tailscale.com>	7 months ago
Sonia Appasamy	7a4ba609d9	client/web: show features based on platform support Hiding/disabling UI features when not available on the running client. Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	7 months ago
Sonia Appasamy	bcc9b44cb1	client/web: hide admin panel links for non-tailscale control servers Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	7 months ago
Sonia Appasamy	ecd1ccb917	client/web: add subnet routes view Add UI view for mutating the node's advertised subnet routes. Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	7 months ago
Sonia Appasamy	7aa981ba49	client/web: remove duplicate WhoIs call Fixes a TODO in web.authorizeRequest. `getSession` calls `WhoIs` already. Call `getSession` earlier in `authorizeRequest` so we can avoid the duplicate `WhoIs` check on the same request. Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	7 months ago
Will Norris	42dc843a87	client/web: add advanced login options This adds an expandable section of the login view to allow users to specify an auth key and an alternate control URL. Input and Collapsible components and accompanying styles were brought over from the adminpanel. Updates #10261 Signed-off-by: Will Norris <will@tailscale.com>	7 months ago
Sonia Appasamy	e75be017e4	client/web: add exit node selector Add exit node selector (in full management client only) that allows for advertising as an exit node, or selecting another exit node on the Tailnet for use. Updates #10261 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	7 months ago
Will Norris	f880c77df0	client/web: split login from nodeUpdate This creates a new /api/up endpoint which is exposed in the login client, and is solely focused on logging in. Login has been removed from the nodeUpdate endpoint. This also adds support in the LoginClientView for a stopped node that just needs to reconnect, but not necessarily reauthenticate. This follows the same pattern in `tailscale up` of just setting the WantRunning user pref. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	7 months ago
Sonia Appasamy	bd534b971a	{client/web},{ipn/ipnlocal}: replace localapi debug-web-client endpoint This change removes the existing debug-web-client localapi endpoint and replaces it with functions passed directly to the web.ServerOpts when constructing a web.ManageServerMode client. The debug-web-client endpoint previously handled making noise requests to the control server via the /machine/webclient/ endpoints. The noise requests must be made from tailscaled, which has the noise connection open. But, now that the full client is served from tailscaled, we no longer need to proxy this request over the localapi. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	7 months ago
Will Norris	d01fa857b1	client/web: allow login client to still run tailscale up I don't believe this has ever worked, since we didn't allow POST requests in the login client. But previously, we were primarily using the legacy client, so it didn't really matter. Now that we've removed the legacy client, we have no way to login. This fixes the login client, allowing it to login, but it still needs to be refactored to expose a dedicated login method, without exposing all the node update functionality. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	7 months ago
Sonia Appasamy	2dbd546766	client/web: remove DebugMode from GET /api/data No longer using this! Readonly state fully managed via auth endpoint. Also getting rid of old Legacy server mode. A #cleanup Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	7 months ago
Naman Sood	d5c460e83c	client/{tailscale,web}: add initial webUI frontend for self-updates (#10191 ) Updates #10187. Signed-off-by: Naman Sood <mail@nsood.in>	7 months ago
Sonia Appasamy	7c99a1763b	client/web: fix panic on logout Fix panic due to `CurrentTailnet` being nil. Fixes tailscale/corp#15791 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	7 months ago
Sonia Appasamy	c9bfb7c683	client/web: add Tailscale SSH view Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	7 months ago
Sonia Appasamy	86c8ab7502	client/web: add readonly/manage toggle Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Sonia Appasamy	d544e80fc1	client/web: populate device details view Fills /details page with real values, passed back from the /data endpoint. Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago
Will Norris	623f669239	client/web: pass URL prefix to frontend This allows wouter to route URLs properly when running in CGI mode. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Will Norris	e537d304ef	client/web: relax CSP restrictions for manage client Don't return CSP headers in dev mode, since that includes a bunch of extra things like the vite server. Allow images from any source, which is needed to load user profile images. Allow 'unsafe-inline' for various inline scripts and style react uses. We can eliminate this by using CSP nonce or hash values, but we'll need to look into the best way to handle that. There appear to be several react plugins for this, but I haven't evaluated any of them. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Will Norris	a05ab9f3bc	client/web: check r.Host rather than r.URL.Host r.URL.Host is not typically populated on server requests. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Will Norris	6b956b49e0	client/web: add some security checks for full client Require that requests to servers in manage mode are made to the Tailscale IP (either ipv4 or ipv6) or quad-100. Also set various security headers on those responses. These might be too restrictive, but we can relax them as needed. Allow requests to /ok (even in manage mode) with no checks. This will be used for the connectivity check from a login client to see if the management client is reachable. Updates tailscale/corp#14335 Signed-off-by: Will Norris <will@tailscale.com>	8 months ago
Sonia Appasamy	e5dcf7bdde	client/web: move auth session creation out of /api/auth Splits auth session creation into two new endpoints: /api/auth/session/new - to request a new auth session /api/auth/session/wait - to block until user has completed auth url Updates tailscale/corp#14335 Signed-off-by: Sonia Appasamy <sonia@tailscale.com>	8 months ago

1 2

99 Commits (6831a29f8b9344653aed841543f9bb3e73285b0b)