hscontrol/oidc: fix ACL policy not applied to new OIDC nodes (#2890)

Fixes #2888 Fixes #2896
2026-04-21 16:21:41 +02:00 · 2025-11-30 19:02:15 +01:00
parent 0078eb7790
commit cb4d5b1906
9 changed files with 761 additions and 107 deletions
--- a/hscontrol/auth.go
+++ b/hscontrol/auth.go
@@ -11,7 +11,6 @@ import (
 	"time"

 	"github.com/juanfont/headscale/hscontrol/types"
-	"github.com/juanfont/headscale/hscontrol/types/change"
 	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/rs/zerolog/log"
 	"gorm.io/gorm"
@@ -364,16 +363,13 @@ func (h *Headscale) handleRegisterWithAuthKey(
 	// eventbus.
 	// TODO(kradalby): This needs to be ran as part of the batcher maybe?
 	// now since we dont update the node/pol here anymore
-	routeChange := h.state.AutoApproveRoutes(node)
-
-	if _, _, err := h.state.SaveNode(node); err != nil {
-		return nil, fmt.Errorf("saving auto approved routes to node: %w", err)
+	routesChange, err := h.state.AutoApproveRoutes(node)
+	if err != nil {
+		return nil, fmt.Errorf("auto approving routes: %w", err)
 	}

-	if routeChange && changed.Empty() {
-		changed = change.NodeAdded(node.ID())
-	}
-	h.Change(changed)
+	// Send both changes. Empty changes are ignored by Change().
+	h.Change(changed, routesChange)

 	// TODO(kradalby): I think this is covered above, but we need to validate that.
 	// // If policy changed due to node registration, send a separate policy change