state: apply default node key expiry on registration

Use the node.expiry config to apply a default expiry to non-tagged nodes when the client does not request a specific expiry. This covers all registration paths: new node creation, re-authentication, and pre-auth key re-registration. Tagged nodes remain exempt and never expire. Fixes #1711
2026-04-25 10:08:41 +02:00 · 2026-03-01 22:53:55 +00:00
parent 4d0b273b90
commit 6337a3dbc4
3 changed files with 40 additions and 8 deletions
--- a/hscontrol/state/state.go
+++ b/hscontrol/state/state.go
@@ -1431,6 +1431,17 @@ func (s *State) applyAuthNodeUpdate(params authNodeUpdateParams) (types.NodeView
 			}
 		}
 		// Tagged → Tagged: keep existing expiry (nil) - no action needed
+
+		// Apply default node expiry for non-tagged nodes when the
+		// resolved expiry is still nil or zero (e.g., CLI registration
+		// where the client did not request a specific expiry).
+		needsDefaultExpiry := !node.IsTagged() &&
+			(node.Expiry == nil || node.Expiry.IsZero()) &&
+			s.cfg.Node.Expiry > 0
+		if needsDefaultExpiry {
+			exp := time.Now().Add(s.cfg.Node.Expiry)
+			node.Expiry = &exp
+		}
 	})

 	if !ok {
@@ -1553,6 +1564,17 @@ func (s *State) createAndSaveNewNode(params newNodeParams) (types.NodeView, erro
 		}
 	}

+	// Apply default node expiry for non-tagged nodes when the client
+	// did not request a specific expiry.
+	// Tagged nodes are exempt — they never expire.
+	needsDefaultExpiry := !nodeToRegister.IsTagged() &&
+		(nodeToRegister.Expiry == nil || nodeToRegister.Expiry.IsZero()) &&
+		s.cfg.Node.Expiry > 0
+	if needsDefaultExpiry {
+		exp := time.Now().Add(s.cfg.Node.Expiry)
+		nodeToRegister.Expiry = &exp
+	}
+
 	// Validate before saving
 	err := validateNodeOwnership(&nodeToRegister)
 	if err != nil {
@@ -2030,9 +2052,18 @@ func (s *State) HandleNodeFromPreAuthKey(
 			node.LastSeen = new(time.Now())

 			// Tagged nodes keep their existing expiry (disabled).
-			// User-owned nodes update expiry from the client request.
+			// User-owned nodes update expiry from the client request,
+			// falling back to the configured default if the client
+			// did not request a specific expiry.
 			if !node.IsTagged() {
-				node.Expiry = &regReq.Expiry
+				if !regReq.Expiry.IsZero() {
+					node.Expiry = &regReq.Expiry
+				} else if s.cfg.Node.Expiry > 0 {
+					exp := time.Now().Add(s.cfg.Node.Expiry)
+					node.Expiry = &exp
+				} else {
+					node.Expiry = &regReq.Expiry
+				}
 			}
 		})