Merge pull request #657 from SuperKumKum/feat/tailscale-login

feat(tailscale): add login/authentication support with custom login server

Author: spiros132

tailscale/BarWidget.qml

@@ -89,13 +89,20 @@ Item {
     id: contextMenu
 
     model: [
+      {
+        "label": pluginApi?.tr("context.login"),
+        "action": "login",
+        "icon": "login",
+        "visible": mainInstance?.needsLogin ?? false
+      },
       {
         "label": (mainInstance?.tailscaleRunning ?? false)
           ? pluginApi?.tr("context.disconnect")
           : pluginApi?.tr("context.connect"),
         "action": "toggle-tailscale",
         "icon": (mainInstance?.tailscaleRunning ?? false) ? "plug-x" : "plug",
-        "enabled": mainInstance?.tailscaleInstalled ?? false
+        "enabled": mainInstance?.tailscaleInstalled ?? false,
+        "visible": !(mainInstance?.needsLogin ?? false)
       },
       {
         "label": pluginApi?.tr("actions.widget-settings"),
@@ -114,6 +121,10 @@ Item {
         if (mainInstance) {
           mainInstance.toggleTailscale()
         }
+      } else if (action === "login") {
+        if (mainInstance) {
+          mainInstance.loginTailscale()
+        }
       }
     }
   }

tailscale/Main.qml

@@ -55,6 +55,8 @@ Item {
   property bool tailscaleRunning: false
   property string tailscaleIp: ""
   property string tailscaleStatus: ""
+  property bool needsLogin: false
+  property string authUrl: ""
   property int peerCount: 0
   property bool isRefreshing: false
   property string lastToggleAction: ""
@@ -160,10 +162,35 @@ Item {
         try {
           var data = JSON.parse(stdout);
           root.tailscaleRunning = data.BackendState === "Running";
+          root.needsLogin = data.BackendState === "NeedsLogin";
 
-          if (root.tailscaleRunning && data.Self && data.Self.TailscaleIPs && data.Self.TailscaleIPs.length > 0) {
+          if (root.needsLogin) {
+            root.tailscaleIp = "";
+            root.tailscaleStatus = "NeedsLogin";
+            root.peerCount = 0;
+            root._realPeerList = [];
+            root.exitNodeStatus = null;
+            // Capture the pending authentication URL exposed by the daemon.
+            var newAuthUrl = data.AuthURL || "";
+            root.authUrl = newAuthUrl;
+            // If a login attempt is in progress and the daemon has surfaced a
+            // URL that differs from the one cached at click-time, it means the
+            // URL was regenerated (fresh) — open it immediately.
+            if (root._loginInProgress
+                && !root._loginUrlOpened
+                && newAuthUrl.length > 0
+                && newAuthUrl !== root._preLoginAuthUrl) {
+              root._openAuthUrl(newAuthUrl);
+            }
+          } else if (root.tailscaleRunning && data.Self && data.Self.TailscaleIPs && data.Self.TailscaleIPs.length > 0) {
             root.tailscaleIp = filterIPv4(data.Self.TailscaleIPs)[0] || data.Self.TailscaleIPs[0];
             root.tailscaleStatus = "Connected";
+            root.authUrl = "";
+            // Login flow settled — reset flags so the next attempt starts clean
+            root._loginInProgress = false;
+            root._loginUrlOpened = false;
+            root._preLoginAuthUrl = "";
+            loginTimeoutTimer.stop();
 
             var peers = [];
             if (data.Peer) {
@@ -201,19 +228,24 @@ Item {
             root.peerCount = 0;
             root._realPeerList = [];
             root.exitNodeStatus = null;
+            root.authUrl = "";
           }
         } catch (e) {
           Logger.e("Tailscale", "Failed to parse status: " + e);
           root.tailscaleRunning = false;
+          root.needsLogin = false;
           root.tailscaleStatus = "Error";
           root._realPeerList = [];
+          root.authUrl = "";
         }
       } else {
         root.tailscaleRunning = false;
+        root.needsLogin = false;
         root.tailscaleStatus = "Disconnected";
         root.tailscaleIp = "";
         root.peerCount = 0;
         root._realPeerList = [];
+        root.authUrl = "";
       }
     }
   }
@@ -243,6 +275,95 @@ Item {
 
   property string lastExitNodeAction: ""
 
+  // ─── Login flow state ────────────────────────────────────────────────────
+  // A login attempt is tracked across two asynchronous sources that may deliver
+  // a fresh AuthURL: (1) stdout/stderr of `tailscale up` and (2) the periodic
+  // `tailscale status --json` poll. Whichever arrives first wins; the other is
+  // deduped via `_loginUrlOpened`.
+  property bool _loginUrlOpened: false
+  property bool _loginInProgress: false
+  // Snapshot of authUrl taken at click-time. Used to detect when the daemon
+  // has regenerated the URL so we never open a stale/expired one.
+  property string _preLoginAuthUrl: ""
+
+  /**
+   * Open an authentication URL in the default browser, with anti-double-open
+   * protection. Resets login-flow state.
+   *
+   * @param {string} url Authentication URL to open
+   */
+  function _openAuthUrl(url) {
+    if (root._loginUrlOpened) return;
+    if (!url || url.length === 0) return;
+    root._loginUrlOpened = true;
+    root._loginInProgress = false;
+    loginTimeoutTimer.stop();
+    Logger.d("Tailscale", "Opening auth URL: " + url);
+    Qt.openUrlExternally(url);
+    ToastService.showNotice(
+      pluginApi?.tr("toast.title"),
+      pluginApi?.tr("toast.login-browser-opened"),
+      "external-link"
+    );
+  }
+
+  // Safety net: if no fresh AuthURL surfaces within 10s after a login click,
+  // either open whatever is cached (best effort) or show an error toast.
+  Timer {
+    id: loginTimeoutTimer
+    interval: 10000
+    repeat: false
+    onTriggered: {
+      if (!root._loginInProgress || root._loginUrlOpened) return;
+      root._loginInProgress = false;
+      Logger.w("Tailscale", "Login timeout: no fresh AuthURL received within 10s");
+      if (root.authUrl && root.authUrl.length > 0) {
+        // Last resort: open the cached URL (may be the stale one)
+        Logger.w("Tailscale", "Falling back to cached (possibly stale) AuthURL");
+        root._openAuthUrl(root.authUrl);
+      } else {
+        ToastService.showError(
+          pluginApi?.tr("toast.title"),
+          pluginApi?.tr("toast.login-failed"),
+          "alert-circle"
+        );
+      }
+    }
+  }
+
+  Process {
+    id: loginProcess
+
+    function _handleLine(data) {
+      if (root._loginUrlOpened) return;
+      var line = data.trim();
+      Logger.d("Tailscale", "Login output: " + line);
+      var urlMatch = line.match(/https?:\/\/\S+/);
+      if (urlMatch) {
+        root._openAuthUrl(urlMatch[0]);
+      }
+    }
+
+    stdout: SplitParser {
+      onRead: data => loginProcess._handleLine(data)
+    }
+
+    stderr: SplitParser {
+      onRead: data => loginProcess._handleLine(data)
+    }
+
+    onExited: function (exitCode, exitStatus) {
+      Logger.d("Tailscale", "Login exited (code " + exitCode + "), urlOpened=" + root._loginUrlOpened);
+      if (exitCode !== 0 && !root._loginUrlOpened) {
+        Logger.e("Tailscale", "tailscale up failed (exit " + exitCode + "), waiting on status poll for fresh AuthURL");
+      }
+      // Do NOT reset _loginUrlOpened here — the status poll may still deliver
+      // the fresh URL after process exit. The flag is reset by _openAuthUrl
+      // and by the login-state transitions in statusProcess.
+      statusDelayTimer.start();
+    }
+  }
+
   // ─── Taildrop state ──────────────────────────────────────────────────────
 
   // Possible values: "idle", "receiving", "sending", "error"
@@ -462,6 +583,7 @@ Item {
   function updateTailscaleStatus() {
     if (!root.tailscaleInstalled) {
       root.tailscaleRunning = false;
+      root.needsLogin = false;
       root.tailscaleIp = "";
       root.tailscaleStatus = "Not installed";
       root.peerCount = 0;
@@ -487,6 +609,48 @@ Item {
     toggleProcess.running = true;
   }
 
+  /**
+   * Trigger the Tailscale authentication flow.
+   *
+   * @description
+   * Always runs `tailscale up --force-reauth` to force the daemon to generate
+   * a fresh AuthURL (any cached one may be expired). The fresh URL is then
+   * opened from whichever channel delivers it first:
+   *  - stdout/stderr of `tailscale up` (parsed by loginProcess)
+   *  - the next `tailscale status --json` poll (via statusProcess)
+   * Deduped through `_openAuthUrl` / `_loginUrlOpened`.
+   *
+   * Guard: no-op when not in NeedsLogin state to avoid disconnecting an
+   * already-authenticated session.
+   */
+  function loginTailscale() {
+    if (!root.tailscaleInstalled)
+      return;
+    if (!root.needsLogin) {
+      Logger.w("Tailscale", "Login requested but backend is not in NeedsLogin state — ignoring");
+      return;
+    }
+
+    // Start a fresh login attempt
+    root._loginInProgress = true;
+    root._loginUrlOpened = false;
+    root._preLoginAuthUrl = root.authUrl;
+
+    // --force-reauth forces the daemon to regenerate the AuthURL even if a
+    // (possibly expired) one is still cached in its session state.
+    var loginServer = pluginApi?.pluginSettings?.loginServer || "";
+    var cmd = ["tailscale", "up", "--accept-routes", "--force-reauth"];
+    if (loginServer.trim() !== "") {
+      cmd.push("--login-server=" + loginServer.trim());
+    }
+    loginProcess.command = cmd;
+    loginProcess.running = true;
+
+    // Arm the safety-net timeout and kick an early status refresh
+    loginTimeoutTimer.restart();
+    statusDelayTimer.start();
+  }
+
   Timer {
     id: updateTimer
     interval: refreshInterval
@@ -526,14 +690,19 @@ Item {
         "running": root.tailscaleRunning,
         "ip": root.tailscaleIp,
         "status": root.tailscaleStatus,
-        "peers": root.peerCount
+        "peers": root.peerCount,
+        "needsLogin": root.needsLogin
       };
     }
 
     function refresh() {
       updateTailscaleStatus();
     }
 
+    function login() {
+      loginTailscale();
+    }
+
     // Taildrop IPC: qs ipc call plugin:tailscale receive
     function receive() {
       startTaildropReceive();

tailscale/Panel.qml

@@ -355,7 +355,7 @@ Item {
             NText {
               text: mainInstance?.tailscaleRunning
                 ? (mainInstance?.peerList?.length || 0) + " " + (pluginApi?.tr("panel.peers"))
-                : pluginApi?.tr("panel.not-connected")
+                : (mainInstance?.needsLogin ? pluginApi?.tr("panel.not-authenticated") : pluginApi?.tr("panel.not-connected"))
               pointSize: Style.fontSizeS
               color: Color.mOnSurfaceVariant
             }
@@ -642,7 +642,23 @@ Item {
 
       NButton {
         Layout.fillWidth: true
-        text: mainInstance?.tailscaleRunning 
+        visible: mainInstance?.needsLogin ?? false
+        text: pluginApi?.tr("context.login")
+        icon: "login"
+        backgroundColor: Color.mPrimary
+        textColor: Color.mOnPrimary
+        enabled: mainInstance?.tailscaleInstalled ?? false
+        onClicked: {
+          if (mainInstance) {
+            mainInstance.loginTailscale()
+          }
+        }
+      }
+
+      NButton {
+        Layout.fillWidth: true
+        visible: !(mainInstance?.needsLogin ?? false)
+        text: mainInstance?.tailscaleRunning
           ? pluginApi?.tr("context.disconnect")
           : pluginApi?.tr("context.connect")
         icon: mainInstance?.tailscaleRunning ? "plug-x" : "plug"

tailscale/README.md

@@ -72,6 +72,7 @@ Right-click any online peer in the panel and choose **Send File**. A file picker
 | `taildropEnabled` | `true` | Enable Taildrop send/receive. When false, hides the Receive button and Send File option. |
 | `taildropDownloadDir` | `"~/Downloads"` | Directory where received files are saved |
 | `taildropReceiveMode` | `"operator"` | Taildrop receive mode: `operator` or `pkexec` |
+| `loginServer` | `""` | Custom login server URL (e.g. Headscale). Leave empty for default Tailscale. |
 
 ## IPC Commands
 
@@ -90,6 +91,7 @@ qs -c noctalia-shell ipc call plugin:tailscale <command>
 | `togglePanel` | Toggle Tailscale panel | `qs -c noctalia-shell ipc call plugin:tailscale togglePanel` |
 | `status` | Get current Tailscale status | `qs -c noctalia-shell ipc call plugin:tailscale status` |
 | `refresh` | Force refresh Tailscale status | `qs -c noctalia-shell ipc call plugin:tailscale refresh` |
+| `login` | Trigger Tailscale login (opens browser) | `qs -c noctalia-shell ipc call plugin:tailscale login` |
 | `receive` | Fetch any pending Taildrop files | `qs -c noctalia-shell ipc call plugin:tailscale receive` |
 
 ## Usage

tailscale/Settings.qml

@@ -75,6 +75,11 @@ ColumnLayout {
     pluginApi?.manifest?.metadata?.defaultSettings?.taildropReceiveMode ||
     "operator"
 
+  property string editLoginServer:
+    pluginApi?.pluginSettings?.loginServer ||
+    pluginApi?.manifest?.metadata?.defaultSettings?.loginServer ||
+    ""
+
   spacing: Style.marginM
 
   // Title section
@@ -185,6 +190,26 @@ ColumnLayout {
     onToggled: checked => root.editHideMullvadExitNodes = checked
   }
 
+  // Authentication section
+  NDivider {
+    Layout.fillWidth: true
+    Layout.topMargin: Style.marginM
+    Layout.bottomMargin: Style.marginM
+  }
+
+  NLabel {
+    label: pluginApi?.tr("settings.authentication")
+  }
+
+  NTextInput {
+    Layout.fillWidth: true
+    label: pluginApi?.tr("settings.login-server")
+    description: pluginApi?.tr("settings.login-server-desc")
+    placeholderText: "https://login.tailscale.com"
+    text: root.editLoginServer
+    onTextChanged: root.editLoginServer = text
+  }
+
   // Terminal section
   NDivider {
     Layout.fillWidth: true
@@ -316,6 +341,7 @@ ColumnLayout {
     pluginApi.pluginSettings.taildropEnabled = root.editTaildropEnabled
     pluginApi.pluginSettings.taildropDownloadDir = root.editTaildropDownloadDir
     pluginApi.pluginSettings.taildropReceiveMode = root.editTaildropReceiveMode
+    pluginApi.pluginSettings.loginServer = root.editLoginServer
 
     pluginApi.saveSettings()