Improve map auth logic

2025-08-14 13:51:01 +02:00 · 2025-06-05 13:56:55 +02:00 · 2025-06-05 13:56:55 +02:00 · ae30020b22
commit ae30020b22
parent b8044c29dd
1 changed files with 8 additions and 2 deletions
--- a/hscontrol/noise.go
+++ b/hscontrol/noise.go
@ -209,9 +209,8 @@ func (ns *noiseServer) NoisePollNetMapHandler(
 		return
 	}

-	ns.nodeKey = mapRequest.NodeKey
+	node, err := ns.headscale.db.GetNodeByMachineKey(ns.machineKey)

-	node, err := ns.headscale.db.GetNodeByNodeKey(mapRequest.NodeKey)
 	if err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
 			httpError(writer, NewHTTPError(http.StatusNotFound, "node not found", nil))
@ -221,6 +220,13 @@ func (ns *noiseServer) NoisePollNetMapHandler(
 		return
 	}

+	if ns.nodeKey != mapRequest.NodeKey {
+		httpError(writer, NewHTTPError(http.StatusNotFound, "node does not belong to machine key", nil))
+		return
+	}
+
+	ns.nodeKey = node.NodeKey
+
 	sess := ns.headscale.newMapSession(req.Context(), mapRequest, writer, node)
 	sess.tracef("a node sending a MapRequest with Noise protocol")
 	if !sess.isStreaming() {