search

juanfont / headscale

An open source, self-hosted implementation of the Tailscale control server
BSD 3-Clause "New" or "Revised" License
22.46k stars 1.24k forks source link

Add support for web client check mode #1623

Closed willnorris closed 2 weeks ago

willnorris commented 10 months ago

The Tailscale web client (the one you get by running tailscale web), is currently getting a complete overhaul, bringing it more-or-less on par with the native clients. Because it exposes much more functionality than the old client, we are adding an additional auth flow which is effectively identical to SSH check mode, but tied to specific browser sessions. In order to make changes via a device's web client, the user has to have an active session that has authenticated with the control server.

For launch, we are only going to enforce check mode when using a "tailscale.com" control server, and just not require it otherwise. I'm opening this as a tracking bug for adding support in headscale so that we can use check mode with headscale as well. (Maybe we should allow the control server to advertise support, so then we only require it with newer headscale versions? We'll see)

Web client source: https://github.com/tailscale/tailscale/tree/main/client/web Machine API calls to control server can be seen in doWebClientNoiseRequest of https://github.com/tailscale/tailscale/blob/main/ipn/ipnlocal/web_client.go

github-actions[bot] commented 7 months ago

This issue is stale because it has been open for 90 days with no activity.

juanfont commented 6 months ago

@willnorris hey Will, I am looking into this. Thanks for opening the issue!

Maybe we should allow the control server to advertise support

For the clients, we are pretty familiar with CapVer. But I am not aware -and cannot find it anywhere- an equivalent facility for the Control Server to announce its capabilities (e.g., supports tailnet lock, or this one on the check mode...). Am I missing something?

willnorris commented 6 months ago

No, that was just an idea we had. We never ended up implementing it.

github-actions[bot] commented 3 months ago

This issue is stale because it has been open for 90 days with no activity.

github-actions[bot] commented 3 weeks ago

This issue is stale because it has been open for 90 days with no activity.

github-actions[bot] commented 2 weeks ago

This issue was closed because it has been inactive for 14 days since being marked as stale.