fix(tailscale): better handling of auth URL

cgossiaux · cgossiaux · commit 17728a216f98 · 2026-04-15T17:40:24.000+02:00
diff --git a/tailscale/Main.qml b/tailscale/Main.qml
@@ -56,6 +56,7 @@ Item {
   property string tailscaleIp: ""
   property string tailscaleStatus: ""
   property bool needsLogin: false
+  property string authUrl: ""
   property int peerCount: 0
   property bool isRefreshing: false
   property string lastToggleAction: ""
@@ -162,9 +163,27 @@ Item {
             root.peerCount = 0;
             root._realPeerList = [];
             root.exitNodeStatus = null;
+            // Capture the pending authentication URL exposed by the daemon.
+            var newAuthUrl = data.AuthURL || "";
+            root.authUrl = newAuthUrl;
+            // If a login attempt is in progress and the daemon has surfaced a
+            // URL that differs from the one cached at click-time, it means the
+            // URL was regenerated (fresh) — open it immediately.
+            if (root._loginInProgress
+                && !root._loginUrlOpened
+                && newAuthUrl.length > 0
+                && newAuthUrl !== root._preLoginAuthUrl) {
+              root._openAuthUrl(newAuthUrl);
+            }
           } else if (root.tailscaleRunning && data.Self && data.Self.TailscaleIPs && data.Self.TailscaleIPs.length > 0) {
             root.tailscaleIp = filterIPv4(data.Self.TailscaleIPs)[0] || data.Self.TailscaleIPs[0];
             root.tailscaleStatus = "Connected";
+            root.authUrl = "";
+            // Login flow settled — reset flags so the next attempt starts clean
+            root._loginInProgress = false;
+            root._loginUrlOpened = false;
+            root._preLoginAuthUrl = "";
+            loginTimeoutTimer.stop();
 
             var peers = [];
             if (data.Peer) {
@@ -202,13 +221,15 @@ Item {
             root.peerCount = 0;
             root._realPeerList = [];
             root.exitNodeStatus = null;
+            root.authUrl = "";
           }
         } catch (e) {
           Logger.e("Tailscale", "Failed to parse status: " + e);
           root.tailscaleRunning = false;
           root.needsLogin = false;
           root.tailscaleStatus = "Error";
           root._realPeerList = [];
+          root.authUrl = "";
         }
       } else {
         root.tailscaleRunning = false;
@@ -217,6 +238,7 @@ Item {
         root.tailscaleIp = "";
         root.peerCount = 0;
         root._realPeerList = [];
+        root.authUrl = "";
       }
     }
   }
@@ -246,7 +268,61 @@ Item {
 
   property string lastExitNodeAction: ""
 
+  // ─── Login flow state ────────────────────────────────────────────────────
+  // A login attempt is tracked across two asynchronous sources that may deliver
+  // a fresh AuthURL: (1) stdout/stderr of `tailscale up` and (2) the periodic
+  // `tailscale status --json` poll. Whichever arrives first wins; the other is
+  // deduped via `_loginUrlOpened`.
   property bool _loginUrlOpened: false
+  property bool _loginInProgress: false
+  // Snapshot of authUrl taken at click-time. Used to detect when the daemon
+  // has regenerated the URL so we never open a stale/expired one.
+  property string _preLoginAuthUrl: ""
+
+  /**
+   * Open an authentication URL in the default browser, with anti-double-open
+   * protection. Resets login-flow state.
+   *
+   * @param {string} url Authentication URL to open
+   */
+  function _openAuthUrl(url) {
+    if (root._loginUrlOpened) return;
+    if (!url || url.length === 0) return;
+    root._loginUrlOpened = true;
+    root._loginInProgress = false;
+    loginTimeoutTimer.stop();
+    Logger.d("Tailscale", "Opening auth URL: " + url);
+    Qt.openUrlExternally(url);
+    ToastService.showNotice(
+      pluginApi?.tr("toast.title"),
+      pluginApi?.tr("toast.login-browser-opened"),
+      "external-link"
+    );
+  }
+
+  // Safety net: if no fresh AuthURL surfaces within 10s after a login click,
+  // either open whatever is cached (best effort) or show an error toast.
+  Timer {
+    id: loginTimeoutTimer
+    interval: 10000
+    repeat: false
+    onTriggered: {
+      if (!root._loginInProgress || root._loginUrlOpened) return;
+      root._loginInProgress = false;
+      Logger.w("Tailscale", "Login timeout: no fresh AuthURL received within 10s");
+      if (root.authUrl && root.authUrl.length > 0) {
+        // Last resort: open the cached URL (may be the stale one)
+        Logger.w("Tailscale", "Falling back to cached (possibly stale) AuthURL");
+        root._openAuthUrl(root.authUrl);
+      } else {
+        ToastService.showError(
+          pluginApi?.tr("toast.title"),
+          pluginApi?.tr("toast.login-failed"),
+          "alert-circle"
+        );
+      }
+    }
+  }
 
   Process {
     id: loginProcess
@@ -257,13 +333,7 @@ Item {
       Logger.d("Tailscale", "Login output: " + line);
       var urlMatch = line.match(/https?:\/\/\S+/);
       if (urlMatch) {
-        root._loginUrlOpened = true;
-        Qt.openUrlExternally(urlMatch[0]);
-        ToastService.showNotice(
-          pluginApi?.tr("toast.title"),
-          pluginApi?.tr("toast.login-browser-opened"),
-          "external-link"
-        );
+        root._openAuthUrl(urlMatch[0]);
       }
     }
 
@@ -278,14 +348,11 @@ Item {
     onExited: function (exitCode, exitStatus) {
       Logger.d("Tailscale", "Login exited (code " + exitCode + "), urlOpened=" + root._loginUrlOpened);
       if (exitCode !== 0 && !root._loginUrlOpened) {
-        ToastService.showError(
-          pluginApi?.tr("toast.title"),
-          pluginApi?.tr("toast.login-failed"),
-          "alert-circle"
-        );
-        Logger.e("Tailscale", "Login failed (exit " + exitCode + ")");
+        Logger.e("Tailscale", "tailscale up failed (exit " + exitCode + "), waiting on status poll for fresh AuthURL");
       }
-      root._loginUrlOpened = false;
+      // Do NOT reset _loginUrlOpened here — the status poll may still deliver
+      // the fresh URL after process exit. The flag is reset by _openAuthUrl
+      // and by the login-state transitions in statusProcess.
       statusDelayTimer.start();
     }
   }
@@ -535,16 +602,46 @@ Item {
     toggleProcess.running = true;
   }
 
+  /**
+   * Trigger the Tailscale authentication flow.
+   *
+   * @description
+   * Always runs `tailscale up --force-reauth` to force the daemon to generate
+   * a fresh AuthURL (any cached one may be expired). The fresh URL is then
+   * opened from whichever channel delivers it first:
+   *  - stdout/stderr of `tailscale up` (parsed by loginProcess)
+   *  - the next `tailscale status --json` poll (via statusProcess)
+   * Deduped through `_openAuthUrl` / `_loginUrlOpened`.
+   *
+   * Guard: no-op when not in NeedsLogin state to avoid disconnecting an
+   * already-authenticated session.
+   */
   function loginTailscale() {
     if (!root.tailscaleInstalled)
       return;
+    if (!root.needsLogin) {
+      Logger.w("Tailscale", "Login requested but backend is not in NeedsLogin state — ignoring");
+      return;
+    }
+
+    // Start a fresh login attempt
+    root._loginInProgress = true;
+    root._loginUrlOpened = false;
+    root._preLoginAuthUrl = root.authUrl;
+
+    // --force-reauth forces the daemon to regenerate the AuthURL even if a
+    // (possibly expired) one is still cached in its session state.
     var loginServer = pluginApi?.pluginSettings?.loginServer || "";
-    var cmd = ["tailscale", "up", "--accept-routes"];
+    var cmd = ["tailscale", "up", "--accept-routes", "--force-reauth"];
     if (loginServer.trim() !== "") {
       cmd.push("--login-server=" + loginServer.trim());
     }
     loginProcess.command = cmd;
     loginProcess.running = true;
+
+    // Arm the safety-net timeout and kick an early status refresh
+    loginTimeoutTimer.restart();
+    statusDelayTimer.start();
   }
 
   Timer {
