From 4d86c112dcb5dd7ad6d2213f70ceb27922e4bd73 Mon Sep 17 00:00:00 2001
From: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com>
Date: Wed, 4 Dec 2024 09:51:44 +0100
Subject: [PATCH 01/11] Add `AddMetadataToRetryableError` to
 `AuthenticateWebDevice`

---
 lib/teleterm/daemon/daemon.go | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/lib/teleterm/daemon/daemon.go b/lib/teleterm/daemon/daemon.go
index 19724daceb6b3..13f12f4dfa253 100644
--- a/lib/teleterm/daemon/daemon.go
+++ b/lib/teleterm/daemon/daemon.go
@@ -1131,10 +1131,14 @@ func (s *Service) AuthenticateWebDevice(ctx context.Context, rootClusterURI uri.
 	}
 	devicesClient := proxyClient.CurrentCluster().DevicesClient()
 
-	ceremony := dtauthn.NewCeremony()
-	confirmationToken, err := ceremony.RunWeb(ctx, devicesClient, &devicepb.DeviceWebToken{
-		Id:    req.DeviceWebToken.Id,
-		Token: req.DeviceWebToken.Token,
+	var confirmationToken *devicepb.DeviceConfirmationToken
+	err = clusters.AddMetadataToRetryableError(ctx, func() error {
+		ceremony := dtauthn.NewCeremony()
+		confirmationToken, err = ceremony.RunWeb(ctx, devicesClient, &devicepb.DeviceWebToken{
+			Id:    req.DeviceWebToken.Id,
+			Token: req.DeviceWebToken.Token,
+		})
+		return trace.Wrap(err)
 	})
 	if err != nil {
 		return nil, trace.Wrap(err)

From 76fd02d429a6c311a760cbd73de575df6fc92fc2 Mon Sep 17 00:00:00 2001
From: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com>
Date: Wed, 4 Dec 2024 09:53:23 +0100
Subject: [PATCH 02/11] Add a document for web session authorization

---
 .../src/services/tshd/fixtures/mocks.ts       |   8 +-
 .../DocumentAuthorizeWebSession.story.tsx     |  90 +++++++++
 .../DocumentAuthorizeWebSession.test.tsx      | 105 ++++++++++
 .../DocumentAuthorizeWebSession.tsx           | 188 ++++++++++++++++++
 .../ui/DocumentAuthorizeWebSession/index.ts   |  19 ++
 .../src/ui/Documents/DocumentsRenderer.tsx    |   3 +
 .../documentsService/documentsService.ts      |  17 ++
 .../documentsService/documentsUtils.ts        |   2 +
 .../documentsService/types.ts                 |  22 +-
 .../workspacesService/workspacesService.ts    |   9 +-
 10 files changed, 460 insertions(+), 3 deletions(-)
 create mode 100644 web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.story.tsx
 create mode 100644 web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.test.tsx
 create mode 100644 web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.tsx
 create mode 100644 web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/index.ts

diff --git a/web/packages/teleterm/src/services/tshd/fixtures/mocks.ts b/web/packages/teleterm/src/services/tshd/fixtures/mocks.ts
index 8696b36ee532d..8d0fa6999711d 100644
--- a/web/packages/teleterm/src/services/tshd/fixtures/mocks.ts
+++ b/web/packages/teleterm/src/services/tshd/fixtures/mocks.ts
@@ -101,7 +101,13 @@ export class MockTshClient implements TshdClient {
   getSuggestedAccessLists = () => new MockedUnaryCall({ accessLists: [] });
   promoteAccessRequest = () => new MockedUnaryCall({});
   updateTshdEventsServerAddress = () => new MockedUnaryCall({});
-  authenticateWebDevice = () => new MockedUnaryCall({});
+  authenticateWebDevice = () =>
+    new MockedUnaryCall({
+      confirmationToken: {
+        id: '123456789',
+        token: '7c8e7438-abe1-4cbc-b3e6-bd233bba967c',
+      },
+    });
   startHeadlessWatcher = () => new MockedUnaryCall({});
 }
 
diff --git a/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.story.tsx b/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.story.tsx
new file mode 100644
index 0000000000000..7b697092f7c62
--- /dev/null
+++ b/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.story.tsx
@@ -0,0 +1,90 @@
+/**
+ * Teleport
+ * Copyright (C) 2024 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+import { wait } from 'shared/utils/wait';
+
+import { MockAppContextProvider } from 'teleterm/ui/fixtures/MockAppContextProvider';
+import {
+  makeRootCluster,
+  makeLoggedInUser,
+  rootClusterUri,
+} from 'teleterm/services/tshd/testHelpers';
+import { MockAppContext } from 'teleterm/ui/fixtures/mocks';
+import { MockWorkspaceContextProvider } from 'teleterm/ui/fixtures/MockWorkspaceContextProvider';
+import * as types from 'teleterm/ui/services/workspacesService';
+import { MockedUnaryCall } from 'teleterm/services/tshd/cloneableClient';
+
+import { DocumentAuthorizeWebSession } from './DocumentAuthorizeWebSession';
+
+export default {
+  title: 'Teleterm/DocumentAuthorizeWebSession',
+};
+
+const doc: types.DocumentAuthorizeWebSession = {
+  uri: '/docs/e2hyt5',
+  rootClusterUri: rootClusterUri,
+  kind: 'doc.authorize_web_session',
+  title: 'Authorize Web Session',
+  webSessionRequest: {
+    redirectUri: '',
+    token: '',
+    id: '',
+  },
+};
+
+export function DeviceNotTrusted() {
+  const rootCluster = makeRootCluster();
+  const appContext = new MockAppContext();
+  appContext.clustersService.setState(draftState => {
+    draftState.clusters.set(rootCluster.uri, rootCluster);
+  });
+  return (
+    <MockAppContextProvider appContext={appContext}>
+      <MockWorkspaceContextProvider rootClusterUri={rootCluster.uri}>
+        <DocumentAuthorizeWebSession doc={doc} visible={true} />
+      </MockWorkspaceContextProvider>
+    </MockAppContextProvider>
+  );
+}
+
+export function DeviceTrusted() {
+  const rootCluster = makeRootCluster({
+    loggedInUser: makeLoggedInUser({ isDeviceTrusted: true }),
+  });
+  const appContext = new MockAppContext();
+  appContext.clustersService.setState(draftState => {
+    draftState.clusters.set(rootCluster.uri, rootCluster);
+  });
+  appContext.clustersService.authenticateWebDevice = async () => {
+    await wait(2_000);
+    return new MockedUnaryCall({
+      confirmationToken: {
+        id: '123456789',
+        token: '7c8e7438-abe1-4cbc-b3e6-bd233bba967c',
+      },
+    });
+  };
+
+  return (
+    <MockAppContextProvider appContext={appContext}>
+      <MockWorkspaceContextProvider rootClusterUri={rootCluster.uri}>
+        <DocumentAuthorizeWebSession doc={doc} visible={true} />
+      </MockWorkspaceContextProvider>
+    </MockAppContextProvider>
+  );
+}
diff --git a/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.test.tsx b/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.test.tsx
new file mode 100644
index 0000000000000..c06ff109ff93c
--- /dev/null
+++ b/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.test.tsx
@@ -0,0 +1,105 @@
+/**
+ * Teleport
+ * Copyright (C) 2024 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+import { render, screen } from 'design/utils/testing';
+import userEvent from '@testing-library/user-event';
+
+import { MockAppContextProvider } from 'teleterm/ui/fixtures/MockAppContextProvider';
+import { MockWorkspaceContextProvider } from 'teleterm/ui/fixtures/MockWorkspaceContextProvider';
+import {
+  makeRootCluster,
+  makeLoggedInUser,
+  rootClusterUri,
+} from 'teleterm/services/tshd/testHelpers';
+import * as types from 'teleterm/ui/services/workspacesService';
+import { MockAppContext } from 'teleterm/ui/fixtures/mocks';
+
+import { DocumentAuthorizeWebSession } from './DocumentAuthorizeWebSession';
+
+const doc: types.DocumentAuthorizeWebSession = {
+  uri: '/docs/e2hyt5',
+  rootClusterUri: rootClusterUri,
+  kind: 'doc.authorize_web_session',
+  title: 'Authorize Web Session',
+  webSessionRequest: {
+    redirectUri: '',
+    token: '',
+    id: '',
+  },
+};
+
+test('authorize button is disabled when device is not trusted', async () => {
+  const rootCluster = makeRootCluster({
+    loggedInUser: makeLoggedInUser({ isDeviceTrusted: false }),
+  });
+  const appContext = new MockAppContext();
+  appContext.clustersService.setState(draftState => {
+    draftState.clusters.set(rootCluster.uri, rootCluster);
+  });
+
+  render(
+    <MockAppContextProvider appContext={appContext}>
+      <MockWorkspaceContextProvider rootClusterUri={rootCluster.uri}>
+        <DocumentAuthorizeWebSession doc={doc} visible={true} />
+      </MockWorkspaceContextProvider>
+    </MockAppContextProvider>
+  );
+
+  expect(await screen.findByText(/This device is not trusted/)).toBeVisible();
+  expect(await screen.findByText(/Authorize Session/)).toBeDisabled();
+});
+
+test('authorizing a session opens its URL and closes document', async () => {
+  jest.spyOn(window, 'open').mockImplementation();
+  const rootCluster = makeRootCluster({
+    loggedInUser: makeLoggedInUser({ isDeviceTrusted: true }),
+  });
+  const appContext = new MockAppContext();
+  appContext.clustersService.setState(draftState => {
+    draftState.clusters.set(rootCluster.uri, rootCluster);
+  });
+  appContext.workspacesService.setState(draftState => {
+    draftState.workspaces[rootCluster.uri] = {
+      localClusterUri: rootCluster.uri,
+      documents: [doc],
+      location: undefined,
+      accessRequests: undefined,
+    };
+  });
+
+  render(
+    <MockAppContextProvider appContext={appContext}>
+      <MockWorkspaceContextProvider rootClusterUri={rootCluster.uri}>
+        <DocumentAuthorizeWebSession doc={doc} visible={true} />
+      </MockWorkspaceContextProvider>
+    </MockAppContextProvider>
+  );
+
+  const button = await screen.findByText(/Authorize Session/);
+  await userEvent.click(button);
+
+  expect(await screen.findByText(/Session Authorized/)).toBeVisible();
+  expect(window.open).toHaveBeenCalledWith(
+    'https://teleport-local:3080/webapi/devices/webconfirm?id=123456789&token=7c8e7438-abe1-4cbc-b3e6-bd233bba967c'
+  );
+  expect(
+    appContext.workspacesService
+      .getWorkspaceDocumentService(rootCluster.uri)
+      .getDocuments()
+  ).toHaveLength(0);
+});
diff --git a/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.tsx b/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.tsx
new file mode 100644
index 0000000000000..e2127bd7f7aca
--- /dev/null
+++ b/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.tsx
@@ -0,0 +1,188 @@
+/**
+ * Teleport
+ * Copyright (C) 2024 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+import { Text, Alert, ButtonPrimary, H1, ButtonText } from 'design';
+import Flex from 'design/Flex';
+import { useAsync, Attempt } from 'shared/hooks/useAsync';
+import { processRedirectUri } from 'shared/redirects';
+import { Cluster } from 'gen-proto-ts/teleport/lib/teleterm/v1/cluster_pb';
+import { DeviceConfirmationToken } from 'gen-proto-ts/teleport/devicetrust/v1/device_confirmation_token_pb';
+
+import Document from 'teleterm/ui/Document';
+import { routing } from 'teleterm/ui/uri';
+import { retryWithRelogin } from 'teleterm/ui/utils';
+import { useAppContext } from 'teleterm/ui/appContextProvider';
+import * as types from 'teleterm/ui/services/workspacesService';
+import { WebSessionRequest } from 'teleterm/ui/services/workspacesService';
+import { useWorkspaceContext } from 'teleterm/ui/Documents';
+
+export function DocumentAuthorizeWebSession(props: {
+  doc: types.DocumentAuthorizeWebSession;
+  visible: boolean;
+}) {
+  const ctx = useAppContext();
+  const { documentsService } = useWorkspaceContext();
+  const rootCluster = ctx.clustersService.findCluster(props.doc.rootClusterUri);
+  const [attempt, authorize] = useAsync(async () => {
+    const {
+      response: { confirmationToken },
+    } = await retryWithRelogin(ctx, props.doc.rootClusterUri, () =>
+      ctx.clustersService.authenticateWebDevice(
+        props.doc.rootClusterUri,
+        props.doc.webSessionRequest
+      )
+    );
+    const url = buildAuthorizedSessionUrl(
+      rootCluster,
+      props.doc.webSessionRequest,
+      confirmationToken
+    );
+    // This endpoint verifies the token and "upgrades" the web session and redirects to "/web".
+    window.open(url);
+  });
+  const clusterName = routing.parseClusterName(props.doc.rootClusterUri);
+  const canAuthorize = rootCluster.loggedInUser?.isDeviceTrusted;
+
+  async function authorizeAndCloseDocument() {
+    const [, error] = await authorize();
+    if (!error) {
+      closeAndNotify();
+    }
+  }
+
+  function openUnauthorizedAndCloseDocument() {
+    const url = buildUnauthorizedSessionUrl(
+      rootCluster,
+      props.doc.webSessionRequest
+    );
+    window.open(url);
+    closeAndNotify();
+  }
+
+  function closeAndNotify() {
+    documentsService.close(props.doc.uri);
+    ctx.notificationsService.notifyInfo(
+      'Web session has been opened in the browser'
+    );
+  }
+
+  return (
+    <Document visible={props.visible}>
+      <Flex
+        flexDirection="column"
+        maxWidth="680px"
+        width="100%"
+        mx="auto"
+        mt="4"
+        px="5"
+      >
+        <H1 mb="4">Authorize Web Session</H1>
+        <Flex flexDirection="column" gap={3}>
+          {!canAuthorize && (
+            <Alert
+              mb={0}
+              details={
+                <>
+                  To authorize a web session, you must first{' '}
+                  <a
+                    href="https://goteleport.com/docs/admin-guides/access-controls/device-trust/guide/#step-22-enroll-device"
+                    target="_blank"
+                  >
+                    enroll your device.
+                  </a>{' '}
+                  Then log out of the app, log back in, and try again.
+                </>
+              }
+            >
+              This device is not trusted
+            </Alert>
+          )}
+          {attempt.status === 'error' && (
+            <Alert mb={0} details={attempt.statusText}>
+              Could not authorize the session
+            </Alert>
+          )}
+          <Text>
+            Would you like to authorize a device trust web session for{' '}
+            <b>{clusterName}</b>?
+            <br />
+            The session will automatically open in a new browser tab.
+          </Text>
+          <Flex flexDirection="column" gap={2}>
+            <ButtonPrimary
+              disabled={
+                !canAuthorize ||
+                attempt.status === 'processing' ||
+                attempt.status === 'success'
+              }
+              size="large"
+              onClick={authorizeAndCloseDocument}
+            >
+              {getButtonText(attempt)}
+            </ButtonPrimary>
+            <ButtonText
+              disabled={
+                attempt.status === 'processing' || attempt.status === 'success'
+              }
+              onClick={openUnauthorizedAndCloseDocument}
+            >
+              Open Session Without Device Trust
+            </ButtonText>
+          </Flex>
+        </Flex>
+      </Flex>
+    </Document>
+  );
+}
+
+const confirmPath = 'webapi/devices/webconfirm';
+
+function buildAuthorizedSessionUrl(
+  rootCluster: Cluster,
+  webSessionRequest: WebSessionRequest,
+  confirmationToken: DeviceConfirmationToken
+): string {
+  const { redirectUri } = webSessionRequest;
+  let url = `https://${rootCluster.proxyHost}/${confirmPath}?id=${confirmationToken.id}&token=${confirmationToken.token}`;
+  if (redirectUri) {
+    url = `${url}&redirect_uri=${redirectUri}`;
+  }
+  return url;
+}
+
+function buildUnauthorizedSessionUrl(
+  rootCluster: Cluster,
+  webSessionRequest: WebSessionRequest
+): string {
+  const processedRedirectUri = processRedirectUri(
+    webSessionRequest.redirectUri
+  );
+  return `https://${rootCluster.proxyHost}${processedRedirectUri}`;
+}
+
+function getButtonText(attempt: Attempt<void>): string {
+  switch (attempt.status) {
+    case '':
+    case 'error':
+      return 'Authorize Session';
+    case 'processing':
+      return 'Authorizing Session…';
+    case 'success':
+      return 'Session Authorized';
+  }
+}
diff --git a/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/index.ts b/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/index.ts
new file mode 100644
index 0000000000000..ffd92d5d17b86
--- /dev/null
+++ b/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/index.ts
@@ -0,0 +1,19 @@
+/**
+ * Teleport
+ * Copyright (C) 2024 Gravitational, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+export * from './DocumentAuthorizeWebSession';
diff --git a/web/packages/teleterm/src/ui/Documents/DocumentsRenderer.tsx b/web/packages/teleterm/src/ui/Documents/DocumentsRenderer.tsx
index 0be864d2748f6..d1d300f0d8428 100644
--- a/web/packages/teleterm/src/ui/Documents/DocumentsRenderer.tsx
+++ b/web/packages/teleterm/src/ui/Documents/DocumentsRenderer.tsx
@@ -41,6 +41,7 @@ import {
 } from 'teleterm/ui/ConnectMyComputer';
 import { DocumentGatewayKube } from 'teleterm/ui/DocumentGatewayKube';
 import { DocumentGatewayApp } from 'teleterm/ui/DocumentGatewayApp';
+import { DocumentAuthorizeWebSession } from 'teleterm/ui/DocumentAuthorizeWebSession';
 
 import Document from 'teleterm/ui/Document';
 import { RootClusterUri, isDatabaseUri, isAppUri } from 'teleterm/ui/uri';
@@ -153,6 +154,8 @@ function MemoizedDocument(props: { doc: types.Document; visible: boolean }) {
         return <DocumentAccessRequests doc={doc} visible={visible} />;
       case 'doc.connect_my_computer':
         return <DocumentConnectMyComputer doc={doc} visible={visible} />;
+      case 'doc.authorize_web_session':
+        return <DocumentAuthorizeWebSession doc={doc} visible={visible} />;
       default:
         return (
           <Document visible={visible}>
diff --git a/web/packages/teleterm/src/ui/services/workspacesService/documentsService/documentsService.ts b/web/packages/teleterm/src/ui/services/workspacesService/documentsService/documentsService.ts
index ec3851550e84c..1edc82ed9c524 100644
--- a/web/packages/teleterm/src/ui/services/workspacesService/documentsService/documentsService.ts
+++ b/web/packages/teleterm/src/ui/services/workspacesService/documentsService/documentsService.ts
@@ -44,6 +44,8 @@ import {
   DocumentTshNodeWithServerId,
   DocumentClusterQueryParams,
   DocumentPtySession,
+  WebSessionRequest,
+  DocumentAuthorizeWebSession,
 } from './types';
 
 import type { Shell } from 'teleterm/mainProcess/shell';
@@ -228,6 +230,21 @@ export class DocumentsService {
     };
   }
 
+  createAuthorizeWebSessionDocument(params: {
+    rootClusterUri: string;
+    webSessionRequest: WebSessionRequest;
+  }): DocumentAuthorizeWebSession {
+    const uri = routing.getDocUri({ docId: unique() });
+
+    return {
+      uri,
+      kind: 'doc.authorize_web_session',
+      title: 'Authorize Web Session',
+      rootClusterUri: params.rootClusterUri,
+      webSessionRequest: params.webSessionRequest,
+    };
+  }
+
   openConnectMyComputerDocument(opts: {
     // URI of the root cluster could be passed to the `DocumentsService`
     // constructor and then to the document, instead of being taken from the parameter.
diff --git a/web/packages/teleterm/src/ui/services/workspacesService/documentsService/documentsUtils.ts b/web/packages/teleterm/src/ui/services/workspacesService/documentsService/documentsUtils.ts
index e71525ce99b95..6bd654e01d963 100644
--- a/web/packages/teleterm/src/ui/services/workspacesService/documentsService/documentsUtils.ts
+++ b/web/packages/teleterm/src/ui/services/workspacesService/documentsService/documentsUtils.ts
@@ -53,6 +53,8 @@ export function getResourceUri(
       });
     case 'doc.connect_my_computer':
       return document.rootClusterUri;
+    case 'doc.authorize_web_session':
+      return document.rootClusterUri;
     case 'doc.blank':
       return undefined;
     default:
diff --git a/web/packages/teleterm/src/ui/services/workspacesService/documentsService/types.ts b/web/packages/teleterm/src/ui/services/workspacesService/documentsService/types.ts
index cc95e377520ec..0c7fd36952285 100644
--- a/web/packages/teleterm/src/ui/services/workspacesService/documentsService/types.ts
+++ b/web/packages/teleterm/src/ui/services/workspacesService/documentsService/types.ts
@@ -221,6 +221,25 @@ export interface DocumentConnectMyComputer extends DocumentBase {
   status: '' | 'connecting' | 'connected' | 'error';
 }
 
+/**
+ * Document to authorize a web session with device trust.
+ * Unlike other documents, it is not persisted on disk.
+ */
+export interface DocumentAuthorizeWebSession extends DocumentBase {
+  kind: 'doc.authorize_web_session';
+  // `DocumentAuthorizeWebSession` always operates on the root cluster, so in theory `rootClusterUri` is not needed.
+  // However, there are a few components in the system, such as `getResourceUri`, which need to determine the relation
+  // between a document and a cluster just by looking at the document fields.
+  rootClusterUri: uri.RootClusterUri;
+  webSessionRequest: WebSessionRequest;
+}
+
+export interface WebSessionRequest {
+  id: string;
+  token: string;
+  redirectUri: string;
+}
+
 export type DocumentTerminal =
   | DocumentPtySession
   | DocumentGatewayCliClient
@@ -234,7 +253,8 @@ export type Document =
   | DocumentGateway
   | DocumentCluster
   | DocumentTerminal
-  | DocumentConnectMyComputer;
+  | DocumentConnectMyComputer
+  | DocumentAuthorizeWebSession;
 
 export function isDocumentTshNodeWithLoginHost(
   doc: Document
diff --git a/web/packages/teleterm/src/ui/services/workspacesService/workspacesService.ts b/web/packages/teleterm/src/ui/services/workspacesService/workspacesService.ts
index d2899b02df939..91984c5817025 100644
--- a/web/packages/teleterm/src/ui/services/workspacesService/workspacesService.ts
+++ b/web/packages/teleterm/src/ui/services/workspacesService/workspacesService.ts
@@ -570,10 +570,17 @@ export class WorkspacesService extends ImmutableStore<WorkspacesState> {
     };
     for (let w in this.state.workspaces) {
       const workspace = this.state.workspaces[w];
+      // We don't persist 'doc.authorize_web_session' because we don't want to store
+      // a session token and id on disk.
+      // Moreover, the user would not be able to authorize a session at a later time anyway.
+      const documentsToPersist = (
+        workspace.previous?.documents || workspace.documents
+      ).filter(d => d.kind !== 'doc.authorize_web_session');
+
       stateToSave.workspaces[w] = {
         localClusterUri: workspace.localClusterUri,
         location: workspace.previous?.location || workspace.location,
-        documents: workspace.previous?.documents || workspace.documents,
+        documents: documentsToPersist,
         connectMyComputer: workspace.connectMyComputer,
         unifiedResourcePreferences: workspace.unifiedResourcePreferences,
       };

From 6b1f8a8f6fd32cd9f0dedf8522d826d3d67b6005 Mon Sep 17 00:00:00 2001
From: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com>
Date: Wed, 4 Dec 2024 09:54:15 +0100
Subject: [PATCH 03/11] Replace `AuthenticateWebDevice` modal with the document

---
 .../teleterm/src/ui/ModalsHost/ModalsHost.tsx | 15 ----
 .../AuthenticateWebDevice.story.tsx           | 39 ---------
 .../AuthenticateWebDevice.tsx                 | 82 -------------------
 .../ui/services/deepLinks/deepLinksService.ts | 38 +++------
 .../src/ui/services/modals/modalsService.ts   |  8 --
 5 files changed, 11 insertions(+), 171 deletions(-)
 delete mode 100644 web/packages/teleterm/src/ui/ModalsHost/modals/AuthenticateWebDevice/AuthenticateWebDevice.story.tsx
 delete mode 100644 web/packages/teleterm/src/ui/ModalsHost/modals/AuthenticateWebDevice/AuthenticateWebDevice.tsx

diff --git a/web/packages/teleterm/src/ui/ModalsHost/ModalsHost.tsx b/web/packages/teleterm/src/ui/ModalsHost/ModalsHost.tsx
index 3ccb6f6c164ad..ba276907d9037 100644
--- a/web/packages/teleterm/src/ui/ModalsHost/ModalsHost.tsx
+++ b/web/packages/teleterm/src/ui/ModalsHost/ModalsHost.tsx
@@ -32,7 +32,6 @@ import { assertUnreachable } from '../utils';
 import { UsageData } from './modals/UsageData';
 import { UserJobRole } from './modals/UserJobRole';
 import { ReAuthenticate } from './modals/ReAuthenticate';
-import { AuthenticateWebDevice } from './modals/AuthenticateWebDevice/AuthenticateWebDevice';
 import { ChangeAccessRequestKind } from './modals/ChangeAccessRequestKind';
 import { AskPin, ChangePin, OverwriteSlot, Touch } from './modals/HardwareKeys';
 
@@ -87,20 +86,6 @@ function renderDialog({
   }
 
   switch (dialog.kind) {
-    case 'device-trust-authorize': {
-      return (
-        <AuthenticateWebDevice
-          hidden={hidden}
-          rootClusterUri={dialog.rootClusterUri}
-          onAuthorize={dialog.onAuthorize}
-          onCancel={() => {
-            handleClose();
-            dialog.onCancel();
-          }}
-          onClose={handleClose}
-        />
-      );
-    }
     case 'cluster-connect': {
       return (
         <ClusterConnect
diff --git a/web/packages/teleterm/src/ui/ModalsHost/modals/AuthenticateWebDevice/AuthenticateWebDevice.story.tsx b/web/packages/teleterm/src/ui/ModalsHost/modals/AuthenticateWebDevice/AuthenticateWebDevice.story.tsx
deleted file mode 100644
index b6f35a6e673f2..0000000000000
--- a/web/packages/teleterm/src/ui/ModalsHost/modals/AuthenticateWebDevice/AuthenticateWebDevice.story.tsx
+++ /dev/null
@@ -1,39 +0,0 @@
-/**
- * Teleport
- * Copyright (C) 2023  Gravitational, Inc.
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- */
-
-import React from 'react';
-
-import { makeRootCluster } from 'teleterm/services/tshd/testHelpers';
-import { MockAppContextProvider } from 'teleterm/ui/fixtures/MockAppContextProvider';
-
-import { AuthenticateWebDevice } from './AuthenticateWebDevice';
-
-export default {
-  title: 'Teleterm/ModalsHost/AuthenticateWebDevice',
-};
-
-export const Dialog = () => (
-  <MockAppContextProvider>
-    <AuthenticateWebDevice
-      rootClusterUri={makeRootCluster().uri}
-      onClose={() => {}}
-      onCancel={() => {}}
-      onAuthorize={async () => {}}
-    />
-  </MockAppContextProvider>
-);
diff --git a/web/packages/teleterm/src/ui/ModalsHost/modals/AuthenticateWebDevice/AuthenticateWebDevice.tsx b/web/packages/teleterm/src/ui/ModalsHost/modals/AuthenticateWebDevice/AuthenticateWebDevice.tsx
deleted file mode 100644
index 5c97b8d3ddad5..0000000000000
--- a/web/packages/teleterm/src/ui/ModalsHost/modals/AuthenticateWebDevice/AuthenticateWebDevice.tsx
+++ /dev/null
@@ -1,82 +0,0 @@
-/**
- * Teleport
- * Copyright (C) 2024 Gravitational, Inc.
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU Affero General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU Affero General Public License for more details.
- *
- * You should have received a copy of the GNU Affero General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
- */
-
-import { Alert } from 'design/Alert';
-import { ButtonPrimary, ButtonSecondary, Text } from 'design';
-import Dialog, { DialogContent } from 'design/Dialog';
-import Flex from 'design/Flex';
-import { useAsync } from 'shared/hooks/useAsync';
-
-import { useAppContext } from 'teleterm/ui/appContextProvider';
-import { RootClusterUri, routing } from 'teleterm/ui/uri';
-
-export const AuthenticateWebDevice = ({
-  hidden,
-  onAuthorize,
-  onClose,
-  onCancel,
-  rootClusterUri,
-}: {
-  rootClusterUri: RootClusterUri;
-  onCancel(): void;
-  onClose(): void;
-  onAuthorize(): Promise<void>;
-  hidden?: boolean;
-}) => {
-  const [attempt, run] = useAsync(async () => {
-    await onAuthorize();
-    onClose();
-  });
-  const { clustersService } = useAppContext();
-  const clusterName =
-    clustersService.findCluster(rootClusterUri)?.name ||
-    routing.parseClusterName(rootClusterUri);
-
-  return (
-    <Dialog open={!hidden} keepInDOMAfterClose>
-      {/* 400px was used as a way to do our best to get clusterName as the first item on the second line */}
-      <DialogContent maxWidth="400px">
-        <Text>
-          Would you like to authorize a device trust web session for{' '}
-          <b>{clusterName}</b>?
-        </Text>
-      </DialogContent>
-      {attempt.status === 'error' && (
-        <Alert details={attempt.statusText}>
-          Could not authorize the session
-        </Alert>
-      )}
-      <Flex flexDirection="column">
-        <ButtonPrimary
-          disabled={attempt.status === 'processing'}
-          block={true}
-          onClick={run}
-          mb={3}
-        >
-          Authorize session
-        </ButtonPrimary>
-        <ButtonSecondary
-          disabled={attempt.status === 'processing'}
-          onClick={onCancel}
-        >
-          Continue without device trust
-        </ButtonSecondary>
-      </Flex>
-    </Dialog>
-  );
-};
diff --git a/web/packages/teleterm/src/ui/services/deepLinks/deepLinksService.ts b/web/packages/teleterm/src/ui/services/deepLinks/deepLinksService.ts
index 2dd0c68310a2a..6083df679f626 100644
--- a/web/packages/teleterm/src/ui/services/deepLinks/deepLinksService.ts
+++ b/web/packages/teleterm/src/ui/services/deepLinks/deepLinksService.ts
@@ -17,7 +17,6 @@
  */
 
 import { AuthenticateWebDeviceDeepURL, DeepURL } from 'shared/deepLinks';
-import { processRedirectUri } from 'shared/redirects';
 
 import { DeepLinkParseResult } from 'teleterm/deepLinks';
 import { RootClusterUri, routing } from 'teleterm/ui/uri';
@@ -28,7 +27,6 @@ import { WorkspacesService } from 'teleterm/ui/services/workspacesService';
 import { ModalsService } from 'teleterm/ui/services/modals';
 import { NotificationsService } from 'teleterm/ui/services/notifications';
 
-const confirmPath = 'webapi/devices/webconfirm';
 export class DeepLinksService {
   constructor(
     private runtimeSettings: RuntimeSettings,
@@ -97,9 +95,9 @@ export class DeepLinksService {
   }
 
   /**
-   * askAuthorizeDeviceTrust opens a dialog asking the user if they'd like to authorize
+   * askAuthorizeDeviceTrust opens a document asking the user if they'd like to authorize
    * a web session with device trust. If confirmed, the web session will be upgraded and the
-   * user will be directed back to the web UI
+   * user will be directed back to the web UI.
    */
   private async askAuthorizeDeviceTrust(
     url: AuthenticateWebDeviceDeepURL
@@ -112,32 +110,18 @@ export class DeepLinksService {
     }
 
     const { rootClusterUri } = result;
-    const rootCluster = this.clustersService.findCluster(rootClusterUri);
-
-    this.modalsService.openRegularDialog({
-      kind: 'device-trust-authorize',
+    const documentService =
+      this.workspacesService.getWorkspaceDocumentService(rootClusterUri);
+    const doc = documentService.createAuthorizeWebSessionDocument({
       rootClusterUri,
-      onCancel: () => {
-        const processedRedirectURI = processRedirectUri(redirect_uri);
-        window.open(`https://${rootCluster.proxyHost}${processedRedirectURI}`);
-      },
-      onAuthorize: async () => {
-        const result = await this.clustersService.authenticateWebDevice(
-          rootClusterUri,
-          {
-            id,
-            token,
-          }
-        );
-        let url = `https://${rootCluster.proxyHost}/${confirmPath}?id=${result.response.confirmationToken.id}&token=${result.response.confirmationToken.token}`;
-        if (redirect_uri) {
-          url = `${url}&redirect_uri=${redirect_uri}`;
-        }
-        // open url to confirm the token. This endpoint verifies the token and "upgrades"
-        // the web session and redirects to "/web"
-        window.open(url);
+      webSessionRequest: {
+        id,
+        token,
+        redirectUri: redirect_uri,
       },
     });
+    documentService.add(doc);
+    documentService.open(doc.uri);
   }
 
   /**
diff --git a/web/packages/teleterm/src/ui/services/modals/modalsService.ts b/web/packages/teleterm/src/ui/services/modals/modalsService.ts
index e02035a7426ec..19f52af9e1eb3 100644
--- a/web/packages/teleterm/src/ui/services/modals/modalsService.ts
+++ b/web/packages/teleterm/src/ui/services/modals/modalsService.ts
@@ -170,13 +170,6 @@ export interface DialogDocumentsReopen {
   onCancel?(): void;
 }
 
-export interface DialogDeviceTrustAuthorize {
-  kind: 'device-trust-authorize';
-  rootClusterUri: RootClusterUri;
-  onAuthorize(): Promise<void>;
-  onCancel(): void;
-}
-
 export interface DialogUsageData {
   kind: 'usage-data';
   onAllow(): void;
@@ -252,7 +245,6 @@ export type Dialog =
   | DialogClusterConnect
   | DialogClusterLogout
   | DialogDocumentsReopen
-  | DialogDeviceTrustAuthorize
   | DialogUsageData
   | DialogUserJobRole
   | DialogResourceSearchErrors

From 7fec9249339cdbcb49d241003a1d015cf8a47af6 Mon Sep 17 00:00:00 2001
From: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com>
Date: Thu, 5 Dec 2024 13:27:00 +0100
Subject: [PATCH 04/11] Remove dot from anchor

---
 .../DocumentAuthorizeWebSession.tsx                         | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.tsx b/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.tsx
index e2127bd7f7aca..66add741461be 100644
--- a/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.tsx
+++ b/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.tsx
@@ -103,9 +103,9 @@ export function DocumentAuthorizeWebSession(props: {
                     href="https://goteleport.com/docs/admin-guides/access-controls/device-trust/guide/#step-22-enroll-device"
                     target="_blank"
                   >
-                    enroll your device.
-                  </a>{' '}
-                  Then log out of the app, log back in, and try again.
+                    enroll your device
+                  </a>
+                  . Then log out of the app, log back in, and try again.
                 </>
               }
             >

From b9a69401607f897677a7880f3662c9488d896d4b Mon Sep 17 00:00:00 2001
From: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com>
Date: Thu, 5 Dec 2024 13:27:38 +0100
Subject: [PATCH 05/11] Move more logic to `authorizeAndCloseDocument`

---
 .../DocumentAuthorizeWebSession.tsx           | 34 ++++++++++---------
 1 file changed, 18 insertions(+), 16 deletions(-)

diff --git a/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.tsx b/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.tsx
index 66add741461be..74a018b5aedd2 100644
--- a/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.tsx
+++ b/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.tsx
@@ -38,7 +38,7 @@ export function DocumentAuthorizeWebSession(props: {
   const ctx = useAppContext();
   const { documentsService } = useWorkspaceContext();
   const rootCluster = ctx.clustersService.findCluster(props.doc.rootClusterUri);
-  const [attempt, authorize] = useAsync(async () => {
+  const [authorizeAttempt, authorize] = useAsync(async () => {
     const {
       response: { confirmationToken },
     } = await retryWithRelogin(ctx, props.doc.rootClusterUri, () =>
@@ -47,20 +47,21 @@ export function DocumentAuthorizeWebSession(props: {
         props.doc.webSessionRequest
       )
     );
-    const url = buildAuthorizedSessionUrl(
-      rootCluster,
-      props.doc.webSessionRequest,
-      confirmationToken
-    );
-    // This endpoint verifies the token and "upgrades" the web session and redirects to "/web".
-    window.open(url);
+    return confirmationToken;
   });
   const clusterName = routing.parseClusterName(props.doc.rootClusterUri);
   const canAuthorize = rootCluster.loggedInUser?.isDeviceTrusted;
 
   async function authorizeAndCloseDocument() {
-    const [, error] = await authorize();
+    const [confirmationToken, error] = await authorize();
     if (!error) {
+      const url = buildAuthorizedSessionUrl(
+        rootCluster,
+        props.doc.webSessionRequest,
+        confirmationToken
+      );
+      // This endpoint verifies the token and "upgrades" the web session and redirects to "/web".
+      window.open(url);
       closeAndNotify();
     }
   }
@@ -112,8 +113,8 @@ export function DocumentAuthorizeWebSession(props: {
               This device is not trusted
             </Alert>
           )}
-          {attempt.status === 'error' && (
-            <Alert mb={0} details={attempt.statusText}>
+          {authorizeAttempt.status === 'error' && (
+            <Alert mb={0} details={authorizeAttempt.statusText}>
               Could not authorize the session
             </Alert>
           )}
@@ -127,17 +128,18 @@ export function DocumentAuthorizeWebSession(props: {
             <ButtonPrimary
               disabled={
                 !canAuthorize ||
-                attempt.status === 'processing' ||
-                attempt.status === 'success'
+                authorizeAttempt.status === 'processing' ||
+                authorizeAttempt.status === 'success'
               }
               size="large"
               onClick={authorizeAndCloseDocument}
             >
-              {getButtonText(attempt)}
+              {getButtonText(authorizeAttempt)}
             </ButtonPrimary>
             <ButtonText
               disabled={
-                attempt.status === 'processing' || attempt.status === 'success'
+                authorizeAttempt.status === 'processing' ||
+                authorizeAttempt.status === 'success'
               }
               onClick={openUnauthorizedAndCloseDocument}
             >
@@ -175,7 +177,7 @@ function buildUnauthorizedSessionUrl(
   return `https://${rootCluster.proxyHost}${processedRedirectUri}`;
 }
 
-function getButtonText(attempt: Attempt<void>): string {
+function getButtonText(attempt: Attempt<unknown>): string {
   switch (attempt.status) {
     case '':
     case 'error':

From 5362a3e28c9a5a83b086b0246ed8a4d24c293f69 Mon Sep 17 00:00:00 2001
From: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com>
Date: Thu, 5 Dec 2024 13:30:59 +0100
Subject: [PATCH 06/11] Add a comment about `canAuthorize`

---
 .../DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.tsx  | 1 +
 1 file changed, 1 insertion(+)

diff --git a/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.tsx b/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.tsx
index 74a018b5aedd2..3a52fcfdc972e 100644
--- a/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.tsx
+++ b/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.tsx
@@ -94,6 +94,7 @@ export function DocumentAuthorizeWebSession(props: {
       >
         <H1 mb="4">Authorize Web Session</H1>
         <Flex flexDirection="column" gap={3}>
+          {/*It's technically possible to open a deep link to authorize a session on a device that is not enrolled.*/}
           {!canAuthorize && (
             <Alert
               mb={0}

From 089b1d4730f2f39ffd9adb6dfd2491ded4957057 Mon Sep 17 00:00:00 2001
From: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com>
Date: Thu, 5 Dec 2024 13:54:19 +0100
Subject: [PATCH 07/11] Filter out documents before restoring session

---
 .../workspacesService.test.ts                 | 48 +++++++++++++++++++
 .../workspacesService/workspacesService.ts    | 47 ++++++++++++++----
 2 files changed, 87 insertions(+), 8 deletions(-)

diff --git a/web/packages/teleterm/src/ui/services/workspacesService/workspacesService.test.ts b/web/packages/teleterm/src/ui/services/workspacesService/workspacesService.test.ts
index be44ad0ea1a16..6af55fd4fc1ab 100644
--- a/web/packages/teleterm/src/ui/services/workspacesService/workspacesService.test.ts
+++ b/web/packages/teleterm/src/ui/services/workspacesService/workspacesService.test.ts
@@ -137,6 +137,54 @@ describe('restoring workspace', () => {
       },
     });
   });
+
+  it('does not restore doc.authorize_web_session documents', async () => {
+    const cluster = makeRootCluster();
+    const testWorkspace: Workspace = {
+      accessRequests: {
+        isBarCollapsed: true,
+        pending: getEmptyPendingAccessRequest(),
+      },
+      localClusterUri: cluster.uri,
+      documents: [
+        {
+          kind: 'doc.terminal_shell',
+          uri: '/docs/terminal_shell_uri',
+          title: '/Users/alice/Documents',
+        },
+        {
+          kind: 'doc.authorize_web_session',
+          rootClusterUri: cluster.uri,
+          uri: '/docs/authorize_web_session_uri',
+          webSessionRequest: {
+            id: '',
+            token: '',
+            redirectUri: '',
+          },
+          title: 'Authorize Web Session',
+        },
+      ],
+      location: '/docs/authorize_web_session_uri',
+    };
+
+    const { workspacesService } = getTestSetup({
+      cluster,
+      persistedWorkspaces: { [cluster.uri]: testWorkspace },
+    });
+
+    await workspacesService.restorePersistedState();
+
+    expect(workspacesService.getWorkspace(cluster.uri).previous).toStrictEqual({
+      documents: [
+        {
+          kind: 'doc.terminal_shell',
+          uri: '/docs/terminal_shell_uri',
+          title: '/Users/alice/Documents',
+        },
+      ],
+      location: '/docs/terminal_shell_uri', // location no longer points to the document that was omitted
+    });
+  });
 });
 
 describe('setActiveWorkspace', () => {
diff --git a/web/packages/teleterm/src/ui/services/workspacesService/workspacesService.ts b/web/packages/teleterm/src/ui/services/workspacesService/workspacesService.ts
index 91984c5817025..b130775e24b0c 100644
--- a/web/packages/teleterm/src/ui/services/workspacesService/workspacesService.ts
+++ b/web/packages/teleterm/src/ui/services/workspacesService/workspacesService.ts
@@ -421,17 +421,22 @@ export class WorkspacesService extends ImmutableStore<WorkspacesState> {
         const workspaceDefaultState = this.getWorkspaceDefaultState(
           persistedWorkspace?.localClusterUri || cluster.uri
         );
-        const persistedWorkspaceDocuments = persistedWorkspace?.documents;
+        const restorableDocuments = getRestorableDocuments(
+          persistedWorkspace?.documents || []
+        );
 
         workspaces[cluster.uri] = {
           ...workspaceDefaultState,
           previous: this.canReopenPreviousDocuments({
-            previousDocuments: persistedWorkspaceDocuments,
+            previousDocuments: restorableDocuments,
             currentDocuments: workspaceDefaultState.documents,
           })
             ? {
-                location: persistedWorkspace.location,
-                documents: persistedWorkspaceDocuments,
+                location: getLocationToRestore(
+                  restorableDocuments,
+                  persistedWorkspace.location
+                ),
+                documents: restorableDocuments,
               }
             : undefined,
           connectMyComputer: persistedWorkspace?.connectMyComputer,
@@ -570,12 +575,21 @@ export class WorkspacesService extends ImmutableStore<WorkspacesState> {
     };
     for (let w in this.state.workspaces) {
       const workspace = this.state.workspaces[w];
-      // We don't persist 'doc.authorize_web_session' because we don't want to store
-      // a session token and id on disk.
-      // Moreover, the user would not be able to authorize a session at a later time anyway.
       const documentsToPersist = (
         workspace.previous?.documents || workspace.documents
-      ).filter(d => d.kind !== 'doc.authorize_web_session');
+      ).map(d =>
+        d.kind === 'doc.authorize_web_session'
+          ? {
+              ...d,
+              // Do not store potentially sensitive properties.
+              webSessionRequest: {
+                id: '',
+                token: '',
+                redirectUri: '',
+              },
+            }
+          : d
+      );
 
       stateToSave.workspaces[w] = {
         localClusterUri: workspace.localClusterUri,
@@ -635,3 +649,20 @@ type UnifiedResourcePreferencesSchemaAsRequired = Required<
 export const useWorkspaceServiceState = () => {
   return useStoreSelector('workspacesService', identitySelector);
 };
+
+function getRestorableDocuments(documents: Document[]): Document[] {
+  return (
+    documents
+      // We don't restore 'doc.authorize_web_session' because the user would not
+      // be able to authorize a session at a later time anyway.
+      .filter(d => d.kind !== 'doc.authorize_web_session')
+  );
+}
+
+/** Assumes that there is at least one document to restore. */
+function getLocationToRestore(
+  documents: Document[],
+  location: DocumentUri
+): DocumentUri {
+  return documents.find(d => d.uri === location) ? location : documents[0]!.uri;
+}

From 1c3c8b2e18872f97cfd7afa356592f773f6b3dc3 Mon Sep 17 00:00:00 2001
From: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com>
Date: Thu, 5 Dec 2024 14:12:39 +0100
Subject: [PATCH 08/11] Add a comment about `processedRedirectUri`

---
 .../DocumentAuthorizeWebSession.tsx                           | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.tsx b/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.tsx
index 3a52fcfdc972e..331389fa12e19 100644
--- a/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.tsx
+++ b/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.tsx
@@ -161,6 +161,7 @@ function buildAuthorizedSessionUrl(
   confirmationToken: DeviceConfirmationToken
 ): string {
   const { redirectUri } = webSessionRequest;
+
   let url = `https://${rootCluster.proxyHost}/${confirmPath}?id=${confirmationToken.id}&token=${confirmationToken.token}`;
   if (redirectUri) {
     url = `${url}&redirect_uri=${redirectUri}`;
@@ -172,6 +173,9 @@ function buildUnauthorizedSessionUrl(
   rootCluster: Cluster,
   webSessionRequest: WebSessionRequest
 ): string {
+  // processedRedirectUri is the path part of the redirectUri.
+  // Unlike in buildAuthorizedSessionUrl, here we return a full path to open
+  // instead of including redirection as the `redirect_uri` query parameter.
   const processedRedirectUri = processRedirectUri(
     webSessionRequest.redirectUri
   );

From d22dc12982a779008f254930825f61a867fd49c6 Mon Sep 17 00:00:00 2001
From: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com>
Date: Thu, 5 Dec 2024 17:01:55 +0100
Subject: [PATCH 09/11] Restore filtering out documents before saving them on
 disk

---
 .../workspacesService.test.ts                 | 90 ++++++++++++++++---
 .../workspacesService/workspacesService.ts    | 36 +++-----
 2 files changed, 87 insertions(+), 39 deletions(-)

diff --git a/web/packages/teleterm/src/ui/services/workspacesService/workspacesService.test.ts b/web/packages/teleterm/src/ui/services/workspacesService/workspacesService.test.ts
index 6af55fd4fc1ab..50647439e781a 100644
--- a/web/packages/teleterm/src/ui/services/workspacesService/workspacesService.test.ts
+++ b/web/packages/teleterm/src/ui/services/workspacesService/workspacesService.test.ts
@@ -33,7 +33,11 @@ import { NotificationsService } from '../notifications';
 import { ModalsService } from '../modals';
 
 import { getEmptyPendingAccessRequest } from './accessRequestsService';
-import { Workspace, WorkspacesService } from './workspacesService';
+import {
+  Workspace,
+  WorkspacesService,
+  WorkspacesState,
+} from './workspacesService';
 import { DocumentCluster, DocumentsService } from './documentsService';
 
 import type * as tshd from 'teleterm/services/tshd/types';
@@ -138,7 +142,7 @@ describe('restoring workspace', () => {
     });
   });
 
-  it('does not restore doc.authorize_web_session documents', async () => {
+  it('location is set to first document if it points to non-existing document', async () => {
     const cluster = makeRootCluster();
     const testWorkspace: Workspace = {
       accessRequests: {
@@ -149,22 +153,16 @@ describe('restoring workspace', () => {
       documents: [
         {
           kind: 'doc.terminal_shell',
-          uri: '/docs/terminal_shell_uri',
+          uri: '/docs/terminal_shell_uri_1',
           title: '/Users/alice/Documents',
         },
         {
-          kind: 'doc.authorize_web_session',
-          rootClusterUri: cluster.uri,
-          uri: '/docs/authorize_web_session_uri',
-          webSessionRequest: {
-            id: '',
-            token: '',
-            redirectUri: '',
-          },
-          title: 'Authorize Web Session',
+          kind: 'doc.terminal_shell',
+          uri: '/docs/terminal_shell_uri_2',
+          title: '/Users/alice/Documents',
         },
       ],
-      location: '/docs/authorize_web_session_uri',
+      location: '/docs/non-existing-doc',
     };
 
     const { workspacesService } = getTestSetup({
@@ -182,7 +180,70 @@ describe('restoring workspace', () => {
           title: '/Users/alice/Documents',
         },
       ],
-      location: '/docs/terminal_shell_uri', // location no longer points to the document that was omitted
+      location: '/docs/terminal_shell_uri',
+    });
+  });
+});
+
+describe('state persistence', () => {
+  it('doc.authorize_web_session is not stored to disk', () => {
+    const cluster = makeRootCluster();
+    const workspacesState: WorkspacesState = {
+      rootClusterUri: cluster.uri,
+      isInitialized: true,
+      workspaces: {
+        [cluster.uri]: {
+          accessRequests: {
+            isBarCollapsed: true,
+            pending: getEmptyPendingAccessRequest(),
+          },
+          localClusterUri: cluster.uri,
+          documents: [
+            {
+              kind: 'doc.terminal_shell',
+              uri: '/docs/terminal_shell_uri',
+              title: '/Users/alice/Documents',
+            },
+            {
+              kind: 'doc.authorize_web_session',
+              uri: '/docs/authorize_web_session',
+              rootClusterUri: cluster.uri,
+              title: 'Authorize Web Session',
+              webSessionRequest: {
+                id: '',
+                token: '',
+                redirectUri: '',
+              },
+            },
+          ],
+          location: '/docs/authorize_web_session',
+        },
+      },
+    };
+    const { workspacesService, statePersistenceService } = getTestSetup({
+      cluster,
+      persistedWorkspaces: {},
+    });
+
+    workspacesService.setState(() => workspacesState);
+
+    expect(statePersistenceService.saveWorkspacesState).toHaveBeenCalledTimes(
+      1
+    );
+    expect(statePersistenceService.saveWorkspacesState).toHaveBeenCalledWith({
+      rootClusterUri: cluster.uri,
+      workspaces: {
+        [cluster.uri]: expect.objectContaining({
+          documents: [
+            {
+              kind: 'doc.terminal_shell',
+              uri: '/docs/terminal_shell_uri',
+              title: '/Users/alice/Documents',
+            },
+          ],
+          location: '/docs/authorize_web_session',
+        }),
+      },
     });
   });
 });
@@ -349,5 +410,6 @@ function getTestSetup(options: {
     clusterDocument,
     modalsService,
     notificationsService,
+    statePersistenceService,
   };
 }
diff --git a/web/packages/teleterm/src/ui/services/workspacesService/workspacesService.ts b/web/packages/teleterm/src/ui/services/workspacesService/workspacesService.ts
index b130775e24b0c..e3f38745bef83 100644
--- a/web/packages/teleterm/src/ui/services/workspacesService/workspacesService.ts
+++ b/web/packages/teleterm/src/ui/services/workspacesService/workspacesService.ts
@@ -421,22 +421,20 @@ export class WorkspacesService extends ImmutableStore<WorkspacesState> {
         const workspaceDefaultState = this.getWorkspaceDefaultState(
           persistedWorkspace?.localClusterUri || cluster.uri
         );
-        const restorableDocuments = getRestorableDocuments(
-          persistedWorkspace?.documents || []
-        );
+        const persistedWorkspaceDocuments = persistedWorkspace?.documents;
 
         workspaces[cluster.uri] = {
           ...workspaceDefaultState,
           previous: this.canReopenPreviousDocuments({
-            previousDocuments: restorableDocuments,
+            previousDocuments: persistedWorkspaceDocuments,
             currentDocuments: workspaceDefaultState.documents,
           })
             ? {
                 location: getLocationToRestore(
-                  restorableDocuments,
+                  persistedWorkspaceDocuments,
                   persistedWorkspace.location
                 ),
-                documents: restorableDocuments,
+                documents: persistedWorkspaceDocuments,
               }
             : undefined,
           connectMyComputer: persistedWorkspace?.connectMyComputer,
@@ -575,20 +573,8 @@ export class WorkspacesService extends ImmutableStore<WorkspacesState> {
     };
     for (let w in this.state.workspaces) {
       const workspace = this.state.workspaces[w];
-      const documentsToPersist = (
+      const documentsToPersist = getDocumentsToPersist(
         workspace.previous?.documents || workspace.documents
-      ).map(d =>
-        d.kind === 'doc.authorize_web_session'
-          ? {
-              ...d,
-              // Do not store potentially sensitive properties.
-              webSessionRequest: {
-                id: '',
-                token: '',
-                redirectUri: '',
-              },
-            }
-          : d
       );
 
       stateToSave.workspaces[w] = {
@@ -650,19 +636,19 @@ export const useWorkspaceServiceState = () => {
   return useStoreSelector('workspacesService', identitySelector);
 };
 
-function getRestorableDocuments(documents: Document[]): Document[] {
+function getDocumentsToPersist(documents: Document[]): Document[] {
   return (
     documents
-      // We don't restore 'doc.authorize_web_session' because the user would not
-      // be able to authorize a session at a later time anyway.
+      // We don't persist 'doc.authorize_web_session' because we don't want to store
+      // a session token and id on disk.
+      // Moreover, the user would not be able to authorize a session at a later time anyway.
       .filter(d => d.kind !== 'doc.authorize_web_session')
   );
 }
 
-/** Assumes that there is at least one document to restore. */
 function getLocationToRestore(
   documents: Document[],
   location: DocumentUri
-): DocumentUri {
-  return documents.find(d => d.uri === location) ? location : documents[0]!.uri;
+): DocumentUri | undefined {
+  return documents.find(d => d.uri === location) ? location : documents[0]?.uri;
 }

From 0ce9584c3609f5caa595f0e15b4be98c0efd0457 Mon Sep 17 00:00:00 2001
From: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com>
Date: Thu, 5 Dec 2024 17:12:05 +0100
Subject: [PATCH 10/11] Fix test

---
 .../services/workspacesService/workspacesService.test.ts | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/web/packages/teleterm/src/ui/services/workspacesService/workspacesService.test.ts b/web/packages/teleterm/src/ui/services/workspacesService/workspacesService.test.ts
index 50647439e781a..ded2d08080df5 100644
--- a/web/packages/teleterm/src/ui/services/workspacesService/workspacesService.test.ts
+++ b/web/packages/teleterm/src/ui/services/workspacesService/workspacesService.test.ts
@@ -176,11 +176,16 @@ describe('restoring workspace', () => {
       documents: [
         {
           kind: 'doc.terminal_shell',
-          uri: '/docs/terminal_shell_uri',
+          uri: '/docs/terminal_shell_uri_1',
+          title: '/Users/alice/Documents',
+        },
+        {
+          kind: 'doc.terminal_shell',
+          uri: '/docs/terminal_shell_uri_2',
           title: '/Users/alice/Documents',
         },
       ],
-      location: '/docs/terminal_shell_uri',
+      location: '/docs/terminal_shell_uri_1',
     });
   });
 });

From fb15aff7693d86551fdced10939ddda4f1bfd411 Mon Sep 17 00:00:00 2001
From: Grzegorz Zdunek <grzegorz.zdunek@goteleport.com>
Date: Mon, 9 Dec 2024 12:33:17 +0100
Subject: [PATCH 11/11] Refer to Teleport Connect instead of 'the app'

---
 .../DocumentAuthorizeWebSession.tsx                            | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.tsx b/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.tsx
index 331389fa12e19..461a8de679ae4 100644
--- a/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.tsx
+++ b/web/packages/teleterm/src/ui/DocumentAuthorizeWebSession/DocumentAuthorizeWebSession.tsx
@@ -107,7 +107,8 @@ export function DocumentAuthorizeWebSession(props: {
                   >
                     enroll your device
                   </a>
-                  . Then log out of the app, log back in, and try again.
+                  . Then log out of Teleport Connect, log back in, and try
+                  again.
                 </>
               }
             >