mirror of
https://github.com/juanfont/headscale.git
synced 2026-07-17 16:36:02 +00:00
auth: check machine key on tailscaled-restart fast path
The #2862 restart path returned nodeToRegisterResponse after a NodeKey-only lookup without verifying MachineKey. Add the same check handleLogout already performs.
This commit is contained in:
parent
99767cf805
commit
41d70fe87b
1 changed files with 14 additions and 0 deletions
|
|
@ -70,6 +70,20 @@ func (h *Headscale) handleRegister(
|
|||
// We do not look up nodes by [key.MachinePublic] as it might belong to multiple
|
||||
// nodes, separated by users and this path is handling expiring/logout paths.
|
||||
if node, ok := h.state.GetNodeByNodeKey(req.NodeKey); ok {
|
||||
// Refuse to act on a node looked up purely by NodeKey unless
|
||||
// the Noise session's machine key matches the cached node.
|
||||
// Without this check anyone holding a target's NodeKey could
|
||||
// open a Noise session with a throwaway machine key and read
|
||||
// the owner's User/Login back through nodeToRegisterResponse.
|
||||
// handleLogout enforces the same check on its own path.
|
||||
if node.MachineKey() != machineKey {
|
||||
return nil, NewHTTPError(
|
||||
http.StatusUnauthorized,
|
||||
"node exists with a different machine key",
|
||||
nil,
|
||||
)
|
||||
}
|
||||
|
||||
// When tailscaled restarts, it sends RegisterRequest with Auth=nil and Expiry=zero.
|
||||
// Return the current node state without modification.
|
||||
// See: https://github.com/juanfont/headscale/issues/2862
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue