hscontrol/oidc: fix ACL policy not applied to new OIDC nodes (#2890)

Fixes #2888 Fixes #2896
2026-04-24 09:38:45 +02:00 · 2025-11-30 19:02:15 +01:00
parent 0078eb7790
commit cb4d5b1906
9 changed files with 761 additions and 107 deletions
--- a/hscontrol/grpcv1.go
+++ b/hscontrol/grpcv1.go
@@ -312,13 +312,13 @@ func (api headscaleV1APIServer) RegisterNode(
 	// ensure we send an update.
 	// This works, but might be another good candidate for doing some sort of
 	// eventbus.
-	_ = api.h.state.AutoApproveRoutes(node)
-	_, _, err = api.h.state.SaveNode(node)
+	routeChange, err := api.h.state.AutoApproveRoutes(node)
 	if err != nil {
-		return nil, fmt.Errorf("saving auto approved routes to node: %w", err)
+		return nil, fmt.Errorf("auto approving routes: %w", err)
 	}

-	api.h.Change(nodeChange)
+	// Send both changes. Empty changes are ignored by Change().
+	api.h.Change(nodeChange, routeChange)

 	return &v1.RegisterNodeResponse{Node: node.Proto()}, nil
 }