[Feature] Expose pending interactive registrations via admin API/CLI #1087

New Issue

adam · 2025-12-29T02:28:12+01:00

adam commented

2025-12-29 02:28:12 +01:00

Originally created by @oneingan on GitHub (Aug 18, 2025).

Use case

Use cases

An admin-side service or UI that:
- lists pending interactive registrations
- approves a subset based on an allow/deny list, or after human review
Automation using a periodic job that approves known devices, while still using registrationId.

Description

Background

Since the registrationId flow was introduced (replacing mkey-based approval for interactive registration), pending registrations are short‑lived and tracked in memory until approved (AuthURL follow-up).
This decouples identity from machine keys and fixes multi-user/same-machine cases, which is great.

Problem today

For interactive registrations there’s no way for an external controller to see “what’s pending” and act on it.
The pending registrations live only in the in-memory registration cache:
As a result, an external approval service cannot discover pending registrationIds to approve them, and polling the DB won’t help (not persisted).

Is exposing pending interactive registrations acceptable within headscale’s design?

Contribution

I can write the design doc for this feature
I can contribute this feature

How can it be implemented?

No response

Originally created by @oneingan on GitHub (Aug 18, 2025). ### Use case Use cases - An admin-side service or UI that: - lists pending interactive registrations - approves a subset based on an allow/deny list, or after human review - Automation using a periodic job that approves known devices, while still using registrationId. ### Description Background - Since the registrationId flow was introduced (replacing mkey-based approval for interactive registration), pending registrations are short‑lived and tracked in memory until approved (AuthURL follow-up). - This decouples identity from machine keys and fixes multi-user/same-machine cases, which is great. Problem today - For interactive registrations there’s no way for an external controller to see “what’s pending” and act on it. - The pending registrations live only in the in-memory registration cache: - As a result, an external approval service cannot discover pending registrationIds to approve them, and polling the DB won’t help (not persisted). Is exposing pending interactive registrations acceptable within headscale’s design? ### Contribution - [x] I can write the design doc for this feature - [x] I can contribute this feature ### How can it be implemented? _No response_

adam added the enhancement no-stale-bot labels 2025-12-29 02:28:12 +01:00

adam commented

2025-12-29 02:28:12 +01:00

@kradalby commented on GitHub (Aug 19, 2025):

An admin-side service or UI that:

lists pending interactive registrations

approves a subset based on an allow/deny list, or after human review

Automation using a periodic job that approves known devices, while still using registrationId.

I believe that if you have access to the registration token, then the "write" part here is already solved right? Since the approval of registrations is already implemented in the API (and used in the CLI)?

So this should only be about programatically expose the current pending registrations?

Is exposing pending interactive registrations acceptable within headscale’s design?

I would like to hear others opinions in regards to exposing this, but as far as I can think, it should not be a problem and it should not expose any additional attack surface because:

If you have API access, you can already issue pre authenticated keys
API access can already approve/register the machines, you just need the ID.

I cannot remember how much metadata is associated with the registration key, I think it is at least the nodekey/machinekey, but not sure if you have enough to make it a nice UX (hostname etc).

My only holdback right now is that I kind of want to explore to reimplement (#2305), so adding more to the current one is more work later, but should be ok.

@kradalby commented on GitHub (Aug 19, 2025): > - An admin-side service or UI that: > - lists pending interactive registrations > - approves a subset based on an allow/deny list, or after human review > - Automation using a periodic job that approves known devices, while still using registrationId. I believe that if you have access to the registration token, then the "write" part here is already solved right? Since the approval of registrations is already implemented in the API (and used in the CLI)? So this should only be about programatically expose the current pending registrations? > Is exposing pending interactive registrations acceptable within headscale’s design? I would like to hear others opinions in regards to exposing this, but as far as I can think, it should not be a problem and it should not expose any additional attack surface because: - If you have API access, you can already issue pre authenticated keys - API access can already approve/register the machines, you just need the ID. I cannot remember how much metadata is associated with the registration key, I think it is at least the nodekey/machinekey, but not sure if you have enough to make it a nice UX (hostname etc). My only holdback right now is that I kind of want to explore to reimplement (#2305), so adding more to the current one is more work later, but should be ok.

adam commented

2025-12-29 02:28:12 +01:00

@github-actions[bot] commented on GitHub (Nov 18, 2025):

This issue is stale because it has been open for 90 days with no activity.

@github-actions[bot] commented on GitHub (Nov 18, 2025): This issue is stale because it has been open for 90 days with no activity.

adam referenced this issue

2025-12-29 02:32:05 +01:00

[PR #1098] [MERGED] Remove ephemeral on logout #1876

Sign in to join this conversation.

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#1087