date in changelog

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

.github/workflows/check-tests.yaml

@@ -32,7 +32,7 @@ jobs:
       - name: Generate and check integration tests
         if: steps.changed-files.outputs.files == 'true'
         run: |
-          nix develop --command bash -c "cd cmd/gh-action-integration-generator/ && go generate"
+          nix develop --command bash -c "cd .github/workflows && go generate"
           git diff --exit-code .github/workflows/test-integration.yaml
 
       - name: Show missing tests

.github/workflows/gh-action-integration-generator.go

@@ -1,6 +1,6 @@
 package main
 
-//go:generate go run ./main.go
+//go:generate go run ./gh-action-integration-generator.go
 
 import (
 	"bytes"
@@ -42,15 +42,19 @@ func updateYAML(tests []string) {
 	testsForYq := fmt.Sprintf("[%s]", strings.Join(tests, ", "))
 
 	yqCommand := fmt.Sprintf(
-		"yq eval '.jobs.integration-test.strategy.matrix.test = %s' ../../.github/workflows/test-integration.yaml -i",
+		"yq eval '.jobs.integration-test.strategy.matrix.test = %s' ./test-integration.yaml -i",
 		testsForYq,
 	)
 	cmd := exec.Command("bash", "-c", yqCommand)
 
-	var out bytes.Buffer
-	cmd.Stdout = &out
+	var stdout bytes.Buffer
+	var stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
 	err := cmd.Run()
 	if err != nil {
+		log.Printf("stdout: %s", stdout.String())
+		log.Printf("stderr: %s", stderr.String())
 		log.Fatalf("failed to run yq command: %s", err)
 	}
 

.github/workflows/test-integration.yaml

@@ -22,10 +22,13 @@ jobs:
           - TestACLNamedHostsCanReach
           - TestACLDevice1CanAccessDevice2
           - TestPolicyUpdateWhileRunningWithCLIInDatabase
+          - TestAuthKeyLogoutAndReloginSameUser
+          - TestAuthKeyLogoutAndReloginNewUser
           - TestOIDCAuthenticationPingAll
           - TestOIDCExpireNodesBasedOnTokenExpiry
           - TestOIDC024UserCreation
           - TestOIDCAuthenticationWithPKCE
+          - TestOIDCReloginSameNodeNewUser
           - TestAuthWebFlowAuthenticationPingAll
           - TestAuthWebFlowLogoutAndRelogin
           - TestUserCommand
@@ -50,7 +53,6 @@ jobs:
           - TestDERPServerWebsocketScenario
           - TestPingAllByIP
           - TestPingAllByIPPublicDERP
-          - TestAuthKeyLogoutAndRelogin
           - TestEphemeral
           - TestEphemeralInAlternateTimezone
           - TestEphemeral2006DeletedTooQuickly

.goreleaser.yml

@@ -82,7 +82,9 @@ nfpms:
 
 kos:
   - id: ghcr
-    repository: ghcr.io/juanfont/headscale
+    repositories:
+      - ghcr.io/juanfont/headscale
+      - headscale/headscale
 
     # bare tells KO to only use the repository
     # for tagging and naming the container.
@@ -110,31 +112,11 @@ kos:
       - '{{ trimprefix .Tag "v" }}'
       - "sha-{{ .ShortCommit }}"
 
-  - id: dockerhub
-    build: headscale
-    base_image: gcr.io/distroless/base-debian12
-    repository: headscale/headscale
-    bare: true
-    platforms:
-      - linux/amd64
-      - linux/386
-      - linux/arm64
-      - linux/arm/v7
-    tags:
-      - "{{ if not .Prerelease }}latest{{ end }}"
-      - "{{ if not .Prerelease }}{{ .Major }}.{{ .Minor }}.{{ .Patch }}{{ end }}"
-      - "{{ if not .Prerelease }}{{ .Major }}.{{ .Minor }}{{ end }}"
-      - "{{ if not .Prerelease }}{{ .Major }}{{ end }}"
-      - "{{ if not .Prerelease }}v{{ .Major }}.{{ .Minor }}.{{ .Patch }}{{ end }}"
-      - "{{ if not .Prerelease }}v{{ .Major }}.{{ .Minor }}{{ end }}"
-      - "{{ if not .Prerelease }}v{{ .Major }}{{ end }}"
-      - "{{ if not .Prerelease }}stable{{ else }}unstable{{ end }}"
-      - "{{ .Tag }}"
-      - '{{ trimprefix .Tag "v" }}'
-      - "sha-{{ .ShortCommit }}"
-
   - id: ghcr-debug
-    repository: ghcr.io/juanfont/headscale
+    repositories:
+      - ghcr.io/juanfont/headscale
+      - headscale/headscale
+
     bare: true
     base_image: gcr.io/distroless/base-debian12:debug
     build: headscale
@@ -159,29 +141,6 @@ kos:
       - '{{ trimprefix .Tag "v" }}-debug'
       - "sha-{{ .ShortCommit }}-debug"
 
-  - id: dockerhub-debug
-    build: headscale
-    base_image: gcr.io/distroless/base-debian12:debug
-    repository: headscale/headscale
-    bare: true
-    platforms:
-      - linux/amd64
-      - linux/386
-      - linux/arm64
-      - linux/arm/v7
-    tags:
-      - "{{ if not .Prerelease }}latest-debug{{ end }}"
-      - "{{ if not .Prerelease }}{{ .Major }}.{{ .Minor }}.{{ .Patch }}-debug{{ end }}"
-      - "{{ if not .Prerelease }}{{ .Major }}.{{ .Minor }}-debug{{ end }}"
-      - "{{ if not .Prerelease }}{{ .Major }}-debug{{ end }}"
-      - "{{ if not .Prerelease }}v{{ .Major }}.{{ .Minor }}.{{ .Patch }}-debug{{ end }}"
-      - "{{ if not .Prerelease }}v{{ .Major }}.{{ .Minor }}-debug{{ end }}"
-      - "{{ if not .Prerelease }}v{{ .Major }}-debug{{ end }}"
-      - "{{ if not .Prerelease }}stable-debug{{ else }}unstable-debug{{ end }}"
-      - "{{ .Tag }}-debug"
-      - '{{ trimprefix .Tag "v" }}-debug'
-      - "sha-{{ .ShortCommit }}-debug"
-
 checksum:
   name_template: "checksums.txt"
 snapshot:

CHANGELOG.md

@@ -1,5 +1,52 @@
 # CHANGELOG
 
+## Next
+
+
+## 0.25.0 (2025-02-11)
+
+### BREAKING
+
+- Authentication flow has been rewritten
+  [#2374](https://github.com/juanfont/headscale/pull/2374) This change should be
+  transparent to users with the exception of some buxfixes that has been
+  discovered and was fixed as part of the rewrite.
+  - When a node is registered with _a new user_, it will be registered as a new
+    node ([#2327](https://github.com/juanfont/headscale/issues/2327) and
+    [#1310](https://github.com/juanfont/headscale/issues/1310)).
+  - A logged out node logging in with the same user will replace the existing
+    node.
+- Remove support for Tailscale clients older than 1.62 (Capability version 87)
+      [#2405](https://github.com/juanfont/headscale/pull/2405)
+
+### Changes
+
+- `oidc.map_legacy_users` is now `false` by default
+  [#2350](https://github.com/juanfont/headscale/pull/2350)
+- Print Tailscale version instead of capability versions for outdated nodes
+  [#2391](https://github.com/juanfont/headscale/pull/2391)
+- Do not allow renaming of users from OIDC
+  [#2393](https://github.com/juanfont/headscale/pull/2393)
+- Change minimum hostname length to 2
+  [#2393](https://github.com/juanfont/headscale/pull/2393)
+- Fix migration error caused by nodes having invalid auth keys
+  [#2412](https://github.com/juanfont/headscale/pull/2412)
+- Pre auth keys belonging to a user are no longer deleted with the user
+  [#2396](https://github.com/juanfont/headscale/pull/2396)
+- Pre auth keys that are used by a node can no longer be deleted
+  [#2396](https://github.com/juanfont/headscale/pull/2396)
+- Rehaul HTTP errors, return better status code and errors to users
+  [#2398](https://github.com/juanfont/headscale/pull/2398)
+
+## 0.24.3 (2025-02-07)
+
+### Changes
+- Fix migration error caused by nodes having invalid auth keys
+  [#2412](https://github.com/juanfont/headscale/pull/2412)
+- Pre auth keys belonging to a user are no longer deleted with the user
+  [#2396](https://github.com/juanfont/headscale/pull/2396)
+- Pre auth keys that are used by a node can no longer be deleted
+  [#2396](https://github.com/juanfont/headscale/pull/2396)
 
 ## 0.24.2 (2025-01-30)
 
@@ -18,8 +65,8 @@
   [#2367](https://github.com/juanfont/headscale/pull/2367)
 - Relax username validation to allow emails
   [#2364](https://github.com/juanfont/headscale/pull/2364)
-- Remove invalid routes and add stronger constraints for routes to avoid API panic
-  [#2371](https://github.com/juanfont/headscale/pull/2371)
+- Remove invalid routes and add stronger constraints for routes to avoid API
+  panic [#2371](https://github.com/juanfont/headscale/pull/2371)
 - Fix panic when `derp.update_frequency` is 0
   [#2368](https://github.com/juanfont/headscale/pull/2368)
 
@@ -54,8 +101,7 @@ and have it populate to Headscale automatically the next time they log in.
 However, this may affect the way you reference users in policies.
 
 Headscale v0.23.0 and earlier never recorded the `iss` and `sub` fields, so all
-legacy (existing) OIDC accounts _need to be migrated_ to be properly
-secured.
+legacy (existing) OIDC accounts _need to be migrated_ to be properly secured.
 
 #### What do I need to do to migrate?
 
@@ -67,8 +113,8 @@ The migration will mostly be done automatically, with one exception. If your
 OIDC does not provide an `email_verified` claim, Headscale will ignore the
 `email`. This means that either the administrator will have to mark the user
 emails as verified, or ensure the users verify their emails. Any unverified
-emails will be ignored, meaning that the users will get new accounts instead
-of being migrated.
+emails will be ignored, meaning that the users will get new accounts instead of
+being migrated.
 
 After this exception is ensured, make all users log into Headscale with their
 account, and Headscale will automatically update the account record. This will
@@ -169,7 +215,8 @@ This will also affect the way you
 - User gRPC/API [#2261](https://github.com/juanfont/headscale/pull/2261):
   - If you depend on a Headscale Web UI, you should wait with this update until
     the UI have been updated to match the new API.
-  - `GET /api/v1/user/{name}` and `GetUser` have been removed in favour of `ListUsers` with an ID parameter
+  - `GET /api/v1/user/{name}` and `GetUser` have been removed in favour of
+    `ListUsers` with an ID parameter
   - `RenameUser` and `DeleteUser` now require an ID instead of a name.
 
 ### Changes
@@ -191,9 +238,12 @@ This will also affect the way you
 - CLI for managing users now accepts `--identifier` in addition to `--name`,
   usage of `--identifier` is recommended
   [#2261](https://github.com/juanfont/headscale/pull/2261)
-- Add `dns.extra_records_path` configuration option [#2262](https://github.com/juanfont/headscale/issues/2262)
-- Support client verify for DERP [#2046](https://github.com/juanfont/headscale/pull/2046)
-- Add PKCE Verifier for OIDC [#2314](https://github.com/juanfont/headscale/pull/2314)
+- Add `dns.extra_records_path` configuration option
+  [#2262](https://github.com/juanfont/headscale/issues/2262)
+- Support client verify for DERP
+  [#2046](https://github.com/juanfont/headscale/pull/2046)
+- Add PKCE Verifier for OIDC
+  [#2314](https://github.com/juanfont/headscale/pull/2314)
 
 ## 0.23.0 (2024-09-18)
 
@@ -369,7 +419,7 @@ part of adopting [#1460](https://github.com/juanfont/headscale/pull/1460).
   [#1391](https://github.com/juanfont/headscale/pull/1391)
 - Improvements on Noise implementation
   [#1379](https://github.com/juanfont/headscale/pull/1379)
-- Replace node filter logic, ensuring nodes with access can see eachother
+- Replace node filter logic, ensuring nodes with access can see each other
   [#1381](https://github.com/juanfont/headscale/pull/1381)
 - Disable (or delete) both exit routes at the same time
   [#1428](https://github.com/juanfont/headscale/pull/1428)
@@ -724,8 +774,8 @@ behaviour.
   - All machines can communicate with all machines by default
   - Tags should now work correctly and adding a host to Headscale should now
     reload the rules.
-  - The documentation have a [fictional example](./docs/ref/acls.md) that should cover
-    some use cases of the ACLs features
+  - The documentation have a [fictional example](./docs/ref/acls.md) that should
+    cover some use cases of the ACLs features
 
 ### Features
 
@@ -743,7 +793,8 @@ behaviour.
 
 - Add IPv6 support to the prefix assigned to namespaces
 - Add API Key support
-  - Enable remote control of `headscale` via CLI [docs](./docs/ref/remote-cli.md)
+  - Enable remote control of `headscale` via CLI
+    [docs](./docs/ref/remote-cli.md)
   - Enable HTTP API (beta, subject to change)
 - OpenID Connect users will be mapped per namespaces
   - Each user will get its own namespace, created if it does not exist

README.md

@@ -32,12 +32,12 @@ organisation.
 
 ## Design goal
 
-Headscale aims to implement a self-hosted, open source alternative to the Tailscale
-control server.
-Headscale's goal is to provide self-hosters and hobbyists with an open-source
-server they can use for their projects and labs.
-It implements a narrow scope, a single Tailnet, suitable for a personal use, or a small
-open-source organisation.
+Headscale aims to implement a self-hosted, open source alternative to the
+[Tailscale](https://tailscale.com/) control server. Headscale's goal is to
+provide self-hosters and hobbyists with an open-source server they can use for
+their projects and labs. It implements a narrow scope, a _single_ Tailscale
+network (tailnet), suitable for a personal use, or a small open-source
+organisation.
 
 ## Supporting Headscale
 

cmd/headscale/cli/debug.go

@@ -4,10 +4,10 @@ import (
 	"fmt"
 
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
-	"tailscale.com/types/key"
 )
 
 const (
@@ -79,7 +79,7 @@ var createNodeCmd = &cobra.Command{
 			)
 		}
 
-		machineKey, err := cmd.Flags().GetString("key")
+		registrationID, err := cmd.Flags().GetString("key")
 		if err != nil {
 			ErrorOutput(
 				err,
@@ -88,8 +88,7 @@ var createNodeCmd = &cobra.Command{
 			)
 		}
 
-		var mkey key.MachinePublic
-		err = mkey.UnmarshalText([]byte(machineKey))
+		_, err = types.RegistrationIDFromString(registrationID)
 		if err != nil {
 			ErrorOutput(
 				err,
@@ -108,7 +107,7 @@ var createNodeCmd = &cobra.Command{
 		}
 
 		request := &v1.DebugCreateNodeRequest{
-			Key:    machineKey,
+			Key:    registrationID,
 			Name:   name,
 			User:   user,
 			Routes: routes,

cmd/headscale/cli/nodes.go

@@ -122,7 +122,7 @@ var registerNodeCmd = &cobra.Command{
 		defer cancel()
 		defer conn.Close()
 
-		machineKey, err := cmd.Flags().GetString("key")
+		registrationID, err := cmd.Flags().GetString("key")
 		if err != nil {
 			ErrorOutput(
 				err,
@@ -132,7 +132,7 @@ var registerNodeCmd = &cobra.Command{
 		}
 
 		request := &v1.RegisterNodeRequest{
-			Key:  machineKey,
+			Key:  registrationID,
 			User: user,
 		}
 

config-example.yaml

@@ -384,10 +384,10 @@ unix_socket_permission: "0770"
 #   # Note that this will only work if the username from the legacy user is the same
 #   # and there is a possibility for account takeover should a username have changed
 #   # with the provider.
-#   # Disabling this feature will cause all new logins to be created as new users.
+#   # When this feature is disabled, it will cause all new logins to be created as new users.
 #   # Note this option will be removed in the future and should be set to false
 #   # on all new installations, or when all users have logged in with OIDC once.
-#   map_legacy_users: true
+#   map_legacy_users: false
 
 # Logtail configuration
 # Logtail is Tailscales logging and auditing infrastructure, it allows the control panel

docs/about/clients.md

@@ -10,7 +10,7 @@ headscale.
 | OpenBSD | Yes                                                                                                   |
 | FreeBSD | Yes                                                                                                   |
 | Windows | Yes (see [docs](../usage/connect/windows.md) and `/windows` on your headscale for more information)   |
-| Android | Yes (see [docs](../usage/connect/android.md))                                                         |
+| Android | Yes (see [docs](../usage/connect/android.md) for more information)                                    |
 | macOS   | Yes (see [docs](../usage/connect/apple.md#macos) and `/apple` on your headscale for more information) |
 | iOS     | Yes (see [docs](../usage/connect/apple.md#ios) and `/apple` on your headscale for more information)   |
 | tvOS    | Yes (see [docs](../usage/connect/apple.md#tvos) and `/apple` on your headscale for more information)  |

docs/about/faq.md

@@ -2,12 +2,12 @@
 
 ## What is the design goal of headscale?
 
-Headscale aims to implement a self-hosted, open source alternative to the [Tailscale](https://tailscale.com/)
-control server.
-Headscale's goal is to provide self-hosters and hobbyists with an open-source
-server they can use for their projects and labs.
-It implements a narrow scope, a _single_ Tailnet, suitable for a personal use, or a small
-open-source organisation.
+Headscale aims to implement a self-hosted, open source alternative to the
+[Tailscale](https://tailscale.com/) control server. Headscale's goal is to
+provide self-hosters and hobbyists with an open-source server they can use for
+their projects and labs. It implements a narrow scope, a _single_ Tailscale
+network (tailnet), suitable for a personal use, or a small open-source
+organisation.
 
 ## How can I contribute?
 

docs/about/features.md

@@ -25,7 +25,7 @@ provides on overview of headscale's feature and compatibility with the Tailscale
     - [ ] `autogroup:member`
 * [ ] Node registration using Single-Sign-On (OpenID Connect) ([GitHub label "OIDC"](https://github.com/juanfont/headscale/labels/OIDC))
     - [x] Basic registration
-    - [ ] Update user profile from identity provider
+    - [x] Update user profile from identity provider
     - [ ] Dynamic ACL support
     - [ ] OIDC groups cannot be used in ACLs
 - [ ] [Funnel](https://tailscale.com/kb/1223/funnel) ([#1040](https://github.com/juanfont/headscale/issues/1040))

docs/index.md

@@ -14,12 +14,12 @@ Join our [Discord server](https://discord.gg/c84AZQhmpx) for a chat and communit
 
 ## Design goal
 
-Headscale aims to implement a self-hosted, open source alternative to the Tailscale
-control server.
-Headscale's goal is to provide self-hosters and hobbyists with an open-source
-server they can use for their projects and labs.
-It implements a narrower scope, a single Tailnet, suitable for a personal use, or a small
-open-source organisation.
+Headscale aims to implement a self-hosted, open source alternative to the
+[Tailscale](https://tailscale.com/) control server. Headscale's goal is to
+provide self-hosters and hobbyists with an open-source server they can use for
+their projects and labs. It implements a narrow scope, a _single_ Tailscale
+network (tailnet), suitable for a personal use, or a small open-source
+organisation.
 
 ## Supporting headscale
 

docs/setup/install/community.md

@@ -4,7 +4,7 @@ Several Linux distributions and community members provide packages for headscale
 the [official releases](./official.md) provided by the headscale maintainers. Such packages offer improved integration
 for their targeted operating system and usually:
 
-- setup a dedicated user account to run headscale
+- setup a dedicated local user account to run headscale
 - provide a default configuration
 - install headscale as system service
 

docs/setup/install/container.md

@@ -89,7 +89,7 @@ not work with alternatives like [Podman](https://podman.io). The Docker image ca
     curl http://127.0.0.1:9090/metrics
     ```
 
-1.  Create a user ([tailnet](https://tailscale.com/kb/1136/tailnet/)):
+1.  Create a headscale user:
 
     ```shell
     docker exec -it headscale \

docs/setup/install/official.md

@@ -6,8 +6,8 @@ Both are available on the [GitHub releases page](https://github.com/juanfont/hea
 ## Using packages for Debian/Ubuntu (recommended)
 
 It is recommended to use our DEB packages to install headscale on a Debian based system as those packages configure a
-user to run headscale, provide a default configuration and ship with a systemd service file. Supported distributions are
-Ubuntu 20.04 or newer, Debian 11 or newer.
+local user to run headscale, provide a default configuration and ship with a systemd service file. Supported
+distributions are Ubuntu 20.04 or newer, Debian 11 or newer.
 
 1.  Download the [latest headscale package](https://github.com/juanfont/headscale/releases/latest) for your platform (`.deb` for Ubuntu and Debian).
 
@@ -46,13 +46,13 @@ Ubuntu 20.04 or newer, Debian 11 or newer.
 
 !!! warning "Advanced"
 
-    This installation method is considered advanced as one needs to take care of the headscale user and the systemd
+    This installation method is considered advanced as one needs to take care of the local user and the systemd
     service themselves. If possible, use the [DEB packages](#using-packages-for-debianubuntu-recommended) or a
     [community package](./community.md) instead.
 
 This section describes the installation of headscale according to the [Requirements and
-assumptions](../requirements.md#assumptions). Headscale is run by a dedicated user and the service itself is managed by
-systemd.
+assumptions](../requirements.md#assumptions). Headscale is run by a dedicated local user and the service itself is
+managed by systemd.
 
 1.  Download the latest [`headscale` binary from GitHub's release page](https://github.com/juanfont/headscale/releases):
 
@@ -67,7 +67,7 @@ systemd.
     sudo chmod +x /usr/local/bin/headscale
     ```
 
-1.  Add a dedicated user to run headscale:
+1.  Add a dedicated local user to run headscale:
 
     ```shell
     sudo useradd \

docs/setup/requirements.md

@@ -6,14 +6,14 @@ Headscale should just work as long as the following requirements are met:
   recommended.
 - Headscale is served via HTTPS on port 443[^1].
 - A reasonably modern Linux or BSD based operating system.
-- A dedicated user account to run headscale.
+- A dedicated local user account to run headscale.
 - A little bit of command line knowledge to configure and operate headscale.
 
 ## Assumptions
 
 The headscale documentation and the provided examples are written with a few assumptions in mind:
 
-- Headscale is running as system service via a dedicated user `headscale`.
+- Headscale is running as system service via a dedicated local user `headscale`.
 - The [configuration](../ref/configuration.md) is loaded from `/etc/headscale/config.yaml`.
 - SQLite is used as database.
 - The data directory for headscale (used for private keys, ACLs, SQLite database, …) is located in `/var/lib/headscale`.

docs/usage/getting-started.md

@@ -41,13 +41,14 @@ options, run:
       headscale <COMMAND> --help
     ```
 
-## Manage users
+## Manage headscale users
 
-In headscale, a node (also known as machine or device) is always assigned to a specific user, a
-[tailnet](https://tailscale.com/kb/1136/tailnet/). Such users can be managed with the `headscale users` command. Invoke
-the built-in help for more information: `headscale users --help`.
+In headscale, a node (also known as machine or device) is always assigned to a
+headscale user. Such a headscale user may have many nodes assigned to them and
+can be managed with the `headscale users` command. Invoke the built-in help for
+more information: `headscale users --help`.
 
-### Create a user
+### Create a headscale user
 
 === "Native"
 
@@ -62,7 +63,7 @@ the built-in help for more information: `headscale users --help`.
       headscale users create <USER>
     ```
 
-### List existing users
+### List existing headscale users
 
 === "Native"
 

flake.lock

@@ -20,11 +20,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1736420959,
-        "narHash": "sha256-dMGNa5UwdtowEqQac+Dr0d2tFO/60ckVgdhZU9q2E2o=",
+        "lastModified": 1738297584,
+        "narHash": "sha256-AYvaFBzt8dU0fcSK2jKD0Vg23K2eIRxfsVXIPCW9a0E=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "32af3611f6f05655ca166a0b1f47b57c762b5192",
+        "rev": "9189ac18287c599860e878e905da550aa6dec1cd",
         "type": "github"
       },
       "original": {

flake.nix

@@ -32,7 +32,7 @@
 
           # When updating go.mod or go.sum, a new sha will need to be calculated,
           # update this if you have a mismatch after doing a change to those files.
-          vendorHash = "sha256-SBfeixT8DQOrK2SWmHHSOBtzRdSZs+pwomHpw6Jd+qc=";
+          vendorHash = "sha256-ZQj2A0GdLhHc7JLW7qgpGBveXXNWg9ueSG47OZQQXEw=";
 
           subPackages = ["cmd/headscale"];
 

go.mod

@@ -37,10 +37,10 @@ require (
 	github.com/tailscale/tailsql v0.0.0-20241211062219-bf96884c6a49
 	github.com/tcnksm/go-latest v0.0.0-20170313132115-e3007ae9052e
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-	golang.org/x/crypto v0.31.0
-	golang.org/x/exp v0.0.0-20241215155358-4a5509556b9e
-	golang.org/x/net v0.32.0
-	golang.org/x/oauth2 v0.24.0
+	golang.org/x/crypto v0.32.0
+	golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8
+	golang.org/x/net v0.34.0
+	golang.org/x/oauth2 v0.25.0
 	golang.org/x/sync v0.10.0
 	google.golang.org/genproto/googleapis/api v0.0.0-20241216192217-9240e9c98484
 	google.golang.org/grpc v1.69.0
@@ -49,7 +49,7 @@ require (
 	gopkg.in/yaml.v3 v3.0.1
 	gorm.io/driver/postgres v1.5.11
 	gorm.io/gorm v1.25.12
-	tailscale.com v1.79.0-pre
+	tailscale.com v1.80.0
 	zgo.at/zcache/v2 v2.1.0
 	zombiezen.com/go/postgrestest v1.0.1
 )
@@ -75,7 +75,7 @@ require (
 	modernc.org/libc v1.55.3 // indirect
 	modernc.org/mathutil v1.6.0 // indirect
 	modernc.org/memory v1.8.0 // indirect
-	modernc.org/sqlite v1.33.1 // indirect
+	modernc.org/sqlite v1.34.5 // indirect
 )
 
 require (
@@ -112,18 +112,18 @@ require (
 	github.com/creachadair/mds v0.20.0 // indirect
 	github.com/dblohm7/wingoes v0.0.0-20240123200102-b75a8a7d7eb0 // indirect
 	github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e // indirect
-	github.com/docker/cli v27.4.0+incompatible // indirect
-	github.com/docker/docker v27.4.0+incompatible // indirect
+	github.com/docker/cli v27.4.1+incompatible // indirect
+	github.com/docker/docker v27.4.1+incompatible // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/felixge/fgprof v0.9.5 // indirect
-	github.com/fxamacker/cbor/v2 v2.6.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/gaissmai/bart v0.11.1 // indirect
 	github.com/glebarez/go-sqlite v1.22.0 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
 	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
-	github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0 // indirect
+	github.com/go-json-experiment/json v0.0.0-20250103232110-6a9a0fde9288 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-viper/mapstructure/v2 v2.2.1 // indirect
 	github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 // indirect
@@ -139,7 +139,7 @@ require (
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/gookit/color v1.5.4 // indirect
-	github.com/gorilla/csrf v1.7.2 // indirect
+	github.com/gorilla/csrf v1.7.3-0.20250123201450-9dd6af1f6d30 // indirect
 	github.com/gorilla/securecookie v1.1.2 // indirect
 	github.com/hashicorp/go-version v1.7.0 // indirect
 	github.com/hdevalence/ed25519consensus v0.2.0 // indirect
@@ -153,7 +153,6 @@ require (
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86 // indirect
 	github.com/jsimonetti/rtnetlink v1.4.1 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a // indirect
@@ -165,7 +164,7 @@ require (
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/mdlayher/genetlink v1.3.2 // indirect
-	github.com/mdlayher/netlink v1.7.2 // indirect
+	github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 // indirect
 	github.com/mdlayher/sdnotify v1.0.0 // indirect
 	github.com/mdlayher/socket v0.5.0 // indirect
 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
@@ -203,13 +202,12 @@ require (
 	github.com/tailscale/golang-x-crypto v0.0.0-20240604161659-3fde5e568aa4 // indirect
 	github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05 // indirect
 	github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7 // indirect
-	github.com/tailscale/peercred v0.0.0-20240214030740-b535050b2aa4 // indirect
+	github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc // indirect
 	github.com/tailscale/setec v0.0.0-20240930150730-e6eb93658ed3 // indirect
 	github.com/tailscale/squibble v0.0.0-20240909231413-32a80b9743f7 // indirect
-	github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1 // indirect
-	github.com/tailscale/wireguard-go v0.0.0-20241113014420-4e883d38c8d3 // indirect
-	github.com/tcnksm/go-httpstat v0.2.0 // indirect
-	github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e // indirect
+	github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 // indirect
+	github.com/tailscale/wireguard-go v0.0.0-20250107165329-0b8b35511f19 // indirect
+	github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 // indirect
 	github.com/vishvananda/netns v0.0.4 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
@@ -217,13 +215,13 @@ require (
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	go4.org/mem v0.0.0-20220726221520-4f986261bf13 // indirect
+	go4.org/mem v0.0.0-20240501181205-ae6ca9944745 // indirect
 	golang.org/x/mod v0.22.0 // indirect
-	golang.org/x/sys v0.28.0 // indirect
-	golang.org/x/term v0.27.0 // indirect
+	golang.org/x/sys v0.29.1-0.20250107080300-1c14dcadc3ab // indirect
+	golang.org/x/term v0.28.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
-	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.28.0 // indirect
+	golang.org/x/time v0.9.0 // indirect
+	golang.org/x/tools v0.29.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20241216192217-9240e9c98484 // indirect

go.sum

@@ -134,10 +134,10 @@ github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e h1:vUmf0yez
 github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e/go.mod h1:YTIHhz/QFSYnu/EhlF2SpU2Uk+32abacUYA5ZPljz1A=
 github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
 github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
-github.com/docker/cli v27.4.0+incompatible h1:/nJzWkcI1MDMN+U+px/YXnQWJqnu4J+QKGTfD6ptiTc=
-github.com/docker/cli v27.4.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/docker v27.4.0+incompatible h1:I9z7sQ5qyzO0BfAb9IMOawRkAGxhYsidKiTMcm0DU+A=
-github.com/docker/docker v27.4.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/cli v27.4.1+incompatible h1:VzPiUlRJ/xh+otB75gva3r05isHMo5wXDfPRi5/b4hI=
+github.com/docker/cli v27.4.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/docker v27.4.1+incompatible h1:ZJvcY7gfwHn1JF48PfbyXg7Jyt9ZCWDW+GGXOIxEwp4=
+github.com/docker/docker v27.4.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
 github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
@@ -157,8 +157,8 @@ github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHk
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
 github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
-github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA=
-github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
+github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
+github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/gaissmai/bart v0.11.1 h1:5Uv5XwsaFBRo4E5VBcb9TzY8B7zxFf+U7isDxqOrRfc=
 github.com/gaissmai/bart v0.11.1/go.mod h1:KHeYECXQiBjTzQz/om2tqn3sZF1J7hw9m6z41ftj3fg=
 github.com/github/fakeca v0.1.0 h1:Km/MVOFvclqxPM9dZBC4+QE564nU4gz4iZ0D9pMw28I=
@@ -173,8 +173,8 @@ github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7
 github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
 github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk=
 github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
-github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0 h1:ymLjT4f35nQbASLnvxEde4XOBL+Sn7rFuV+FOJqkljg=
-github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0/go.mod h1:6daplAwHHGbUGib4990V3Il26O0OC4aRyvewaaAihaA=
+github.com/go-json-experiment/json v0.0.0-20250103232110-6a9a0fde9288 h1:KbX3Z3CgiYlbaavUq3Cj9/MjpO+88S7/AGXzynVDv84=
+github.com/go-json-experiment/json v0.0.0-20250103232110-6a9a0fde9288/go.mod h1:BWmvoE1Xia34f3l/ibJweyhrT+aROb/FQ6d+37F0e2s=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
@@ -236,8 +236,8 @@ github.com/gookit/color v1.4.2/go.mod h1:fqRyamkC1W8uxl+lxCQxOT09l/vYfZ+QeiX3rKQ
 github.com/gookit/color v1.5.0/go.mod h1:43aQb+Zerm/BWh2GnrgOQm7ffz7tvQXEKV6BFMl7wAo=
 github.com/gookit/color v1.5.4 h1:FZmqs7XOyGgCAxmWyPslpiok1k05wmY3SJTytgvYFs0=
 github.com/gookit/color v1.5.4/go.mod h1:pZJOeOS8DM43rXbp4AZo1n9zCU2qjpcRko0b6/QJi9w=
-github.com/gorilla/csrf v1.7.2 h1:oTUjx0vyf2T+wkrx09Trsev1TE+/EbDAeHtSTbtC2eI=
-github.com/gorilla/csrf v1.7.2/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
+github.com/gorilla/csrf v1.7.3-0.20250123201450-9dd6af1f6d30 h1:fiJdrgVBkjZ5B1HJ2WQwNOaXB+QyYcNXTA3t1XYLz0M=
+github.com/gorilla/csrf v1.7.3-0.20250123201450-9dd6af1f6d30/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
@@ -248,8 +248,6 @@ github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0 h1:TmHmbvxPmaegwhDubVz0lICL0J5
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0/go.mod h1:qztMSjm835F2bXf+5HKAPIS5qsmQDqZna/PgVt4rWtI=
 github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY=
 github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
-github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
-github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/hdevalence/ed25519consensus v0.2.0 h1:37ICyZqdyj0lAZ8P4D1d1id3HqbbG1N3iBb1Tb4rdcU=
 github.com/hdevalence/ed25519consensus v0.2.0/go.mod h1:w3BHWjwJbFU29IRHL1Iqkw3sus+7FctEyM4RqDxYNzo=
 github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec h1:qv2VnGeEQHchGaZ/u7lxST/RaJw+cv273q79D81Xbog=
@@ -283,9 +281,6 @@ github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHW
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
-github.com/josharian/native v1.0.1-0.20221213033349-c1e37c09b531/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
-github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86 h1:elKwZS1OcdQ0WwEDBeqxKwb7WB62QX8bvZ/FJnVXIfk=
-github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86/go.mod h1:aFAMtuldEgx/4q7iSGazk22+IcgvtiC+HIimFO9XlS8=
 github.com/jsimonetti/rtnetlink v1.4.1 h1:JfD4jthWBqZMEffc5RjgmlzpYttAVw1sdnmiNaPO3hE=
 github.com/jsimonetti/rtnetlink v1.4.1/go.mod h1:xJjT7t59UIZ62GLZbv6PLLo8VFrostJMPBAheR6OM8w=
 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs=
@@ -334,8 +329,8 @@ github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6T
 github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy56gw=
 github.com/mdlayher/genetlink v1.3.2/go.mod h1:tcC3pkCrPUGIKKsCsp0B3AdaaKuHtaxoJRz3cc+528o=
-github.com/mdlayher/netlink v1.7.2 h1:/UtM3ofJap7Vl4QWCPDGXY8d3GIY2UGSDbK+QWmY8/g=
-github.com/mdlayher/netlink v1.7.2/go.mod h1:xraEF7uJbxLhc5fpHL4cPe221LI2bdttWlU+ZGLfQSw=
+github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42 h1:A1Cq6Ysb0GM0tpKMbdCXCIfBclan4oHk1Jb+Hrejirg=
+github.com/mdlayher/netlink v1.7.3-0.20250113171957-fbb4dce95f42/go.mod h1:BB4YCPDOzfy7FniQ/lxuYQ3dgmM2cZumHbK8RpTjN2o=
 github.com/mdlayher/sdnotify v1.0.0 h1:Ma9XeLVN/l0qpyx1tNeMSeTjCPH6NtuD6/N9XdTlQ3c=
 github.com/mdlayher/sdnotify v1.0.0/go.mod h1:HQUmpM4XgYkhDLtd+Uad8ZFK1T9D5+pNxnXQjCeJlGE=
 github.com/mdlayher/socket v0.5.0 h1:ilICZmJcQz70vrWVes1MFera4jGiWNocSkykwwoy3XI=
@@ -378,7 +373,6 @@ github.com/petermattis/goid v0.0.0-20241211131331-93ee7e083c43 h1:ah1dvbqPMN5+oc
 github.com/petermattis/goid v0.0.0-20241211131331-93ee7e083c43/go.mod h1:pxMtw7cyUw6B2bRH0ZBANSPg+AoSud1I1iyJHI69jH4=
 github.com/philip-bui/grpc-zerolog v1.0.1 h1:EMacvLRUd2O1K0eWod27ZP5CY1iTNkhBDLSN+Q4JEvA=
 github.com/philip-bui/grpc-zerolog v1.0.1/go.mod h1:qXbiq/2X4ZUMMshsqlWyTHOcw7ns+GZmlqZZN05ZHcQ=
-github.com/pierrec/lz4/v4 v4.1.14/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pierrec/lz4/v4 v4.1.21 h1:yOVMLb6qSIDP67pl/5F7RepeKYu/VmTyEXvuMI5d9mQ=
 github.com/pierrec/lz4/v4 v4.1.21/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
@@ -435,8 +429,8 @@ github.com/samber/lo v1.47.0/go.mod h1:RmDH9Ct32Qy3gduHQuKJ3gW1fMHAnE/fAzQuf6He5
 github.com/sasha-s/go-deadlock v0.3.5 h1:tNCOEEDG6tBqrNDOX35j/7hL5FcFViG6awUGROb2NsU=
 github.com/sasha-s/go-deadlock v0.3.5/go.mod h1:bugP6EGbdGYObIlx7pUZtWqlvo8k9H6vCBBsiChJQ5U=
 github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
-github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
-github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
+github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
+github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
@@ -480,34 +474,32 @@ github.com/tailscale/hujson v0.0.0-20241010212012-29efb4a0184b h1:MNaGusDfB1qxEs
 github.com/tailscale/hujson v0.0.0-20241010212012-29efb4a0184b/go.mod h1:EbW0wDK/qEUYI0A5bqq0C2kF8JTQwWONmGDBbzsxxHo=
 github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7 h1:uFsXVBE9Qr4ZoF094vE6iYTLDl0qCiKzYXlL6UeWObU=
 github.com/tailscale/netlink v1.1.1-0.20240822203006-4d49adab4de7/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
-github.com/tailscale/peercred v0.0.0-20240214030740-b535050b2aa4 h1:Gz0rz40FvFVLTBk/K8UNAenb36EbDSnh+q7Z9ldcC8w=
-github.com/tailscale/peercred v0.0.0-20240214030740-b535050b2aa4/go.mod h1:phI29ccmHQBc+wvroosENp1IF9195449VDnFDhJ4rJU=
+github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc h1:24heQPtnFR+yfntqhI3oAu9i27nEojcQ4NuBQOo5ZFA=
+github.com/tailscale/peercred v0.0.0-20250107143737-35a0c7bd7edc/go.mod h1:f93CXfllFsO9ZQVq+Zocb1Gp4G5Fz0b0rXHLOzt/Djc=
 github.com/tailscale/setec v0.0.0-20240930150730-e6eb93658ed3 h1:Zk341hE1rcVUcDwA9XKmed2acHGGlbeFQzje6gvkuFo=
 github.com/tailscale/setec v0.0.0-20240930150730-e6eb93658ed3/go.mod h1:nexjfRM8veJVJ5PTbqYI2YrUj/jbk3deffEHO3DH9Q4=
 github.com/tailscale/squibble v0.0.0-20240909231413-32a80b9743f7 h1:nfklwaP8uNz2IbUygSKOQ1aDzzRRRLaIbPpnQWUUMGc=
 github.com/tailscale/squibble v0.0.0-20240909231413-32a80b9743f7/go.mod h1:YH/J7n7jNZOq10nTxxPANv2ha/Eg47/6J5b7NnOYAhQ=
 github.com/tailscale/tailsql v0.0.0-20241211062219-bf96884c6a49 h1:QFXXdoiYFiUS7a6DH7zE6Uacz3wMzH/1/VvWLnR9To4=
 github.com/tailscale/tailsql v0.0.0-20241211062219-bf96884c6a49/go.mod h1:IX3F8T6iILmg94hZGkkOf6rmjIHJCXNVqxOpiSUwHQQ=
-github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1 h1:tdUdyPqJ0C97SJfjB9tW6EylTtreyee9C44de+UBG0g=
-github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
+github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 h1:UBPHPtv8+nEAy2PD8RyAhOYvau1ek0HDJqLS/Pysi14=
+github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
 github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6 h1:l10Gi6w9jxvinoiq15g8OToDdASBni4CyJOdHY1Hr8M=
 github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6/go.mod h1:ZXRML051h7o4OcI0d3AaILDIad/Xw0IkXaHM17dic1Y=
-github.com/tailscale/wireguard-go v0.0.0-20241113014420-4e883d38c8d3 h1:dmoPb3dG27tZgMtrvqfD/LW4w7gA6BSWl8prCPNmkCQ=
-github.com/tailscale/wireguard-go v0.0.0-20241113014420-4e883d38c8d3/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
+github.com/tailscale/wireguard-go v0.0.0-20250107165329-0b8b35511f19 h1:BcEJP2ewTIK2ZCsqgl6YGpuO6+oKqqag5HHb7ehljKw=
+github.com/tailscale/wireguard-go v0.0.0-20250107165329-0b8b35511f19/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
 github.com/tailscale/xnet v0.0.0-20240729143630-8497ac4dab2e h1:zOGKqN5D5hHhiYUp091JqK7DPCqSARyUfduhGUY8Bek=
 github.com/tailscale/xnet v0.0.0-20240729143630-8497ac4dab2e/go.mod h1:orPd6JZXXRyuDusYilywte7k094d7dycXXU5YnWsrwg=
 github.com/tc-hib/winres v0.2.1 h1:YDE0FiP0VmtRaDn7+aaChp1KiF4owBiJa5l964l5ujA=
 github.com/tc-hib/winres v0.2.1/go.mod h1:C/JaNhH3KBvhNKVbvdlDWkbMDO9H4fKKDaN7/07SSuk=
-github.com/tcnksm/go-httpstat v0.2.0 h1:rP7T5e5U2HfmOBmZzGgGZjBQ5/GluWUylujl0tJ04I0=
-github.com/tcnksm/go-httpstat v0.2.0/go.mod h1:s3JVJFtQxtBEBC9dwcdTTXS9xFnM3SXAZwPG41aurT8=
 github.com/tcnksm/go-latest v0.0.0-20170313132115-e3007ae9052e h1:IWllFTiDjjLIf2oeKxpIUmtiDV5sn71VgeQgg6vcE7k=
 github.com/tcnksm/go-latest v0.0.0-20170313132115-e3007ae9052e/go.mod h1:d7u6HkTYKSv5m6MCKkOQlHwaShTMl3HjqSGW3XtVhXM=
 github.com/tink-crypto/tink-go/v2 v2.1.0 h1:QXFBguwMwTIaU17EgZpEJWsUSc60b1BAGTzBIoMdmok=
 github.com/tink-crypto/tink-go/v2 v2.1.0/go.mod h1:y1TnYFt1i2eZVfx4OGc+C+EMp4CoKWAw2VSEuoicHHI=
 github.com/u-root/u-root v0.12.0 h1:K0AuBFriwr0w/PGS3HawiAw89e3+MU7ks80GpghAsNs=
 github.com/u-root/u-root v0.12.0/go.mod h1:FYjTOh4IkIZHhjsd17lb8nYW6udgXdJhG1c0r6u0arI=
-github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e h1:BA9O3BmlTmpjbvajAwzWx4Wo2TRVdpPXZEeemGQcajw=
-github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e/go.mod h1:eLL9Nub3yfAho7qB0MzZizFhTU2QkLeoVsWdHtDW264=
+github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701 h1:pyC9PaHYZFgEKFdlp3G8RaCKgVpHZnecvArXvPXcFkM=
+github.com/u-root/uio v0.0.0-20240224005618-d2acac8f3701/go.mod h1:P3a5rG4X7tI17Nn3aOIAYr5HbIMukwXG0urG0WuL8OA=
 github.com/vishvananda/netns v0.0.0-20200728191858-db3c7e526aae/go.mod h1:DD4vA1DwXk04H54A1oHXtwZmA0grkVMdPxx/VGLCah0=
 github.com/vishvananda/netns v0.0.4 h1:Oeaw1EM2JMxD51g9uhtC0D7erkIjgmj8+JZc26m1YX8=
 github.com/vishvananda/netns v0.0.4/go.mod h1:SpkAiCQRtJ6TvvxPnOSyH3BMl6unz3xZlaprSwhNNJM=
@@ -526,24 +518,26 @@ github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJu
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-go.opentelemetry.io/otel v1.32.0 h1:WnBN+Xjcteh0zdk01SVqV55d/m62NJLJdIyb4y/WO5U=
-go.opentelemetry.io/otel v1.32.0/go.mod h1:00DCVSB0RQcnzlwyTfqtxSm+DRr9hpYrHjNGiBHVQIg=
-go.opentelemetry.io/otel/metric v1.32.0 h1:xV2umtmNcThh2/a/aCP+h64Xx5wsj8qqnkYZktzNa0M=
-go.opentelemetry.io/otel/metric v1.32.0/go.mod h1:jH7CIbbK6SH2V2wE16W05BHCtIDzauciCRLoc/SyMv8=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/otel v1.33.0 h1:/FerN9bax5LoK51X/sI0SVYrjSE0/yUL7DpxW4K3FWw=
+go.opentelemetry.io/otel v1.33.0/go.mod h1:SUUkR6csvUQl+yjReHu5uM3EtVV7MBm5FHKRlNx4I8I=
+go.opentelemetry.io/otel/metric v1.33.0 h1:r+JOocAyeRVXD8lZpjdQjzMadVZp2M4WmQ+5WtEnklQ=
+go.opentelemetry.io/otel/metric v1.33.0/go.mod h1:L9+Fyctbp6HFTddIxClbQkjtubW6O9QS3Ann/M82u6M=
 go.opentelemetry.io/otel/sdk v1.31.0 h1:xLY3abVHYZ5HSfOg3l2E5LUj2Cwva5Y7yGxnSW9H5Gk=
 go.opentelemetry.io/otel/sdk v1.31.0/go.mod h1:TfRbMdhvxIIr/B2N2LQW2S5v9m3gOQ/08KsbbO5BPT0=
 go.opentelemetry.io/otel/sdk/metric v1.31.0 h1:i9hxxLJF/9kkvfHppyLL55aW7iIJz4JjxTeYusH7zMc=
 go.opentelemetry.io/otel/sdk/metric v1.31.0/go.mod h1:CRInTMVvNhUKgSAMbKyTMxqOBC0zgyxzW55lZzX43Y8=
-go.opentelemetry.io/otel/trace v1.32.0 h1:WIC9mYrXf8TmY/EXuULKc8hR17vE+Hjv2cssQDe03fM=
-go.opentelemetry.io/otel/trace v1.32.0/go.mod h1:+i4rkvCraA+tG6AzwloGaCtkx53Fa+L+V8e9a7YvhT8=
+go.opentelemetry.io/otel/trace v1.33.0 h1:cCJuF7LRjUFso9LPnEAHJDB2pqzp+hbO8eu1qqW2d/s=
+go.opentelemetry.io/otel/trace v1.33.0/go.mod h1:uIcdVUZMpTAmz0tI1z04GoVSezK37CbGV4fr1f2nBck=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.18.1/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
-go4.org/mem v0.0.0-20220726221520-4f986261bf13 h1:CbZeCBZ0aZj8EfVgnqQcYZgf0lpZ3H9rmp5nkDTAst8=
-go4.org/mem v0.0.0-20220726221520-4f986261bf13/go.mod h1:reUoABIJ9ikfM5sgtSF3Wushcza7+WeD01VB9Lirh3g=
+go4.org/mem v0.0.0-20240501181205-ae6ca9944745 h1:Tl++JLUCe4sxGu8cTpDzRLd3tN7US4hOxG5YpKCzkek=
+go4.org/mem v0.0.0-20240501181205-ae6ca9944745/go.mod h1:reUoABIJ9ikfM5sgtSF3Wushcza7+WeD01VB9Lirh3g=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba h1:0b9z3AuHCjxk0x/opv64kcgZLBseWJUpBw5I82+2U4M=
 go4.org/netipx v0.0.0-20231129151722-fdeea329fbba/go.mod h1:PLyyIXexvUFg3Owu6p/WfdlivPbZJsZdgWZlrGope/Y=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -551,15 +545,15 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
-golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
+golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20241215155358-4a5509556b9e h1:4qufH0hlUYs6AO6XmZC3GqfDPGSXHVXUFR6OND+iJX4=
-golang.org/x/exp v0.0.0-20241215155358-4a5509556b9e/go.mod h1:qj5a5QZpwLU2NLQudwIN5koi3beDhSAlJwa67PuM98c=
+golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 h1:yqrTHse8TCMW1M1ZCP+VAR/l0kKxwaAIqN/il7x4voA=
+golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8/go.mod h1:tujkw807nyEEAamNbDrEGzRav+ilXA7PCRAd6xsmwiU=
 golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f h1:phY1HzDcf18Aq9A8KkmRtY9WvOFIxN8wgfvy6Zm1DV8=
 golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
-golang.org/x/image v0.18.0 h1:jGzIakQa/ZXI1I0Fxvaa9W7yP25TqT6cHIHn+6CqvSQ=
-golang.org/x/image v0.18.0/go.mod h1:4yyo5vMFQjVjUcVk4jEQcU9MGy/rulF5WvUILseCM2E=
+golang.org/x/image v0.23.0 h1:HseQ7c2OpPKTPVzNjG5fwJsOTCiiwS4QdsYi5XU6H68=
+golang.org/x/image v0.23.0/go.mod h1:wJJBTdLfCCf3tiHa1fNxpZmUI4mmoZvwMCPP0ddoNKY=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
@@ -582,11 +576,11 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI=
-golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
+golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
+golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE=
-golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.25.0 h1:CY4y7XT9v0cRI9oupztF8AgiIu99L/ksR/Xp/6jrZ70=
+golang.org/x/oauth2 v0.25.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -616,20 +610,18 @@ golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220622161953-175b2fd9d664/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220817070843-5a390386f1f2/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.4.1-0.20230131160137-e7d7f63158de/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
-golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.29.1-0.20250107080300-1c14dcadc3ab h1:BMkEEWYOjkvOX7+YKOGbp6jCyQ5pR2j0Ah47p1Vdsx4=
+golang.org/x/sys v0.29.1-0.20250107080300-1c14dcadc3ab/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -637,8 +629,8 @@ golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuX
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
-golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
-golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
+golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg=
+golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
@@ -648,8 +640,8 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
-golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
+golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@@ -661,8 +653,8 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.28.0 h1:WuB6qZ4RPCQo5aP3WdKZS7i595EdWqWR8vqJTlwTVK8=
-golang.org/x/tools v0.28.0/go.mod h1:dcIOrVd3mfQKTgrDVQHqCPMWy6lnhfhtX3hLXYVLfRw=
+golang.org/x/tools v0.29.0 h1:Xx0h3TtM9rzQpQuR4dKLrdglAmCEN5Oi+P74JdhdzXE=
+golang.org/x/tools v0.29.0/go.mod h1:KMQVMRsVxU6nHCFXrBPhDB8XncLNLM0lIy/F14RP588=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -725,8 +717,6 @@ modernc.org/fileutil v1.3.0 h1:gQ5SIzK3H9kdfai/5x41oQiKValumqNTDXMvKo62HvE=
 modernc.org/fileutil v1.3.0/go.mod h1:XatxS8fZi3pS8/hKG2GH/ArUogfxjpEKs3Ku3aK4JyQ=
 modernc.org/gc/v2 v2.4.1 h1:9cNzOqPyMJBvrUipmynX0ZohMhcxPtMccYgGOJdOiBw=
 modernc.org/gc/v2 v2.4.1/go.mod h1:wzN5dK1AzVGoH6XOzc3YZ+ey/jPgYHLuVckd62P0GYU=
-modernc.org/gc/v3 v3.0.0-20240107210532-573471604cb6 h1:5D53IMaUuA5InSeMu9eJtlQXS2NxAhyWQvkKEgXZhHI=
-modernc.org/gc/v3 v3.0.0-20240107210532-573471604cb6/go.mod h1:Qz0X07sNOR1jWYCrJMEnbW/X55x206Q7Vt4mz6/wHp4=
 modernc.org/libc v1.55.3 h1:AzcW1mhlPNrRtjS5sS+eW2ISCgSOLLNyFzRh/V3Qj/U=
 modernc.org/libc v1.55.3/go.mod h1:qFXepLhz+JjFThQ4kzwzOjA/y/artDeg+pcYnY+Q83w=
 modernc.org/mathutil v1.6.0 h1:fRe9+AmYlaej+64JsEEhoWuAYBkOtQiMEU7n/XgfYi4=
@@ -737,16 +727,16 @@ modernc.org/opt v0.1.3 h1:3XOZf2yznlhC+ibLltsDGzABUGVx8J6pnFMS3E4dcq4=
 modernc.org/opt v0.1.3/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
 modernc.org/sortutil v1.2.0 h1:jQiD3PfS2REGJNzNCMMaLSp/wdMNieTbKX920Cqdgqc=
 modernc.org/sortutil v1.2.0/go.mod h1:TKU2s7kJMf1AE84OoiGppNHJwvB753OYfNl2WRb++Ss=
-modernc.org/sqlite v1.33.1 h1:trb6Z3YYoeM9eDL1O8do81kP+0ejv+YzgyFo+Gwy0nM=
-modernc.org/sqlite v1.33.1/go.mod h1:pXV2xHxhzXZsgT/RtTFAPY6JJDEvOTcTdwADQCCWD4k=
+modernc.org/sqlite v1.34.5 h1:Bb6SR13/fjp15jt70CL4f18JIN7p7dnMExd+UFnF15g=
+modernc.org/sqlite v1.34.5/go.mod h1:YLuNmX9NKs8wRNK2ko1LW1NGYcc9FkBO69JOt1AR9JE=
 modernc.org/strutil v1.2.0 h1:agBi9dp1I+eOnxXeiZawM8F4LawKv4NzGWSaLfyeNZA=
 modernc.org/strutil v1.2.0/go.mod h1:/mdcBmfOibveCTBxUl5B5l6W+TTH1FXPLHZE6bTosX0=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
 modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
 software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k=
 software.sslmate.com/src/go-pkcs12 v0.4.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
-tailscale.com v1.79.0-pre h1:iJ4+ox4kxadiTJRlybF+9Co+CEDIa1dflMPuxUb5gRg=
-tailscale.com v1.79.0-pre/go.mod h1:aNv7W0AEQtUsDOByv8mGZAk5ZGT49gQ3vIaPaol1RCc=
+tailscale.com v1.80.0 h1:7joWtDtdHEHJvGmOag10RNITKp1I4Ts7Hrn6pU33/1I=
+tailscale.com v1.80.0/go.mod h1:4tasV1xjJAMHuX2xWMWAnXEmlrAA6M3w1xnc32DlpMk=
 zgo.at/zcache/v2 v2.1.0 h1:USo+ubK+R4vtjw4viGzTe/zjXyPw6R7SK/RL3epBBxs=
 zgo.at/zcache/v2 v2.1.0/go.mod h1:gyCeoLVo01QjDZynjime8xUGHHMbsLiPyUTBpDGd4Gk=
 zombiezen.com/go/postgrestest v1.0.1 h1:aXoADQAJmZDU3+xilYVut0pHhgc0sF8ZspPW9gFNwP4=

hscontrol/app.go

@@ -24,6 +24,7 @@ import (
 	grpcRuntime "github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
 	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/hscontrol/capver"
 	"github.com/juanfont/headscale/hscontrol/db"
 	"github.com/juanfont/headscale/hscontrol/derp"
 	derpServer "github.com/juanfont/headscale/hscontrol/derp/server"
@@ -96,7 +97,7 @@ type Headscale struct {
 	mapper       *mapper.Mapper
 	nodeNotifier *notifier.Notifier
 
-	registrationCache *zcache.Cache[string, types.Node]
+	registrationCache *zcache.Cache[types.RegistrationID, types.RegisterNode]
 
 	authProvider AuthProvider
 
@@ -123,7 +124,7 @@ func NewHeadscale(cfg *types.Config) (*Headscale, error) {
 		return nil, fmt.Errorf("failed to read or create Noise protocol private key: %w", err)
 	}
 
-	registrationCache := zcache.New[string, types.Node](
+	registrationCache := zcache.New[types.RegistrationID, types.RegisterNode](
 		registerCacheExpiration,
 		registerCacheCleanup,
 	)
@@ -462,7 +463,7 @@ func (h *Headscale) createRouter(grpcMux *grpcRuntime.ServeMux) *mux.Router {
 
 	router.HandleFunc("/health", h.HealthHandler).Methods(http.MethodGet)
 	router.HandleFunc("/key", h.KeyHandler).Methods(http.MethodGet)
-	router.HandleFunc("/register/{mkey}", h.authProvider.RegisterHandler).Methods(http.MethodGet)
+	router.HandleFunc("/register/{registration_id}", h.authProvider.RegisterHandler).Methods(http.MethodGet)
 
 	if provider, ok := h.authProvider.(*AuthProviderOIDC); ok {
 		router.HandleFunc("/oidc/callback", provider.OIDCCallbackHandler).Methods(http.MethodGet)
@@ -520,29 +521,34 @@ func usersChangedHook(db *db.HSDatabase, polMan policy.PolicyManager, notif *not
 
 // TODO(kradalby): Do a variant of this, and polman which only updates the node that has changed.
 // Maybe we should attempt a new in memory state and not go via the DB?
-func nodesChangedHook(db *db.HSDatabase, polMan policy.PolicyManager, notif *notifier.Notifier) error {
+// A bool is returned indicating if a full update was sent to all nodes
+func nodesChangedHook(db *db.HSDatabase, polMan policy.PolicyManager, notif *notifier.Notifier) (bool, error) {
 	nodes, err := db.ListNodes()
 	if err != nil {
-		return err
+		return false, err
 	}
 
-	changed, err := polMan.SetNodes(nodes)
+	filterChanged, err := polMan.SetNodes(nodes)
 	if err != nil {
-		return err
+		return false, err
 	}
 
-	if changed {
+	if filterChanged {
 		ctx := types.NotifyCtx(context.Background(), "acl-nodes-change", "all")
 		notif.NotifyAll(ctx, types.StateUpdate{
 			Type: types.StateFullUpdate,
 		})
+
+		return true, nil
 	}
 
-	return nil
+	return false, nil
 }
 
 // Serve launches the HTTP and gRPC server service Headscale and the API.
 func (h *Headscale) Serve() error {
+	capver.CanOldCodeBeCleanedUp()
+
 	if profilingEnabled {
 		if profilingPath != "" {
 			err := os.MkdirAll(profilingPath, os.ModePerm)
@@ -560,6 +566,11 @@ func (h *Headscale) Serve() error {
 		spew.Dump(h.cfg)
 	}
 
+	log.Info().
+		Caller().
+		Str("minimum_version", capver.TailscaleVersion(capver.MinSupportedCapabilityVersion)).
+		Msg("Clients with a lower minimum version will be rejected")
+
 	// Fetch an initial DERP Map before we start serving
 	h.DERPMap = derp.GetDERPMap(h.cfg.DERP)
 	h.mapper = mapper.NewMapper(h.db, h.cfg, h.DERPMap, h.nodeNotifier, h.polMan)

hscontrol/auth.go

@@ -2,16 +2,16 @@ package hscontrol
 
 import (
 	"context"
-	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
+	"net/url"
+	"strings"
 	"time"
 
 	"github.com/juanfont/headscale/hscontrol/db"
 	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/juanfont/headscale/hscontrol/util"
-	"github.com/rs/zerolog/log"
 	"gorm.io/gorm"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
@@ -20,692 +20,276 @@ import (
 
 type AuthProvider interface {
 	RegisterHandler(http.ResponseWriter, *http.Request)
-	AuthURL(key.MachinePublic) string
+	AuthURL(types.RegistrationID) string
 }
 
-func logAuthFunc(
-	registerRequest tailcfg.RegisterRequest,
-	machineKey key.MachinePublic,
-) (func(string), func(string), func(error, string)) {
-	return func(msg string) {
-			log.Info().
-				Caller().
-				Str("machine_key", machineKey.ShortString()).
-				Str("node_key", registerRequest.NodeKey.ShortString()).
-				Str("node_key_old", registerRequest.OldNodeKey.ShortString()).
-				Str("node", registerRequest.Hostinfo.Hostname).
-				Str("followup", registerRequest.Followup).
-				Time("expiry", registerRequest.Expiry).
-				Msg(msg)
-		},
-		func(msg string) {
-			log.Trace().
-				Caller().
-				Str("machine_key", machineKey.ShortString()).
-				Str("node_key", registerRequest.NodeKey.ShortString()).
-				Str("node_key_old", registerRequest.OldNodeKey.ShortString()).
-				Str("node", registerRequest.Hostinfo.Hostname).
-				Str("followup", registerRequest.Followup).
-				Time("expiry", registerRequest.Expiry).
-				Msg(msg)
-		},
-		func(err error, msg string) {
-			log.Error().
-				Caller().
-				Str("machine_key", machineKey.ShortString()).
-				Str("node_key", registerRequest.NodeKey.ShortString()).
-				Str("node_key_old", registerRequest.OldNodeKey.ShortString()).
-				Str("node", registerRequest.Hostinfo.Hostname).
-				Str("followup", registerRequest.Followup).
-				Time("expiry", registerRequest.Expiry).
-				Err(err).
-				Msg(msg)
-		}
-}
-
-// handleRegister is the logic for registering a client.
 func (h *Headscale) handleRegister(
-	writer http.ResponseWriter,
-	req *http.Request,
+	ctx context.Context,
 	regReq tailcfg.RegisterRequest,
 	machineKey key.MachinePublic,
-) {
-	logInfo, logTrace, _ := logAuthFunc(regReq, machineKey)
-	now := time.Now().UTC()
-	logTrace("handleRegister called, looking up machine in DB")
-	node, err := h.db.GetNodeByAnyKey(machineKey, regReq.NodeKey, regReq.OldNodeKey)
-	logTrace("handleRegister database lookup has returned")
-	if errors.Is(err, gorm.ErrRecordNotFound) {
-		// If the node has AuthKey set, handle registration via PreAuthKeys
-		if regReq.Auth != nil && regReq.Auth.AuthKey != "" {
-			h.handleAuthKey(writer, regReq, machineKey)
+) (*tailcfg.RegisterResponse, error) {
+	node, err := h.db.GetNodeByNodeKey(regReq.NodeKey)
+	if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+		return nil, fmt.Errorf("looking up node in database: %w", err)
+	}
 
-			return
+	if node != nil {
+		resp, err := h.handleExistingNode(node, regReq, machineKey)
+		if err != nil {
+			return nil, fmt.Errorf("handling existing node: %w", err)
 		}
 
-		// Check if the node is waiting for interactive login.
-		//
-		// TODO(juan): We could use this field to improve our protocol implementation,
-		// and hold the request until the client closes it, or the interactive
-		// login is completed (i.e., the user registers the node).
-		// This is not implemented yet, as it is no strictly required. The only side-effect
-		// is that the client will hammer headscale with requests until it gets a
-		// successful RegisterResponse.
-		if regReq.Followup != "" {
-			logTrace("register request is a followup")
-			if _, ok := h.registrationCache.Get(machineKey.String()); ok {
-				logTrace("Node is waiting for interactive login")
+		return resp, nil
+	}
 
-				select {
-				case <-req.Context().Done():
-					return
-				case <-time.After(registrationHoldoff):
-					h.handleNewNode(writer, regReq, machineKey)
+	if regReq.Followup != "" {
+		// TODO(kradalby): Does this need to return an error of some sort?
+		// Maybe if the registration fails down the line it can be sent
+		// on the channel and returned here?
+		h.waitForFollowup(ctx, regReq)
+	}
 
-					return
+	if regReq.Auth != nil && regReq.Auth.AuthKey != "" {
+		resp, err := h.handleRegisterWithAuthKey(regReq, machineKey)
+		if err != nil {
+			return nil, fmt.Errorf("handling register with auth key: %w", err)
+		}
+
+		return resp, nil
+	}
+
+	resp, err := h.handleRegisterInteractive(regReq, machineKey)
+	if err != nil {
+		return nil, fmt.Errorf("handling register interactive: %w", err)
+	}
+
+	return resp, nil
+}
+
+func (h *Headscale) handleExistingNode(
+	node *types.Node,
+	regReq tailcfg.RegisterRequest,
+	machineKey key.MachinePublic,
+) (*tailcfg.RegisterResponse, error) {
+	if node.MachineKey != machineKey {
+		return nil, NewHTTPError(http.StatusUnauthorized, "node exist with different machine key", nil)
+	}
+
+	expired := node.IsExpired()
+	if !expired && !regReq.Expiry.IsZero() {
+		requestExpiry := regReq.Expiry
+
+		// The client is trying to extend their key, this is not allowed.
+		if requestExpiry.After(time.Now()) {
+			return nil, NewHTTPError(http.StatusBadRequest, "extending key is not allowed", nil)
+		}
+
+		// If the request expiry is in the past, we consider it a logout.
+		if requestExpiry.Before(time.Now()) {
+			if node.IsEphemeral() {
+				changedNodes, err := h.db.DeleteNode(node, h.nodeNotifier.LikelyConnectedMap())
+				if err != nil {
+					return nil, fmt.Errorf("deleting ephemeral node: %w", err)
+				}
+
+				ctx := types.NotifyCtx(context.Background(), "logout-ephemeral", "na")
+				h.nodeNotifier.NotifyAll(ctx, types.StateUpdate{
+					Type:    types.StatePeerRemoved,
+					Removed: []types.NodeID{node.ID},
+				})
+				if changedNodes != nil {
+					h.nodeNotifier.NotifyAll(ctx, types.StateUpdate{
+						Type:        types.StatePeerChanged,
+						ChangeNodes: changedNodes,
+					})
 				}
 			}
+
+			expired = true
 		}
 
-		logInfo("Node not found in database, creating new")
-
-		// The node did not have a key to authenticate, which means
-		// that we rely on a method that calls back some how (OpenID or CLI)
-		// We create the node and then keep it around until a callback
-		// happens
-		newNode := types.Node{
-			MachineKey: machineKey,
-			Hostname:   regReq.Hostinfo.Hostname,
-			NodeKey:    regReq.NodeKey,
-			LastSeen:   &now,
-			Expiry:     &time.Time{},
+		err := h.db.NodeSetExpiry(node.ID, requestExpiry)
+		if err != nil {
+			return nil, fmt.Errorf("setting node expiry: %w", err)
 		}
 
-		if !regReq.Expiry.IsZero() {
-			logTrace("Non-zero expiry time requested")
-			newNode.Expiry = &regReq.Expiry
-		}
+		ctx := types.NotifyCtx(context.Background(), "logout-expiry", "na")
+		h.nodeNotifier.NotifyWithIgnore(ctx, types.StateUpdateExpire(node.ID, requestExpiry), node.ID)
+	}
 
-		h.registrationCache.Set(
-			machineKey.String(),
-			newNode,
-		)
+	return &tailcfg.RegisterResponse{
+		// TODO(kradalby): Only send for user-owned nodes
+		// and not tagged nodes when tags is working.
+		User:           *node.User.TailscaleUser(),
+		Login:          *node.User.TailscaleLogin(),
+		NodeKeyExpired: expired,
 
-		h.handleNewNode(writer, regReq, machineKey)
+		// Headscale does not implement the concept of machine authorization
+		// so we always return true here.
+		// Revisit this if #2176 gets implemented.
+		MachineAuthorized: true,
+	}, nil
+}
 
+func (h *Headscale) waitForFollowup(
+	ctx context.Context,
+	regReq tailcfg.RegisterRequest,
+) {
+	fu, err := url.Parse(regReq.Followup)
+	if err != nil {
 		return
 	}
 
-	// The node is already in the DB. This could mean one of the following:
-	// - The node is authenticated and ready to /map
-	// - We are doing a key refresh
-	// - The node is logged out (or expired) and pending to be authorized. TODO(juan): We need to keep alive the connection here
-	if node != nil {
-		// (juan): For a while we had a bug where we were not storing the MachineKey for the nodes using the TS2021,
-		// due to a misunderstanding of the protocol https://github.com/juanfont/headscale/issues/1054
-		// So if we have a not valid MachineKey (but we were able to fetch the node with the NodeKeys), we update it.
-		if err != nil || node.MachineKey.IsZero() {
-			if err := h.db.NodeSetMachineKey(node, machineKey); err != nil {
-				log.Error().
-					Caller().
-					Str("func", "RegistrationHandler").
-					Str("node", node.Hostname).
-					Err(err).
-					Msg("Error saving machine key to database")
-
-				return
-			}
-		}
-
-		// If the NodeKey stored in headscale is the same as the key presented in a registration
-		// request, then we have a node that is either:
-		// - Trying to log out (sending a expiry in the past)
-		// - A valid, registered node, looking for /map
-		// - Expired node wanting to reauthenticate
-		if node.NodeKey.String() == regReq.NodeKey.String() {
-			// The client sends an Expiry in the past if the client is requesting to expire the key (aka logout)
-			//   https://github.com/tailscale/tailscale/blob/main/tailcfg/tailcfg.go#L648
-			if !regReq.Expiry.IsZero() &&
-				regReq.Expiry.UTC().Before(now) {
-				h.handleNodeLogOut(writer, *node)
-
-				return
-			}
-
-			// If node is not expired, and it is register, we have a already accepted this node,
-			// let it proceed with a valid registration
-			if !node.IsExpired() {
-				h.handleNodeWithValidRegistration(writer, *node)
-
-				return
-			}
-		}
-
-		// The NodeKey we have matches OldNodeKey, which means this is a refresh after a key expiration
-		if node.NodeKey.String() == regReq.OldNodeKey.String() &&
-			!node.IsExpired() {
-			h.handleNodeKeyRefresh(
-				writer,
-				regReq,
-				*node,
-			)
-
-			return
-		}
-
-		// When logged out and reauthenticating with OIDC, the OldNodeKey is not passed, but the NodeKey has changed
-		if node.NodeKey.String() != regReq.NodeKey.String() &&
-			regReq.OldNodeKey.IsZero() && !node.IsExpired() {
-			h.handleNodeKeyRefresh(
-				writer,
-				regReq,
-				*node,
-			)
-
-			return
-		}
-
-		if regReq.Followup != "" {
-			select {
-			case <-req.Context().Done():
-				return
-			case <-time.After(registrationHoldoff):
-			}
-		}
-
-		// The node has expired or it is logged out
-		h.handleNodeExpiredOrLoggedOut(writer, regReq, *node, machineKey)
-
-		// TODO(juan): RegisterRequest includes an Expiry time, that we could optionally use
-		node.Expiry = &time.Time{}
-
-		// If we are here it means the client needs to be reauthorized,
-		// we need to make sure the NodeKey matches the one in the request
-		// TODO(juan): What happens when using fast user switching between two
-		// headscale-managed tailnets?
-		node.NodeKey = regReq.NodeKey
-		h.registrationCache.Set(
-			machineKey.String(),
-			*node,
-		)
-
+	followupReg, err := types.RegistrationIDFromString(strings.ReplaceAll(fu.Path, "/register/", ""))
+	if err != nil {
 		return
 	}
+
+	if reg, ok := h.registrationCache.Get(followupReg); ok {
+		select {
+		case <-ctx.Done():
+			return
+		case <-reg.Registered:
+			return
+		}
+	}
 }
 
-// handleAuthKey contains the logic to manage auth key client registration
-// When using Noise, the machineKey is Zero.
-func (h *Headscale) handleAuthKey(
-	writer http.ResponseWriter,
-	registerRequest tailcfg.RegisterRequest,
-	machineKey key.MachinePublic,
-) {
-	log.Debug().
-		Caller().
-		Str("node", registerRequest.Hostinfo.Hostname).
-		Msgf("Processing auth key for %s", registerRequest.Hostinfo.Hostname)
-	resp := tailcfg.RegisterResponse{}
-
-	pak, err := h.db.ValidatePreAuthKey(registerRequest.Auth.AuthKey)
-	if err != nil {
-		log.Error().
-			Caller().
-			Str("node", registerRequest.Hostinfo.Hostname).
-			Err(err).
-			Msg("Failed authentication via AuthKey")
-		resp.MachineAuthorized = false
-
-		respBody, err := json.Marshal(resp)
-		if err != nil {
-			log.Error().
-				Caller().
-				Str("node", registerRequest.Hostinfo.Hostname).
-				Err(err).
-				Msg("Cannot encode message")
-			http.Error(writer, "Internal server error", http.StatusInternalServerError)
-
-			return
-		}
-
-		writer.Header().Set("Content-Type", "application/json; charset=utf-8")
-		writer.WriteHeader(http.StatusUnauthorized)
-		_, err = writer.Write(respBody)
-		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
-
-		log.Error().
-			Caller().
-			Str("node", registerRequest.Hostinfo.Hostname).
-			Msg("Failed authentication via AuthKey")
-
-		return
+// canUsePreAuthKey checks if a pre auth key can be used.
+func canUsePreAuthKey(pak *types.PreAuthKey) error {
+	if pak == nil {
+		return NewHTTPError(http.StatusUnauthorized, "invalid authkey", nil)
+	}
+	if pak.Expiration != nil && pak.Expiration.Before(time.Now()) {
+		return NewHTTPError(http.StatusUnauthorized, "authkey expired", nil)
 	}
 
-	log.Debug().
-		Caller().
-		Str("node", registerRequest.Hostinfo.Hostname).
-		Msg("Authentication key was valid, proceeding to acquire IP addresses")
+	// we don't need to check if has been used before
+	if pak.Reusable {
+		return nil
+	}
 
-	nodeKey := registerRequest.NodeKey
+	if pak.Used {
+		return NewHTTPError(http.StatusUnauthorized, "authkey already used", nil)
+	}
 
-	// retrieve node information if it exist
-	// The error is not important, because if it does not
-	// exist, then this is a new node and we will move
-	// on to registration.
-	node, _ := h.db.GetNodeByAnyKey(machineKey, registerRequest.NodeKey, registerRequest.OldNodeKey)
-	if node != nil {
-		log.Trace().
-			Caller().
-			Str("node", node.Hostname).
-			Msg("node was already registered before, refreshing with new auth key")
+	return nil
+}
 
-		node.NodeKey = nodeKey
-		if pak.ID != 0 {
-			node.AuthKeyID = ptr.To(pak.ID)
+func (h *Headscale) handleRegisterWithAuthKey(
+	regReq tailcfg.RegisterRequest,
+	machineKey key.MachinePublic,
+) (*tailcfg.RegisterResponse, error) {
+	pak, err := h.db.GetPreAuthKey(regReq.Auth.AuthKey)
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, NewHTTPError(http.StatusUnauthorized, "invalid pre auth key", nil)
 		}
+		return nil, err
+	}
 
-		node.Expiry = &registerRequest.Expiry
-		node.User = pak.User
-		node.UserID = pak.UserID
-		err := h.db.DB.Save(node).Error
-		if err != nil {
-			log.Error().
-				Caller().
-				Str("node", node.Hostname).
-				Err(err).
-				Msg("failed to save node after logging in with auth key")
+	err = canUsePreAuthKey(pak)
+	if err != nil {
+		return nil, err
+	}
 
-			return
-		}
+	nodeToRegister := types.Node{
+		Hostname:       regReq.Hostinfo.Hostname,
+		UserID:         pak.User.ID,
+		User:           pak.User,
+		MachineKey:     machineKey,
+		NodeKey:        regReq.NodeKey,
+		Hostinfo:       regReq.Hostinfo,
+		LastSeen:       ptr.To(time.Now()),
+		RegisterMethod: util.RegisterMethodAuthKey,
 
-		aclTags := pak.Proto().GetAclTags()
-		if len(aclTags) > 0 {
-			// This conditional preserves the existing behaviour, although SaaS would reset the tags on auth-key login
-			err = h.db.SetTags(node.ID, aclTags)
-			if err != nil {
-				log.Error().
-					Caller().
-					Str("node", node.Hostname).
-					Strs("aclTags", aclTags).
-					Err(err).
-					Msg("Failed to set tags after refreshing node")
+		// TODO(kradalby): This should not be set on the node,
+		// they should be looked up through the key, which is
+		// attached to the node.
+		ForcedTags: pak.Proto().GetAclTags(),
+		AuthKey:    pak,
+		AuthKeyID:  &pak.ID,
+	}
 
-				return
-			}
-		}
+	if !regReq.Expiry.IsZero() {
+		nodeToRegister.Expiry = &regReq.Expiry
+	}
 
-		ctx := types.NotifyCtx(context.Background(), "handle-authkey", "na")
-		h.nodeNotifier.NotifyAll(ctx, types.StateUpdate{Type: types.StatePeerChanged, ChangeNodes: []types.NodeID{node.ID}})
-	} else {
-		now := time.Now().UTC()
+	ipv4, ipv6, err := h.ipAlloc.Next()
+	if err != nil {
+		return nil, fmt.Errorf("allocating IPs: %w", err)
+	}
 
-		nodeToRegister := types.Node{
-			Hostname:       registerRequest.Hostinfo.Hostname,
-			UserID:         pak.User.ID,
-			User:           pak.User,
-			MachineKey:     machineKey,
-			RegisterMethod: util.RegisterMethodAuthKey,
-			Expiry:         &registerRequest.Expiry,
-			NodeKey:        nodeKey,
-			LastSeen:       &now,
-			ForcedTags:     pak.Proto().GetAclTags(),
-		}
-
-		ipv4, ipv6, err := h.ipAlloc.Next()
-		if err != nil {
-			log.Error().
-				Caller().
-				Str("func", "RegistrationHandler").
-				Str("hostinfo.name", registerRequest.Hostinfo.Hostname).
-				Err(err).
-				Msg("failed to allocate IP	")
-
-			return
-		}
-
-		pakID := uint(pak.ID)
-		if pakID != 0 {
-			nodeToRegister.AuthKeyID = ptr.To(pak.ID)
-		}
-		node, err = h.db.RegisterNode(
+	node, err := db.Write(h.db.DB, func(tx *gorm.DB) (*types.Node, error) {
+		node, err := db.RegisterNode(tx,
 			nodeToRegister,
 			ipv4, ipv6,
 		)
 		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("could not register node")
-			http.Error(writer, "Internal server error", http.StatusInternalServerError)
-
-			return
+			return nil, fmt.Errorf("registering node: %w", err)
 		}
 
-		err = nodesChangedHook(h.db, h.polMan, h.nodeNotifier)
-		if err != nil {
-			http.Error(writer, "Internal server error", http.StatusInternalServerError)
-			return
+		if !pak.Reusable {
+			err = db.UsePreAuthKey(tx, pak)
+			if err != nil {
+				return nil, fmt.Errorf("using pre auth key: %w", err)
+			}
 		}
-	}
 
-	err = h.db.Write(func(tx *gorm.DB) error {
-		return db.UsePreAuthKey(tx, pak)
+		return node, nil
 	})
 	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to use pre-auth key")
-		http.Error(writer, "Internal server error", http.StatusInternalServerError)
-
-		return
+		return nil, err
 	}
 
-	resp.MachineAuthorized = true
-	resp.User = *pak.User.TailscaleUser()
-	// Provide LoginName when registering with pre-auth key
-	// Otherwise it will need to exec `tailscale up` twice to fetch the *LoginName*
-	resp.Login = *pak.User.TailscaleLogin()
-
-	respBody, err := json.Marshal(resp)
+	updateSent, err := nodesChangedHook(h.db, h.polMan, h.nodeNotifier)
 	if err != nil {
-		log.Error().
-			Caller().
-			Str("node", registerRequest.Hostinfo.Hostname).
-			Err(err).
-			Msg("Cannot encode message")
-		http.Error(writer, "Internal server error", http.StatusInternalServerError)
-
-		return
-	}
-	writer.Header().Set("Content-Type", "application/json; charset=utf-8")
-	writer.WriteHeader(http.StatusOK)
-	_, err = writer.Write(respBody)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
-		return
+		return nil, fmt.Errorf("nodes changed hook: %w", err)
 	}
 
-	log.Info().
-		Str("node", registerRequest.Hostinfo.Hostname).
-		Msg("Successfully authenticated via AuthKey")
+	if !updateSent {
+		ctx := types.NotifyCtx(context.Background(), "node updated", node.Hostname)
+		h.nodeNotifier.NotifyAll(ctx, types.StateUpdatePeerAdded(node.ID))
+	}
+
+	return &tailcfg.RegisterResponse{
+		MachineAuthorized: true,
+		NodeKeyExpired:    node.IsExpired(),
+		User:              *pak.User.TailscaleUser(),
+		Login:             *pak.User.TailscaleLogin(),
+	}, nil
 }
 
-// handleNewNode returns the authorisation URL to the client based on what type
-// of registration headscale is configured with.
-// This url is then showed to the user by the local Tailscale client.
-func (h *Headscale) handleNewNode(
-	writer http.ResponseWriter,
-	registerRequest tailcfg.RegisterRequest,
-	machineKey key.MachinePublic,
-) {
-	logInfo, logTrace, logErr := logAuthFunc(registerRequest, machineKey)
-
-	resp := tailcfg.RegisterResponse{}
-
-	// The node registration is new, redirect the client to the registration URL
-	logTrace("The node seems to be new, sending auth url")
-
-	resp.AuthURL = h.authProvider.AuthURL(machineKey)
-
-	respBody, err := json.Marshal(resp)
-	if err != nil {
-		logErr(err, "Cannot encode message")
-		http.Error(writer, "Internal server error", http.StatusInternalServerError)
-
-		return
-	}
-
-	writer.Header().Set("Content-Type", "application/json; charset=utf-8")
-	writer.WriteHeader(http.StatusOK)
-	_, err = writer.Write(respBody)
-	if err != nil {
-		logErr(err, "Failed to write response")
-	}
-
-	logInfo(fmt.Sprintf("Successfully sent auth url: %s", resp.AuthURL))
-}
-
-func (h *Headscale) handleNodeLogOut(
-	writer http.ResponseWriter,
-	node types.Node,
-) {
-	resp := tailcfg.RegisterResponse{}
-
-	log.Info().
-		Str("node", node.Hostname).
-		Msg("Client requested logout")
-
-	now := time.Now()
-	err := h.db.NodeSetExpiry(node.ID, now)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to expire node")
-		http.Error(writer, "Internal server error", http.StatusInternalServerError)
-
-		return
-	}
-
-	ctx := types.NotifyCtx(context.Background(), "logout-expiry", "na")
-	h.nodeNotifier.NotifyWithIgnore(ctx, types.StateUpdateExpire(node.ID, now), node.ID)
-
-	resp.AuthURL = ""
-	resp.MachineAuthorized = false
-	resp.NodeKeyExpired = true
-	resp.User = *node.User.TailscaleUser()
-	respBody, err := json.Marshal(resp)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Cannot encode message")
-		http.Error(writer, "Internal server error", http.StatusInternalServerError)
-
-		return
-	}
-
-	writer.Header().Set("Content-Type", "application/json; charset=utf-8")
-	writer.WriteHeader(http.StatusOK)
-	_, err = writer.Write(respBody)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
-
-		return
-	}
-
-	if node.IsEphemeral() {
-		changedNodes, err := h.db.DeleteNode(&node, h.nodeNotifier.LikelyConnectedMap())
-		if err != nil {
-			log.Error().
-				Err(err).
-				Str("node", node.Hostname).
-				Msg("Cannot delete ephemeral node from the database")
-		}
-
-		ctx := types.NotifyCtx(context.Background(), "logout-ephemeral", "na")
-		h.nodeNotifier.NotifyAll(ctx, types.StateUpdate{
-			Type:    types.StatePeerRemoved,
-			Removed: []types.NodeID{node.ID},
-		})
-		if changedNodes != nil {
-			h.nodeNotifier.NotifyAll(ctx, types.StateUpdate{
-				Type:        types.StatePeerChanged,
-				ChangeNodes: changedNodes,
-			})
-		}
-
-		return
-	}
-
-	log.Info().
-		Caller().
-		Str("node", node.Hostname).
-		Msg("Successfully logged out")
-}
-
-func (h *Headscale) handleNodeWithValidRegistration(
-	writer http.ResponseWriter,
-	node types.Node,
-) {
-	resp := tailcfg.RegisterResponse{}
-
-	// The node registration is valid, respond with redirect to /map
-	log.Debug().
-		Caller().
-		Str("node", node.Hostname).
-		Msg("Client is registered and we have the current NodeKey. All clear to /map")
-
-	resp.AuthURL = ""
-	resp.MachineAuthorized = true
-	resp.User = *node.User.TailscaleUser()
-	resp.Login = *node.User.TailscaleLogin()
-
-	respBody, err := json.Marshal(resp)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Cannot encode message")
-		http.Error(writer, "Internal server error", http.StatusInternalServerError)
-
-		return
-	}
-
-	writer.Header().Set("Content-Type", "application/json; charset=utf-8")
-	writer.WriteHeader(http.StatusOK)
-	_, err = writer.Write(respBody)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
-	}
-
-	log.Info().
-		Caller().
-		Str("node", node.Hostname).
-		Msg("Node successfully authorized")
-}
-
-func (h *Headscale) handleNodeKeyRefresh(
-	writer http.ResponseWriter,
-	registerRequest tailcfg.RegisterRequest,
-	node types.Node,
-) {
-	resp := tailcfg.RegisterResponse{}
-
-	log.Info().
-		Caller().
-		Str("node", node.Hostname).
-		Msg("We have the OldNodeKey in the database. This is a key refresh")
-
-	err := h.db.Write(func(tx *gorm.DB) error {
-		return db.NodeSetNodeKey(tx, &node, registerRequest.NodeKey)
-	})
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to update machine key in the database")
-		http.Error(writer, "Internal server error", http.StatusInternalServerError)
-
-		return
-	}
-
-	resp.AuthURL = ""
-	resp.User = *node.User.TailscaleUser()
-	respBody, err := json.Marshal(resp)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Cannot encode message")
-		http.Error(writer, "Internal server error", http.StatusInternalServerError)
-
-		return
-	}
-
-	writer.Header().Set("Content-Type", "application/json; charset=utf-8")
-	writer.WriteHeader(http.StatusOK)
-	_, err = writer.Write(respBody)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
-	}
-
-	log.Info().
-		Caller().
-		Str("node_key", registerRequest.NodeKey.ShortString()).
-		Str("old_node_key", registerRequest.OldNodeKey.ShortString()).
-		Str("node", node.Hostname).
-		Msg("Node key successfully refreshed")
-}
-
-func (h *Headscale) handleNodeExpiredOrLoggedOut(
-	writer http.ResponseWriter,
+func (h *Headscale) handleRegisterInteractive(
 	regReq tailcfg.RegisterRequest,
-	node types.Node,
 	machineKey key.MachinePublic,
-) {
-	resp := tailcfg.RegisterResponse{}
-
-	if regReq.Auth != nil && regReq.Auth.AuthKey != "" {
-		h.handleAuthKey(writer, regReq, machineKey)
-
-		return
-	}
-
-	// The client has registered before, but has expired or logged out
-	log.Trace().
-		Caller().
-		Str("node", node.Hostname).
-		Str("machine_key", machineKey.ShortString()).
-		Str("node_key", regReq.NodeKey.ShortString()).
-		Str("node_key_old", regReq.OldNodeKey.ShortString()).
-		Msg("Node registration has expired or logged out. Sending a auth url to register")
-
-	resp.AuthURL = h.authProvider.AuthURL(machineKey)
-
-	respBody, err := json.Marshal(resp)
+) (*tailcfg.RegisterResponse, error) {
+	registrationId, err := types.NewRegistrationID()
 	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Cannot encode message")
-		http.Error(writer, "Internal server error", http.StatusInternalServerError)
-
-		return
+		return nil, fmt.Errorf("generating registration ID: %w", err)
 	}
 
-	writer.Header().Set("Content-Type", "application/json; charset=utf-8")
-	writer.WriteHeader(http.StatusOK)
-	_, err = writer.Write(respBody)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
+	newNode := types.RegisterNode{
+		Node: types.Node{
+			Hostname:   regReq.Hostinfo.Hostname,
+			MachineKey: machineKey,
+			NodeKey:    regReq.NodeKey,
+			Hostinfo:   regReq.Hostinfo,
+			LastSeen:   ptr.To(time.Now()),
+		},
+		Registered: make(chan struct{}),
 	}
 
-	log.Trace().
-		Caller().
-		Str("machine_key", machineKey.ShortString()).
-		Str("node_key", regReq.NodeKey.ShortString()).
-		Str("node_key_old", regReq.OldNodeKey.ShortString()).
-		Str("node", node.Hostname).
-		Msg("Node logged out. Sent AuthURL for reauthentication")
+	if !regReq.Expiry.IsZero() {
+		newNode.Node.Expiry = &regReq.Expiry
+	}
+
+	h.registrationCache.Set(
+		registrationId,
+		newNode,
+	)
+
+	return &tailcfg.RegisterResponse{
+		AuthURL: h.authProvider.AuthURL(registrationId),
+	}, nil
 }

hscontrol/auth_noise.go

@@ -1,56 +0,0 @@
-package hscontrol
-
-import (
-	"encoding/json"
-	"io"
-	"net/http"
-
-	"github.com/rs/zerolog/log"
-	"tailscale.com/tailcfg"
-)
-
-// // NoiseRegistrationHandler handles the actual registration process of a node.
-func (ns *noiseServer) NoiseRegistrationHandler(
-	writer http.ResponseWriter,
-	req *http.Request,
-) {
-	log.Trace().Caller().Msgf("Noise registration handler for client %s", req.RemoteAddr)
-	if req.Method != http.MethodPost {
-		http.Error(writer, "Wrong method", http.StatusMethodNotAllowed)
-
-		return
-	}
-
-	log.Trace().
-		Any("headers", req.Header).
-		Caller().
-		Msg("Headers")
-
-	body, _ := io.ReadAll(req.Body)
-	registerRequest := tailcfg.RegisterRequest{}
-	if err := json.Unmarshal(body, &registerRequest); err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Cannot parse RegisterRequest")
-		http.Error(writer, "Internal error", http.StatusInternalServerError)
-
-		return
-	}
-
-	// Reject unsupported versions
-	if registerRequest.Version < MinimumCapVersion {
-		log.Info().
-			Caller().
-			Int("min_version", int(MinimumCapVersion)).
-			Int("client_version", int(registerRequest.Version)).
-			Msg("unsupported client connected")
-		http.Error(writer, "Internal error", http.StatusBadRequest)
-
-		return
-	}
-
-	ns.nodeKey = registerRequest.NodeKey
-
-	ns.headscale.handleRegister(writer, req, registerRequest, ns.conn.Peer())
-}

hscontrol/auth_test.go

@@ -0,0 +1,130 @@
+package hscontrol
+
+import (
+	"net/http"
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/juanfont/headscale/hscontrol/types"
+)
+
+func TestCanUsePreAuthKey(t *testing.T) {
+	now := time.Now()
+	past := now.Add(-time.Hour)
+	future := now.Add(time.Hour)
+
+	tests := []struct {
+		name    string
+		pak     *types.PreAuthKey
+		wantErr bool
+		err     HTTPError
+	}{
+		{
+			name: "valid reusable key",
+			pak: &types.PreAuthKey{
+				Reusable:   true,
+				Used:       false,
+				Expiration: &future,
+			},
+			wantErr: false,
+		},
+		{
+			name: "valid non-reusable key",
+			pak: &types.PreAuthKey{
+				Reusable:   false,
+				Used:       false,
+				Expiration: &future,
+			},
+			wantErr: false,
+		},
+		{
+			name: "expired key",
+			pak: &types.PreAuthKey{
+				Reusable:   false,
+				Used:       false,
+				Expiration: &past,
+			},
+			wantErr: true,
+			err:     NewHTTPError(http.StatusUnauthorized, "authkey expired", nil),
+		},
+		{
+			name: "used non-reusable key",
+			pak: &types.PreAuthKey{
+				Reusable:   false,
+				Used:       true,
+				Expiration: &future,
+			},
+			wantErr: true,
+			err:     NewHTTPError(http.StatusUnauthorized, "authkey already used", nil),
+		},
+		{
+			name: "used reusable key",
+			pak: &types.PreAuthKey{
+				Reusable:   true,
+				Used:       true,
+				Expiration: &future,
+			},
+			wantErr: false,
+		},
+		{
+			name: "no expiration date",
+			pak: &types.PreAuthKey{
+				Reusable:   false,
+				Used:       false,
+				Expiration: nil,
+			},
+			wantErr: false,
+		},
+		{
+			name:    "nil preauth key",
+			pak:     nil,
+			wantErr: true,
+			err:     NewHTTPError(http.StatusUnauthorized, "invalid authkey", nil),
+		},
+		{
+			name: "expired and used key",
+			pak: &types.PreAuthKey{
+				Reusable:   false,
+				Used:       true,
+				Expiration: &past,
+			},
+			wantErr: true,
+			err:     NewHTTPError(http.StatusUnauthorized, "authkey expired", nil),
+		},
+		{
+			name: "no expiration and used key",
+			pak: &types.PreAuthKey{
+				Reusable:   false,
+				Used:       true,
+				Expiration: nil,
+			},
+			wantErr: true,
+			err:     NewHTTPError(http.StatusUnauthorized, "authkey already used", nil),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := canUsePreAuthKey(tt.pak)
+			if tt.wantErr {
+				if err == nil {
+					t.Errorf("expected error but got none")
+				} else {
+					httpErr, ok := err.(HTTPError)
+					if !ok {
+						t.Errorf("expected HTTPError but got %T", err)
+					} else {
+						if diff := cmp.Diff(tt.err, httpErr); diff != "" {
+							t.Errorf("unexpected error (-want +got):\n%s", diff)
+						}
+					}
+				}
+			} else {
+				if err != nil {
+					t.Errorf("expected no error but got %v", err)
+				}
+			}
+		})
+	}
+}

hscontrol/capver/capver.go

@@ -0,0 +1,106 @@
+package capver
+
+import (
+	"sort"
+	"strings"
+
+	xmaps "golang.org/x/exp/maps"
+	"tailscale.com/tailcfg"
+	"tailscale.com/util/set"
+)
+
+const MinSupportedCapabilityVersion tailcfg.CapabilityVersion = 88
+
+// CanOldCodeBeCleanedUp is intended to be called on startup to see if
+// there are old code that can ble cleaned up, entries should contain
+// a CapVer where something can be cleaned up and a panic if it can.
+// This is only intended to catch things in tests.
+//
+// All uses of Capability version checks should be listed here.
+func CanOldCodeBeCleanedUp() {
+	if MinSupportedCapabilityVersion >= 111 {
+		panic("LegacyDERP can be cleaned up in tail.go")
+	}
+}
+
+func tailscaleVersSorted() []string {
+	vers := xmaps.Keys(tailscaleToCapVer)
+	sort.Strings(vers)
+	return vers
+}
+
+func capVersSorted() []tailcfg.CapabilityVersion {
+	capVers := xmaps.Keys(capVerToTailscaleVer)
+	sort.Slice(capVers, func(i, j int) bool {
+		return capVers[i] < capVers[j]
+	})
+	return capVers
+}
+
+// TailscaleVersion returns the Tailscale version for the given CapabilityVersion.
+func TailscaleVersion(ver tailcfg.CapabilityVersion) string {
+	return capVerToTailscaleVer[ver]
+}
+
+// CapabilityVersion returns the CapabilityVersion for the given Tailscale version.
+func CapabilityVersion(ver string) tailcfg.CapabilityVersion {
+	if !strings.HasPrefix(ver, "v") {
+		ver = "v" + ver
+	}
+	return tailscaleToCapVer[ver]
+}
+
+// TailscaleLatest returns the n latest Tailscale versions.
+func TailscaleLatest(n int) []string {
+	if n <= 0 {
+		return nil
+	}
+
+	tsSorted := tailscaleVersSorted()
+
+	if n > len(tsSorted) {
+		return tsSorted
+	}
+
+	return tsSorted[len(tsSorted)-n:]
+}
+
+// TailscaleLatestMajorMinor returns the n latest Tailscale versions (e.g. 1.80).
+func TailscaleLatestMajorMinor(n int, stripV bool) []string {
+	if n <= 0 {
+		return nil
+	}
+
+	majors := set.Set[string]{}
+	for _, vers := range tailscaleVersSorted() {
+		if stripV {
+			vers = strings.TrimPrefix(vers, "v")
+		}
+		v := strings.Split(vers, ".")
+		majors.Add(v[0] + "." + v[1])
+	}
+
+	majorSl := majors.Slice()
+	sort.Strings(majorSl)
+
+	if n > len(majorSl) {
+		return majorSl
+	}
+
+	return majorSl[len(majorSl)-n:]
+}
+
+// CapVerLatest returns the n latest CapabilityVersions.
+func CapVerLatest(n int) []tailcfg.CapabilityVersion {
+	if n <= 0 {
+		return nil
+	}
+
+	s := capVersSorted()
+
+	if n > len(s) {
+		return s
+	}
+
+	return s[len(s)-n:]
+}

hscontrol/capver/capver_generated.go

@@ -0,0 +1,56 @@
+package capver
+
+//Generated DO NOT EDIT
+
+import "tailscale.com/tailcfg"
+
+var tailscaleToCapVer = map[string]tailcfg.CapabilityVersion{
+	"v1.44.3": 63,
+	"v1.56.1": 82,
+	"v1.58.0": 85,
+	"v1.58.1": 85,
+	"v1.58.2": 85,
+	"v1.60.0": 87,
+	"v1.60.1": 87,
+	"v1.62.0": 88,
+	"v1.62.1": 88,
+	"v1.64.0": 90,
+	"v1.64.1": 90,
+	"v1.64.2": 90,
+	"v1.66.0": 95,
+	"v1.66.1": 95,
+	"v1.66.2": 95,
+	"v1.66.3": 95,
+	"v1.66.4": 95,
+	"v1.68.0": 97,
+	"v1.68.1": 97,
+	"v1.68.2": 97,
+	"v1.70.0": 102,
+	"v1.72.0": 104,
+	"v1.72.1": 104,
+	"v1.74.0": 106,
+	"v1.74.1": 106,
+	"v1.76.0": 106,
+	"v1.76.1": 106,
+	"v1.76.6": 106,
+	"v1.78.0": 109,
+	"v1.78.1": 109,
+	"v1.80.0": 113,
+}
+
+
+var capVerToTailscaleVer = map[tailcfg.CapabilityVersion]string{
+	63:		"v1.44.3",
+	82:		"v1.56.1",
+	85:		"v1.58.0",
+	87:		"v1.60.0",
+	88:		"v1.62.0",
+	90:		"v1.64.0",
+	95:		"v1.66.0",
+	97:		"v1.68.0",
+	102:		"v1.70.0",
+	104:		"v1.72.0",
+	106:		"v1.74.0",
+	109:		"v1.78.0",
+	113:		"v1.80.0",
+}

hscontrol/capver/capver_test.go

@@ -0,0 +1,66 @@
+package capver
+
+import (
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"tailscale.com/tailcfg"
+)
+
+func TestTailscaleLatestMajorMinor(t *testing.T) {
+	tests := []struct {
+		n        int
+		stripV   bool
+		expected []string
+	}{
+		{3, false, []string{"v1.76", "v1.78", "v1.80"}},
+		{2, true, []string{"1.78", "1.80"}},
+		// Lazy way to see all supported versions
+		{10, true, []string{
+			"1.62",
+			"1.64",
+			"1.66",
+			"1.68",
+			"1.70",
+			"1.72",
+			"1.74",
+			"1.76",
+			"1.78",
+			"1.80",
+		}},
+		{0, false, nil},
+	}
+
+	for _, test := range tests {
+		t.Run("", func(t *testing.T) {
+			output := TailscaleLatestMajorMinor(test.n, test.stripV)
+			if diff := cmp.Diff(output, test.expected); diff != "" {
+				t.Errorf("TailscaleLatestMajorMinor(%d, %v) mismatch (-want +got):\n%s", test.n, test.stripV, diff)
+			}
+		})
+	}
+}
+
+func TestCapVerMinimumTailscaleVersion(t *testing.T) {
+	tests := []struct {
+		input    tailcfg.CapabilityVersion
+		expected string
+	}{
+		{85, "v1.58.0"},
+		{90, "v1.64.0"},
+		{95, "v1.66.0"},
+		{106, "v1.74.0"},
+		{109, "v1.78.0"},
+		{9001, ""}, // Test case for a version higher than any in the map
+		{60, ""},   // Test case for a version lower than any in the map
+	}
+
+	for _, test := range tests {
+		t.Run("", func(t *testing.T) {
+			output := TailscaleVersion(test.input)
+			if output != test.expected {
+				t.Errorf("CapVerFromTailscaleVersion(%d) = %s; want %s", test.input, output, test.expected)
+			}
+		})
+	}
+}

hscontrol/capver/gen/main.go

@@ -0,0 +1,157 @@
+package main
+
+//go:generate go run main.go
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"os"
+	"regexp"
+	"sort"
+	"strconv"
+	"strings"
+
+	xmaps "golang.org/x/exp/maps"
+	"tailscale.com/tailcfg"
+)
+
+const (
+	releasesURL = "https://api.github.com/repos/tailscale/tailscale/releases"
+	rawFileURL  = "https://github.com/tailscale/tailscale/raw/refs/tags/%s/tailcfg/tailcfg.go"
+	outputFile  = "../capver_generated.go"
+)
+
+type Release struct {
+	Name string `json:"name"`
+}
+
+func getCapabilityVersions() (map[string]tailcfg.CapabilityVersion, error) {
+	// Fetch the releases
+	resp, err := http.Get(releasesURL)
+	if err != nil {
+		return nil, fmt.Errorf("error fetching releases: %w", err)
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("error reading response body: %w", err)
+	}
+
+	var releases []Release
+	err = json.Unmarshal(body, &releases)
+	if err != nil {
+		return nil, fmt.Errorf("error unmarshalling JSON: %w", err)
+	}
+
+	// Regular expression to find the CurrentCapabilityVersion line
+	re := regexp.MustCompile(`const CurrentCapabilityVersion CapabilityVersion = (\d+)`)
+
+	versions := make(map[string]tailcfg.CapabilityVersion)
+
+	for _, release := range releases {
+		version := strings.TrimSpace(release.Name)
+		if !strings.HasPrefix(version, "v") {
+			version = "v" + version
+		}
+
+		// Fetch the raw Go file
+		rawURL := fmt.Sprintf(rawFileURL, version)
+		resp, err := http.Get(rawURL)
+		if err != nil {
+			fmt.Printf("Error fetching raw file for version %s: %v\n", version, err)
+			continue
+		}
+		defer resp.Body.Close()
+
+		body, err := io.ReadAll(resp.Body)
+		if err != nil {
+			fmt.Printf("Error reading raw file for version %s: %v\n", version, err)
+			continue
+		}
+
+		// Find the CurrentCapabilityVersion
+		matches := re.FindStringSubmatch(string(body))
+		if len(matches) > 1 {
+			capabilityVersionStr := matches[1]
+			capabilityVersion, _ := strconv.Atoi(capabilityVersionStr)
+			versions[version] = tailcfg.CapabilityVersion(capabilityVersion)
+		} else {
+			fmt.Printf("Version: %s, CurrentCapabilityVersion not found\n", version)
+		}
+	}
+
+	return versions, nil
+}
+
+func writeCapabilityVersionsToFile(versions map[string]tailcfg.CapabilityVersion) error {
+	// Open the output file
+	file, err := os.Create(outputFile)
+	if err != nil {
+		return fmt.Errorf("error creating file: %w", err)
+	}
+	defer file.Close()
+
+	// Write the package declaration and variable
+	file.WriteString("package capver\n\n")
+	file.WriteString("//Generated DO NOT EDIT\n\n")
+	file.WriteString(`import "tailscale.com/tailcfg"`)
+	file.WriteString("\n\n")
+	file.WriteString("var tailscaleToCapVer = map[string]tailcfg.CapabilityVersion{\n")
+
+	sortedVersions := xmaps.Keys(versions)
+	sort.Strings(sortedVersions)
+	for _, version := range sortedVersions {
+		file.WriteString(fmt.Sprintf("\t\"%s\": %d,\n", version, versions[version]))
+	}
+	file.WriteString("}\n")
+
+	file.WriteString("\n\n")
+	file.WriteString("var capVerToTailscaleVer = map[tailcfg.CapabilityVersion]string{\n")
+
+	capVarToTailscaleVer := make(map[tailcfg.CapabilityVersion]string)
+	for _, v := range sortedVersions {
+		cap := versions[v]
+		log.Printf("cap for v: %d, %s", cap, v)
+
+		// If it is already set, skip and continue,
+		// we only want the first tailscale vsion per
+		// capability vsion.
+		if _, ok := capVarToTailscaleVer[cap]; ok {
+			log.Printf("Skipping %d, %s", cap, v)
+			continue
+		}
+		log.Printf("Storing %d, %s", cap, v)
+		capVarToTailscaleVer[cap] = v
+	}
+
+	capsSorted := xmaps.Keys(capVarToTailscaleVer)
+	sort.Slice(capsSorted, func(i, j int) bool {
+		return capsSorted[i] < capsSorted[j]
+	})
+	for _, capVer := range capsSorted {
+		file.WriteString(fmt.Sprintf("\t%d:\t\t\"%s\",\n", capVer, capVarToTailscaleVer[capVer]))
+	}
+	file.WriteString("}\n")
+
+	return nil
+}
+
+func main() {
+	versions, err := getCapabilityVersions()
+	if err != nil {
+		fmt.Println("Error:", err)
+		return
+	}
+
+	err = writeCapabilityVersionsToFile(versions)
+	if err != nil {
+		fmt.Println("Error writing to file:", err)
+		return
+	}
+
+	fmt.Println("Capability versions written to", outputFile)
+}

hscontrol/db/db.go

@@ -41,7 +41,7 @@ type KV struct {
 type HSDatabase struct {
 	DB       *gorm.DB
 	cfg      *types.DatabaseConfig
-	regCache *zcache.Cache[string, types.Node]
+	regCache *zcache.Cache[types.RegistrationID, types.RegisterNode]
 
 	baseDomain string
 }
@@ -51,7 +51,7 @@ type HSDatabase struct {
 func NewHeadscaleDatabase(
 	cfg types.DatabaseConfig,
 	baseDomain string,
-	regCache *zcache.Cache[string, types.Node],
+	regCache *zcache.Cache[types.RegistrationID, types.RegisterNode],
 ) (*HSDatabase, error) {
 	dbConn, err := openDB(cfg)
 	if err != nil {
@@ -103,7 +103,7 @@ func NewHeadscaleDatabase(
 
 					dbConn.Model(&types.Node{}).Where("auth_key_id = ?", 0).Update("auth_key_id", nil)
 					// If the Node table has a column for registered,
-					// find all occourences of "false" and drop them. Then
+					// find all occurrences of "false" and drop them. Then
 					// remove the column.
 					if tx.Migrator().HasColumn(&types.Node{}, "registered") {
 						log.Info().
@@ -512,7 +512,7 @@ COMMIT;
 
 					err := tx.AutoMigrate(&types.User{})
 					if err != nil {
-						return err
+						return fmt.Errorf("automigrating types.User: %w", err)
 					}
 
 					return nil
@@ -527,7 +527,7 @@ COMMIT;
 				Migrate: func(tx *gorm.DB) error {
 					err := tx.AutoMigrate(&types.User{})
 					if err != nil {
-						return err
+						return fmt.Errorf("automigrating types.User: %w", err)
 					}
 
 					// Set up indexes and unique constraints outside of GORM, it does not support
@@ -575,7 +575,47 @@ COMMIT;
 
 					err := tx.AutoMigrate(&types.Route{})
 					if err != nil {
-						return err
+						return fmt.Errorf("automigrating types.Route: %w", err)
+					}
+
+					return nil
+				},
+				Rollback: func(db *gorm.DB) error { return nil },
+			},
+			// Add back constraint so you cannot delete preauth keys that
+			// is still used by a node.
+			{
+				ID: "202501311657",
+				Migrate: func(tx *gorm.DB) error {
+					err := tx.AutoMigrate(&types.PreAuthKey{})
+					if err != nil {
+						return fmt.Errorf("automigrating types.PreAuthKey: %w", err)
+					}
+					err = tx.AutoMigrate(&types.Node{})
+					if err != nil {
+						return fmt.Errorf("automigrating types.Node: %w", err)
+					}
+
+					return nil
+				},
+				Rollback: func(db *gorm.DB) error { return nil },
+			},
+			// Ensure there are no nodes refering to a deleted preauthkey.
+			{
+				ID: "202502070949",
+				Migrate: func(tx *gorm.DB) error {
+					if tx.Migrator().HasTable(&types.PreAuthKey{}) {
+						err := tx.Exec(`
+UPDATE nodes
+SET auth_key_id = NULL
+WHERE auth_key_id IS NOT NULL
+AND auth_key_id NOT IN (
+    SELECT id FROM pre_auth_keys
+);
+							`).Error
+						if err != nil {
+							return fmt.Errorf("setting auth_key to null on nodes with non-existing keys: %w", err)
+						}
 					}
 
 					return nil
@@ -649,7 +689,7 @@ func openDB(cfg types.DatabaseConfig) (*gorm.DB, error) {
 		}
 
 		// The pure Go SQLite library does not handle locking in
-		// the same way as the C based one and we cant use the gorm
+		// the same way as the C based one and we can't use the gorm
 		// connection pool as of 2022/02/23.
 		sqlDB, _ := db.DB()
 		sqlDB.SetMaxIdleConns(1)
@@ -712,7 +752,7 @@ func openDB(cfg types.DatabaseConfig) (*gorm.DB, error) {
 }
 
 func runMigrations(cfg types.DatabaseConfig, dbConn *gorm.DB, migrations *gormigrate.Gormigrate) error {
-	// Turn off foreign keys for the duration of the migration if using sqllite to
+	// Turn off foreign keys for the duration of the migration if using sqlite to
 	// prevent data loss due to the way the GORM migrator handles certain schema
 	// changes.
 	if cfg.Type == types.DatabaseSqlite {

hscontrol/db/db_test.go

@@ -201,6 +201,26 @@ func TestMigrationsSQLite(t *testing.T) {
 				}
 			},
 		},
+		{
+			dbPath: "testdata/failing-node-preauth-constraint.sqlite",
+			wantFunc: func(t *testing.T, h *HSDatabase) {
+				nodes, err := Read(h.DB, func(rx *gorm.DB) (types.Nodes, error) {
+					return ListNodes(rx)
+				})
+				require.NoError(t, err)
+
+				for _, node := range nodes {
+					assert.Falsef(t, node.MachineKey.IsZero(), "expected non zero machinekey")
+					assert.Contains(t, node.MachineKey.String(), "mkey:")
+					assert.Falsef(t, node.NodeKey.IsZero(), "expected non zero nodekey")
+					assert.Contains(t, node.NodeKey.String(), "nodekey:")
+					assert.Falsef(t, node.DiscoKey.IsZero(), "expected non zero discokey")
+					assert.Contains(t, node.DiscoKey.String(), "discokey:")
+					assert.Nil(t, node.AuthKey)
+					assert.Nil(t, node.AuthKeyID)
+				}
+			},
+		},
 	}
 
 	for _, tt := range tests {
@@ -260,8 +280,8 @@ func testCopyOfDatabase(src string) (string, error) {
 	return dst, err
 }
 
-func emptyCache() *zcache.Cache[string, types.Node] {
-	return zcache.New[string, types.Node](time.Minute, time.Hour)
+func emptyCache() *zcache.Cache[types.RegistrationID, types.RegisterNode] {
+	return zcache.New[types.RegistrationID, types.RegisterNode](time.Minute, time.Hour)
 }
 
 // requireConstraintFailed checks if the error is a constraint failure with

hscontrol/db/node.go

@@ -158,36 +158,28 @@ func GetNodeByMachineKey(
 	return &mach, nil
 }
 
-func (hsdb *HSDatabase) GetNodeByAnyKey(
-	machineKey key.MachinePublic,
-	nodeKey key.NodePublic,
-	oldNodeKey key.NodePublic,
-) (*types.Node, error) {
+func (hsdb *HSDatabase) GetNodeByNodeKey(nodeKey key.NodePublic) (*types.Node, error) {
 	return Read(hsdb.DB, func(rx *gorm.DB) (*types.Node, error) {
-		return GetNodeByAnyKey(rx, machineKey, nodeKey, oldNodeKey)
+		return GetNodeByNodeKey(rx, nodeKey)
 	})
 }
 
-// GetNodeByAnyKey finds a Node by its MachineKey, its current NodeKey or the old one, and returns the Node struct.
-// TODO(kradalby): see if we can remove this.
-func GetNodeByAnyKey(
+// GetNodeByNodeKey finds a Node by its NodeKey and returns the Node struct.
+func GetNodeByNodeKey(
 	tx *gorm.DB,
-	machineKey key.MachinePublic, nodeKey key.NodePublic, oldNodeKey key.NodePublic,
+	nodeKey key.NodePublic,
 ) (*types.Node, error) {
-	node := types.Node{}
+	mach := types.Node{}
 	if result := tx.
 		Preload("AuthKey").
 		Preload("AuthKey.User").
 		Preload("User").
 		Preload("Routes").
-		First(&node, "machine_key = ? OR node_key = ? OR node_key = ?",
-			machineKey.String(),
-			nodeKey.String(),
-			oldNodeKey.String()); result.Error != nil {
+		First(&mach, "node_key = ?", nodeKey.String()); result.Error != nil {
 		return nil, result.Error
 	}
 
-	return &node, nil
+	return &mach, nil
 }
 
 func (hsdb *HSDatabase) SetTags(
@@ -319,60 +311,83 @@ func SetLastSeen(tx *gorm.DB, nodeID types.NodeID, lastSeen time.Time) error {
 	return tx.Model(&types.Node{}).Where("id = ?", nodeID).Update("last_seen", lastSeen).Error
 }
 
-func (hsdb *HSDatabase) RegisterNodeFromAuthCallback(
-	mkey key.MachinePublic,
+// HandleNodeFromAuthPath is called from the OIDC or CLI auth path
+// with a registrationID to register or reauthenticate a node.
+// If the node found in the registration cache is not already registered,
+// it will be registered with the user and the node will be removed from the cache.
+// If the node is already registered, the expiry will be updated.
+// The node, and a boolean indicating if it was a new node or not, will be returned.
+func (hsdb *HSDatabase) HandleNodeFromAuthPath(
+	registrationID types.RegistrationID,
 	userID types.UserID,
 	nodeExpiry *time.Time,
 	registrationMethod string,
 	ipv4 *netip.Addr,
 	ipv6 *netip.Addr,
-) (*types.Node, error) {
-	return Write(hsdb.DB, func(tx *gorm.DB) (*types.Node, error) {
-		if node, ok := hsdb.regCache.Get(mkey.String()); ok {
-			user, err := GetUserByID(tx, userID)
-			if err != nil {
-				return nil, fmt.Errorf(
-					"failed to find user in register node from auth callback, %w",
-					err,
+) (*types.Node, bool, error) {
+	var newNode bool
+	node, err := Write(hsdb.DB, func(tx *gorm.DB) (*types.Node, error) {
+		if reg, ok := hsdb.regCache.Get(registrationID); ok {
+			if node, _ := GetNodeByNodeKey(tx, reg.Node.NodeKey); node == nil {
+				user, err := GetUserByID(tx, userID)
+				if err != nil {
+					return nil, fmt.Errorf(
+						"failed to find user in register node from auth callback, %w",
+						err,
+					)
+				}
+
+				log.Debug().
+					Str("registration_id", registrationID.String()).
+					Str("username", user.Username()).
+					Str("registrationMethod", registrationMethod).
+					Str("expiresAt", fmt.Sprintf("%v", nodeExpiry)).
+					Msg("Registering node from API/CLI or auth callback")
+
+				// TODO(kradalby): This looks quite wrong? why ID 0?
+				// Why not always?
+				// Registration of expired node with different user
+				if reg.Node.ID != 0 &&
+					reg.Node.UserID != user.ID {
+					return nil, ErrDifferentRegisteredUser
+				}
+
+				reg.Node.UserID = user.ID
+				reg.Node.User = *user
+				reg.Node.RegisterMethod = registrationMethod
+
+				if nodeExpiry != nil {
+					reg.Node.Expiry = nodeExpiry
+				}
+
+				node, err := RegisterNode(
+					tx,
+					reg.Node,
+					ipv4, ipv6,
 				)
+
+				if err == nil {
+					hsdb.regCache.Delete(registrationID)
+				}
+
+				// Signal to waiting clients that the machine has been registered.
+				close(reg.Registered)
+				newNode = true
+				return node, err
+			} else {
+				// If the node is already registered, this is a refresh.
+				err := NodeSetExpiry(tx, node.ID, *nodeExpiry)
+				if err != nil {
+					return nil, err
+				}
+				return node, nil
 			}
-
-			log.Debug().
-				Str("machine_key", mkey.ShortString()).
-				Str("username", user.Username()).
-				Str("registrationMethod", registrationMethod).
-				Str("expiresAt", fmt.Sprintf("%v", nodeExpiry)).
-				Msg("Registering node from API/CLI or auth callback")
-
-			// Registration of expired node with different user
-			if node.ID != 0 &&
-				node.UserID != user.ID {
-				return nil, ErrDifferentRegisteredUser
-			}
-
-			node.UserID = user.ID
-			node.User = *user
-			node.RegisterMethod = registrationMethod
-
-			if nodeExpiry != nil {
-				node.Expiry = nodeExpiry
-			}
-
-			node, err := RegisterNode(
-				tx,
-				node,
-				ipv4, ipv6,
-			)
-
-			if err == nil {
-				hsdb.regCache.Delete(mkey.String())
-			}
-
-			return node, err
 		}
 
 		return nil, ErrNodeNotFoundRegistrationCache
 	})
+
+	return node, newNode, err
 }
 
 func (hsdb *HSDatabase) RegisterNode(node types.Node, ipv4 *netip.Addr, ipv6 *netip.Addr) (*types.Node, error) {
@@ -390,6 +405,18 @@ func RegisterNode(tx *gorm.DB, node types.Node, ipv4 *netip.Addr, ipv6 *netip.Ad
 		Str("user", node.User.Username()).
 		Msg("Registering node")
 
+	// If the a new node is registered with the same machine key, to the same user,
+	// update the existing node.
+	// If the same node is registered again, but to a new user, then that is considered
+	// a new node.
+	oldNode, _ := GetNodeByMachineKey(tx, node.MachineKey)
+	if oldNode != nil && oldNode.UserID == node.UserID {
+		node.ID = oldNode.ID
+		node.GivenName = oldNode.GivenName
+		ipv4 = oldNode.IPv4
+		ipv6 = oldNode.IPv6
+	}
+
 	// If the node exists and it already has IP(s), we just save it
 	// so we store the node.Expire and node.Nodekey that has been set when
 	// adding it to the registrationCache

hscontrol/db/node_test.go

@@ -84,37 +84,6 @@ func (s *Suite) TestGetNodeByID(c *check.C) {
 	c.Assert(err, check.IsNil)
 }
 
-func (s *Suite) TestGetNodeByAnyNodeKey(c *check.C) {
-	user, err := db.CreateUser(types.User{Name: "test"})
-	c.Assert(err, check.IsNil)
-
-	pak, err := db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, nil)
-	c.Assert(err, check.IsNil)
-
-	_, err = db.GetNodeByID(0)
-	c.Assert(err, check.NotNil)
-
-	nodeKey := key.NewNode()
-	oldNodeKey := key.NewNode()
-
-	machineKey := key.NewMachine()
-
-	node := types.Node{
-		ID:             0,
-		MachineKey:     machineKey.Public(),
-		NodeKey:        nodeKey.Public(),
-		Hostname:       "testnode",
-		UserID:         user.ID,
-		RegisterMethod: util.RegisterMethodAuthKey,
-		AuthKeyID:      ptr.To(pak.ID),
-	}
-	trx := db.DB.Save(&node)
-	c.Assert(trx.Error, check.IsNil)
-
-	_, err = db.GetNodeByAnyKey(machineKey.Public(), nodeKey.Public(), oldNodeKey.Public())
-	c.Assert(err, check.IsNil)
-}
-
 func (s *Suite) TestHardDeleteNode(c *check.C) {
 	user, err := db.CreateUser(types.User{Name: "test"})
 	c.Assert(err, check.IsNil)

hscontrol/db/preauth_keys.go

@@ -10,7 +10,6 @@ import (
 
 	"github.com/juanfont/headscale/hscontrol/types"
 	"gorm.io/gorm"
-	"tailscale.com/types/ptr"
 	"tailscale.com/util/set"
 )
 
@@ -64,6 +63,7 @@ func CreatePreAuthKey(
 	}
 
 	now := time.Now().UTC()
+	// TODO(kradalby): unify the key generations spread all over the code.
 	kstr, err := generateKey()
 	if err != nil {
 		return nil, err
@@ -108,18 +108,21 @@ func ListPreAuthKeysByUser(tx *gorm.DB, uid types.UserID) ([]types.PreAuthKey, e
 	return keys, nil
 }
 
-// GetPreAuthKey returns a PreAuthKey for a given key.
-func GetPreAuthKey(tx *gorm.DB, user string, key string) (*types.PreAuthKey, error) {
-	pak, err := ValidatePreAuthKey(tx, key)
-	if err != nil {
-		return nil, err
+func (hsdb *HSDatabase) GetPreAuthKey(key string) (*types.PreAuthKey, error) {
+	return Read(hsdb.DB, func(rx *gorm.DB) (*types.PreAuthKey, error) {
+		return GetPreAuthKey(rx, key)
+	})
+}
+
+// GetPreAuthKey returns a PreAuthKey for a given key. The caller is responsible
+// for checking if the key is usable (expired or used).
+func GetPreAuthKey(tx *gorm.DB, key string) (*types.PreAuthKey, error) {
+	pak := types.PreAuthKey{}
+	if err := tx.Preload("User").First(&pak, "key = ?", key).Error; err != nil {
+		return nil, ErrPreAuthKeyNotFound
 	}
 
-	if pak.User.Name != user {
-		return nil, ErrUserMismatch
-	}
-
-	return pak, nil
+	return &pak, nil
 }
 
 // DestroyPreAuthKey destroys a preauthkey. Returns error if the PreAuthKey
@@ -140,15 +143,6 @@ func (hsdb *HSDatabase) ExpirePreAuthKey(k *types.PreAuthKey) error {
 	})
 }
 
-// MarkExpirePreAuthKey marks a PreAuthKey as expired.
-func ExpirePreAuthKey(tx *gorm.DB, k *types.PreAuthKey) error {
-	if err := tx.Model(&k).Update("Expiration", time.Now()).Error; err != nil {
-		return err
-	}
-
-	return nil
-}
-
 // UsePreAuthKey marks a PreAuthKey as used.
 func UsePreAuthKey(tx *gorm.DB, k *types.PreAuthKey) error {
 	k.Used = true
@@ -159,44 +153,13 @@ func UsePreAuthKey(tx *gorm.DB, k *types.PreAuthKey) error {
 	return nil
 }
 
-func (hsdb *HSDatabase) ValidatePreAuthKey(k string) (*types.PreAuthKey, error) {
-	return Read(hsdb.DB, func(rx *gorm.DB) (*types.PreAuthKey, error) {
-		return ValidatePreAuthKey(rx, k)
-	})
-}
-
-// ValidatePreAuthKey does the heavy lifting for validation of the PreAuthKey coming from a node
-// If returns no error and a PreAuthKey, it can be used.
-func ValidatePreAuthKey(tx *gorm.DB, k string) (*types.PreAuthKey, error) {
-	pak := types.PreAuthKey{}
-	if result := tx.Preload("User").First(&pak, "key = ?", k); errors.Is(
-		result.Error,
-		gorm.ErrRecordNotFound,
-	) {
-		return nil, ErrPreAuthKeyNotFound
+// MarkExpirePreAuthKey marks a PreAuthKey as expired.
+func ExpirePreAuthKey(tx *gorm.DB, k *types.PreAuthKey) error {
+	if err := tx.Model(&k).Update("Expiration", time.Now()).Error; err != nil {
+		return err
 	}
 
-	if pak.Expiration != nil && pak.Expiration.Before(time.Now()) {
-		return nil, ErrPreAuthKeyExpired
-	}
-
-	if pak.Reusable { // we don't need to check if has been used before
-		return &pak, nil
-	}
-
-	nodes := types.Nodes{}
-	if err := tx.
-		Preload("AuthKey").
-		Where(&types.Node{AuthKeyID: ptr.To(pak.ID)}).
-		Find(&nodes).Error; err != nil {
-		return nil, err
-	}
-
-	if len(nodes) != 0 || pak.Used {
-		return nil, ErrSingleUseAuthKeyHasBeenUsed
-	}
-
-	return &pak, nil
+	return nil
 }
 
 func generateKey() (string, error) {

hscontrol/db/preauth_keys_test.go

@@ -2,12 +2,15 @@ package db
 
 import (
 	"sort"
-	"time"
+	"testing"
 
 	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/juanfont/headscale/hscontrol/util"
-	"gopkg.in/check.v1"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"tailscale.com/types/ptr"
+
+	"gopkg.in/check.v1"
 )
 
 func (*Suite) TestCreatePreAuthKey(c *check.C) {
@@ -40,123 +43,6 @@ func (*Suite) TestCreatePreAuthKey(c *check.C) {
 	c.Assert((keys)[0].User.ID, check.Equals, user.ID)
 }
 
-func (*Suite) TestExpiredPreAuthKey(c *check.C) {
-	user, err := db.CreateUser(types.User{Name: "test2"})
-	c.Assert(err, check.IsNil)
-
-	now := time.Now().Add(-5 * time.Second)
-	pak, err := db.CreatePreAuthKey(types.UserID(user.ID), true, false, &now, nil)
-	c.Assert(err, check.IsNil)
-
-	key, err := db.ValidatePreAuthKey(pak.Key)
-	c.Assert(err, check.Equals, ErrPreAuthKeyExpired)
-	c.Assert(key, check.IsNil)
-}
-
-func (*Suite) TestPreAuthKeyDoesNotExist(c *check.C) {
-	key, err := db.ValidatePreAuthKey("potatoKey")
-	c.Assert(err, check.Equals, ErrPreAuthKeyNotFound)
-	c.Assert(key, check.IsNil)
-}
-
-func (*Suite) TestValidateKeyOk(c *check.C) {
-	user, err := db.CreateUser(types.User{Name: "test3"})
-	c.Assert(err, check.IsNil)
-
-	pak, err := db.CreatePreAuthKey(types.UserID(user.ID), true, false, nil, nil)
-	c.Assert(err, check.IsNil)
-
-	key, err := db.ValidatePreAuthKey(pak.Key)
-	c.Assert(err, check.IsNil)
-	c.Assert(key.ID, check.Equals, pak.ID)
-}
-
-func (*Suite) TestAlreadyUsedKey(c *check.C) {
-	user, err := db.CreateUser(types.User{Name: "test4"})
-	c.Assert(err, check.IsNil)
-
-	pak, err := db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, nil)
-	c.Assert(err, check.IsNil)
-
-	node := types.Node{
-		ID:             0,
-		Hostname:       "testest",
-		UserID:         user.ID,
-		RegisterMethod: util.RegisterMethodAuthKey,
-		AuthKeyID:      ptr.To(pak.ID),
-	}
-	trx := db.DB.Save(&node)
-	c.Assert(trx.Error, check.IsNil)
-
-	key, err := db.ValidatePreAuthKey(pak.Key)
-	c.Assert(err, check.Equals, ErrSingleUseAuthKeyHasBeenUsed)
-	c.Assert(key, check.IsNil)
-}
-
-func (*Suite) TestReusableBeingUsedKey(c *check.C) {
-	user, err := db.CreateUser(types.User{Name: "test5"})
-	c.Assert(err, check.IsNil)
-
-	pak, err := db.CreatePreAuthKey(types.UserID(user.ID), true, false, nil, nil)
-	c.Assert(err, check.IsNil)
-
-	node := types.Node{
-		ID:             1,
-		Hostname:       "testest",
-		UserID:         user.ID,
-		RegisterMethod: util.RegisterMethodAuthKey,
-		AuthKeyID:      ptr.To(pak.ID),
-	}
-	trx := db.DB.Save(&node)
-	c.Assert(trx.Error, check.IsNil)
-
-	key, err := db.ValidatePreAuthKey(pak.Key)
-	c.Assert(err, check.IsNil)
-	c.Assert(key.ID, check.Equals, pak.ID)
-}
-
-func (*Suite) TestNotReusableNotBeingUsedKey(c *check.C) {
-	user, err := db.CreateUser(types.User{Name: "test6"})
-	c.Assert(err, check.IsNil)
-
-	pak, err := db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, nil)
-	c.Assert(err, check.IsNil)
-
-	key, err := db.ValidatePreAuthKey(pak.Key)
-	c.Assert(err, check.IsNil)
-	c.Assert(key.ID, check.Equals, pak.ID)
-}
-
-func (*Suite) TestExpirePreauthKey(c *check.C) {
-	user, err := db.CreateUser(types.User{Name: "test3"})
-	c.Assert(err, check.IsNil)
-
-	pak, err := db.CreatePreAuthKey(types.UserID(user.ID), true, false, nil, nil)
-	c.Assert(err, check.IsNil)
-	c.Assert(pak.Expiration, check.IsNil)
-
-	err = db.ExpirePreAuthKey(pak)
-	c.Assert(err, check.IsNil)
-	c.Assert(pak.Expiration, check.NotNil)
-
-	key, err := db.ValidatePreAuthKey(pak.Key)
-	c.Assert(err, check.Equals, ErrPreAuthKeyExpired)
-	c.Assert(key, check.IsNil)
-}
-
-func (*Suite) TestNotReusableMarkedAsUsed(c *check.C) {
-	user, err := db.CreateUser(types.User{Name: "test6"})
-	c.Assert(err, check.IsNil)
-
-	pak, err := db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, nil)
-	c.Assert(err, check.IsNil)
-	pak.Used = true
-	db.DB.Save(&pak)
-
-	_, err = db.ValidatePreAuthKey(pak.Key)
-	c.Assert(err, check.Equals, ErrSingleUseAuthKeyHasBeenUsed)
-}
-
 func (*Suite) TestPreAuthKeyACLTags(c *check.C) {
 	user, err := db.CreateUser(types.User{Name: "test8"})
 	c.Assert(err, check.IsNil)
@@ -175,3 +61,25 @@ func (*Suite) TestPreAuthKeyACLTags(c *check.C) {
 	sort.Sort(sort.StringSlice(gotTags))
 	c.Assert(gotTags, check.DeepEquals, tags)
 }
+
+func TestCannotDeleteAssignedPreAuthKey(t *testing.T) {
+	db, err := newSQLiteTestDB()
+	require.NoError(t, err)
+	user, err := db.CreateUser(types.User{Name: "test8"})
+	assert.NoError(t, err)
+
+	key, err := db.CreatePreAuthKey(types.UserID(user.ID), false, false, nil, []string{"tag:good"})
+	assert.NoError(t, err)
+
+	node := types.Node{
+		ID:             0,
+		Hostname:       "testest",
+		UserID:         user.ID,
+		RegisterMethod: util.RegisterMethodAuthKey,
+		AuthKeyID:      ptr.To(key.ID),
+	}
+	db.DB.Save(&node)
+
+	err = db.DB.Delete(key).Error
+	require.ErrorContains(t, err, "constraint failed: FOREIGN KEY constraint failed")
+}

hscontrol/db/users.go

@@ -24,7 +24,7 @@ func (hsdb *HSDatabase) CreateUser(user types.User) (*types.User, error) {
 // CreateUser creates a new User. Returns error if could not be created
 // or another user already exists.
 func CreateUser(tx *gorm.DB, user types.User) (*types.User, error) {
-	err := util.CheckForFQDNRules(user.Name)
+	err := util.ValidateUsername(user.Name)
 	if err != nil {
 		return nil, err
 	}
@@ -81,6 +81,8 @@ func (hsdb *HSDatabase) RenameUser(uid types.UserID, newName string) error {
 	})
 }
 
+var ErrCannotChangeOIDCUser = errors.New("cannot edit OIDC user")
+
 // RenameUser renames a User. Returns error if the User does
 // not exist or if another User exists with the new name.
 func RenameUser(tx *gorm.DB, uid types.UserID, newName string) error {
@@ -89,11 +91,15 @@ func RenameUser(tx *gorm.DB, uid types.UserID, newName string) error {
 	if err != nil {
 		return err
 	}
-	err = util.CheckForFQDNRules(newName)
+	err = util.ValidateUsername(newName)
 	if err != nil {
 		return err
 	}
 
+	if oldUser.Provider == util.RegisterMethodOIDC {
+		return ErrCannotChangeOIDCUser
+	}
+
 	oldUser.Name = newName
 
 	if err := tx.Save(&oldUser).Error; err != nil {

hscontrol/grpcv1.go

@@ -181,11 +181,15 @@ func (api headscaleV1APIServer) ExpirePreAuthKey(
 	request *v1.ExpirePreAuthKeyRequest,
 ) (*v1.ExpirePreAuthKeyResponse, error) {
 	err := api.h.db.Write(func(tx *gorm.DB) error {
-		preAuthKey, err := db.GetPreAuthKey(tx, request.GetUser(), request.Key)
+		preAuthKey, err := db.GetPreAuthKey(tx, request.Key)
 		if err != nil {
 			return err
 		}
 
+		if preAuthKey.User.Name != request.GetUser() {
+			return fmt.Errorf("preauth key does not belong to user")
+		}
+
 		return db.ExpirePreAuthKey(tx, preAuthKey)
 	})
 	if err != nil {
@@ -227,11 +231,10 @@ func (api headscaleV1APIServer) RegisterNode(
 ) (*v1.RegisterNodeResponse, error) {
 	log.Trace().
 		Str("user", request.GetUser()).
-		Str("machine_key", request.GetKey()).
+		Str("registration_id", request.GetKey()).
 		Msg("Registering node")
 
-	var mkey key.MachinePublic
-	err := mkey.UnmarshalText([]byte(request.GetKey()))
+	registrationId, err := types.RegistrationIDFromString(request.GetKey())
 	if err != nil {
 		return nil, err
 	}
@@ -246,8 +249,8 @@ func (api headscaleV1APIServer) RegisterNode(
 		return nil, fmt.Errorf("looking up user: %w", err)
 	}
 
-	node, err := api.h.db.RegisterNodeFromAuthCallback(
-		mkey,
+	node, _, err := api.h.db.HandleNodeFromAuthPath(
+		registrationId,
 		types.UserID(user.ID),
 		nil,
 		util.RegisterMethodCLI,
@@ -257,10 +260,17 @@ func (api headscaleV1APIServer) RegisterNode(
 		return nil, err
 	}
 
-	err = nodesChangedHook(api.h.db, api.h.polMan, api.h.nodeNotifier)
+	updateSent, err := nodesChangedHook(api.h.db, api.h.polMan, api.h.nodeNotifier)
 	if err != nil {
 		return nil, fmt.Errorf("updating resources using node: %w", err)
 	}
+	if !updateSent {
+		ctx = types.NotifyCtx(context.Background(), "web-node-login", node.Hostname)
+		api.h.nodeNotifier.NotifyAll(ctx, types.StateUpdate{
+			Type:        types.StatePeerChanged,
+			ChangeNodes: []types.NodeID{node.ID},
+		})
+	}
 
 	return &v1.RegisterNodeResponse{Node: node.Proto()}, nil
 }
@@ -839,36 +849,36 @@ func (api headscaleV1APIServer) DebugCreateNode(
 		Hostname:    "DebugTestNode",
 	}
 
-	var mkey key.MachinePublic
-	err = mkey.UnmarshalText([]byte(request.GetKey()))
+	registrationId, err := types.RegistrationIDFromString(request.GetKey())
 	if err != nil {
 		return nil, err
 	}
 
-	nodeKey := key.NewNode()
+	newNode := types.RegisterNode{
+		Node: types.Node{
+			NodeKey:    key.NewNode().Public(),
+			MachineKey: key.NewMachine().Public(),
+			Hostname:   request.GetName(),
+			User:       *user,
 
-	newNode := types.Node{
-		MachineKey: mkey,
-		NodeKey:    nodeKey.Public(),
-		Hostname:   request.GetName(),
-		User:       *user,
+			Expiry:   &time.Time{},
+			LastSeen: &time.Time{},
 
-		Expiry:   &time.Time{},
-		LastSeen: &time.Time{},
-
-		Hostinfo: &hostinfo,
+			Hostinfo: &hostinfo,
+		},
+		Registered: make(chan struct{}),
 	}
 
 	log.Debug().
-		Str("machine_key", mkey.ShortString()).
+		Str("registration_id", registrationId.String()).
 		Msg("adding debug machine via CLI, appending to registration cache")
 
 	api.h.registrationCache.Set(
-		mkey.String(),
+		registrationId,
 		newNode,
 	)
 
-	return &v1.DebugCreateNodeResponse{Node: newNode.Proto()}, nil
+	return &v1.DebugCreateNodeResponse{Node: newNode.Node.Proto()}, nil
 }
 
 func (api headscaleV1APIServer) mustEmbedUnimplementedHeadscaleServiceServer() {}

hscontrol/handlers.go

@@ -8,16 +8,13 @@ import (
 	"net/http"
 	"strconv"
 	"strings"
-	"time"
 
-	"github.com/chasefleming/elem-go"
-	"github.com/chasefleming/elem-go/attrs"
 	"github.com/chasefleming/elem-go/styles"
 	"github.com/gorilla/mux"
 	"github.com/juanfont/headscale/hscontrol/templates"
+	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/rs/zerolog/log"
 	"tailscale.com/tailcfg"
-	"tailscale.com/types/key"
 )
 
 const (
@@ -32,11 +29,38 @@ const (
 	// See also https://github.com/tailscale/tailscale/blob/main/tailcfg/tailcfg.go
 	NoiseCapabilityVersion = 39
 
-	// TODO(juan): remove this once https://github.com/juanfont/headscale/issues/727 is fixed.
-	registrationHoldoff        = time.Second * 5
 	reservedResponseHeaderSize = 4
 )
 
+// httpError logs an error and sends an HTTP error response with the given
+func httpError(w http.ResponseWriter, err error) {
+	var herr HTTPError
+	if errors.As(err, &herr) {
+		http.Error(w, herr.Msg, herr.Code)
+		log.Error().Err(herr.Err).Int("code", herr.Code).Msgf("user msg: %s", herr.Msg)
+	} else {
+		http.Error(w, "internal server error", http.StatusInternalServerError)
+		log.Error().Err(err).Int("code", http.StatusInternalServerError).Msg("http internal server error")
+	}
+}
+
+// HTTPError represents an error that is surfaced to the user via web.
+type HTTPError struct {
+	Code int    // HTTP response code to send to client; 0 means 500
+	Msg  string // Response body to send to client
+	Err  error  // Detailed error to log on the server
+}
+
+func (e HTTPError) Error() string { return fmt.Sprintf("http error[%d]: %s, %s", e.Code, e.Msg, e.Err) }
+func (e HTTPError) Unwrap() error { return e.Err }
+
+// Error returns an HTTPError containing the given information.
+func NewHTTPError(code int, msg string, err error) HTTPError {
+	return HTTPError{Code: code, Msg: msg, Err: err}
+}
+
+var errMethodNotAllowed = NewHTTPError(http.StatusMethodNotAllowed, "method not allowed", nil)
+
 var ErrRegisterMethodCLIDoesNotSupportExpire = errors.New(
 	"machines registered with CLI does not support expire",
 )
@@ -46,18 +70,18 @@ func parseCabailityVersion(req *http.Request) (tailcfg.CapabilityVersion, error)
 	clientCapabilityStr := req.URL.Query().Get("v")
 
 	if clientCapabilityStr == "" {
-		return 0, ErrNoCapabilityVersion
+		return 0, NewHTTPError(http.StatusBadRequest, "capability version must be set", nil)
 	}
 
 	clientCapabilityVersion, err := strconv.Atoi(clientCapabilityStr)
 	if err != nil {
-		return 0, fmt.Errorf("failed to parse capability version: %w", err)
+		return 0, NewHTTPError(http.StatusBadRequest, "invalid capability version", fmt.Errorf("failed to parse capability version: %w", err))
 	}
 
 	return tailcfg.CapabilityVersion(clientCapabilityVersion), nil
 }
 
-func (h *Headscale) handleVerifyRequest(
+func (h *Headscale) derpRequestIsAllowed(
 	req *http.Request,
 ) (bool, error) {
 	body, err := io.ReadAll(req.Body)
@@ -84,21 +108,14 @@ func (h *Headscale) VerifyHandler(
 	req *http.Request,
 ) {
 	if req.Method != http.MethodPost {
-		http.Error(writer, "Wrong method", http.StatusMethodNotAllowed)
-
+		httpError(writer, errMethodNotAllowed)
 		return
 	}
-	log.Debug().
-		Str("handler", "/verify").
-		Msg("verify client")
 
-	allow, err := h.handleVerifyRequest(req)
+	allow, err := h.derpRequestIsAllowed(req)
 	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to verify client")
-		http.Error(writer, "Internal error", http.StatusInternalServerError)
+		httpError(writer, err)
+		return
 	}
 
 	resp := tailcfg.DERPAdmitClientResponse{
@@ -106,14 +123,7 @@ func (h *Headscale) VerifyHandler(
 	}
 
 	writer.Header().Set("Content-Type", "application/json")
-	writer.WriteHeader(http.StatusOK)
-	err = json.NewEncoder(writer).Encode(resp)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
-	}
+	json.NewEncoder(writer).Encode(resp)
 }
 
 // KeyHandler provides the Headscale pub key
@@ -125,35 +135,17 @@ func (h *Headscale) KeyHandler(
 	// New Tailscale clients send a 'v' parameter to indicate the CurrentCapabilityVersion
 	capVer, err := parseCabailityVersion(req)
 	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("could not get capability version")
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
-		writer.WriteHeader(http.StatusInternalServerError)
-
+		httpError(writer, err)
 		return
 	}
 
-	log.Debug().
-		Str("handler", "/key").
-		Int("cap_ver", int(capVer)).
-		Msg("New noise client")
-
 	// TS2021 (Tailscale v2 protocol) requires to have a different key
 	if capVer >= NoiseCapabilityVersion {
 		resp := tailcfg.OverTLSPublicKeyResponse{
 			PublicKey: h.noisePrivateKey.Public(),
 		}
 		writer.Header().Set("Content-Type", "application/json")
-		writer.WriteHeader(http.StatusOK)
-		err = json.NewEncoder(writer).Encode(resp)
-		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
+		json.NewEncoder(writer).Encode(resp)
 
 		return
 	}
@@ -174,18 +166,10 @@ func (h *Headscale) HealthHandler(
 
 		if err != nil {
 			writer.WriteHeader(http.StatusInternalServerError)
-			log.Error().Caller().Err(err).Msg("health check failed")
 			res.Status = "fail"
 		}
 
-		buf, err := json.Marshal(res)
-		if err != nil {
-			log.Error().Caller().Err(err).Msg("marshal failed")
-		}
-		_, err = writer.Write(buf)
-		if err != nil {
-			log.Error().Caller().Err(err).Msg("write failed")
-		}
+		json.NewEncoder(writer).Encode(res)
 	}
 
 	if err := h.db.PingDB(req.Context()); err != nil {
@@ -204,31 +188,6 @@ var codeStyleRegisterWebAPI = styles.Props{
 	styles.BackgroundColor: "#eee",
 }
 
-func registerWebHTML(key string) *elem.Element {
-	return elem.Html(nil,
-		elem.Head(
-			nil,
-			elem.Title(nil, elem.Text("Registration - Headscale")),
-			elem.Meta(attrs.Props{
-				attrs.Name:    "viewport",
-				attrs.Content: "width=device-width, initial-scale=1",
-			}),
-		),
-		elem.Body(attrs.Props{
-			attrs.Style: styles.Props{
-				styles.FontFamily: "sans",
-			}.ToInline(),
-		},
-			elem.H1(nil, elem.Text("headscale")),
-			elem.H2(nil, elem.Text("Machine registration")),
-			elem.P(nil, elem.Text("Run the command below in the headscale server to add this machine to your network:")),
-			elem.Code(attrs.Props{attrs.Style: codeStyleRegisterWebAPI.ToInline()},
-				elem.Text(fmt.Sprintf("headscale nodes register --user USERNAME --key %s", key)),
-			),
-		),
-	)
-}
-
 type AuthProviderWeb struct {
 	serverURL string
 }
@@ -239,15 +198,15 @@ func NewAuthProviderWeb(serverURL string) *AuthProviderWeb {
 	}
 }
 
-func (a *AuthProviderWeb) AuthURL(mKey key.MachinePublic) string {
+func (a *AuthProviderWeb) AuthURL(registrationId types.RegistrationID) string {
 	return fmt.Sprintf(
 		"%s/register/%s",
 		strings.TrimSuffix(a.serverURL, "/"),
-		mKey.String())
+		registrationId.String())
 }
 
 // RegisterWebAPI shows a simple message in the browser to point to the CLI
-// Listens in /register/:nkey.
+// Listens in /register/:registration_id.
 //
 // This is not part of the Tailscale control API, as we could send whatever URL
 // in the RegisterResponse.AuthURL field.
@@ -256,39 +215,18 @@ func (a *AuthProviderWeb) RegisterHandler(
 	req *http.Request,
 ) {
 	vars := mux.Vars(req)
-	machineKeyStr := vars["mkey"]
+	registrationIdStr := vars["registration_id"]
 
 	// We need to make sure we dont open for XSS style injections, if the parameter that
 	// is passed as a key is not parsable/validated as a NodePublic key, then fail to render
 	// the template and log an error.
-	var machineKey key.MachinePublic
-	err := machineKey.UnmarshalText(
-		[]byte(machineKeyStr),
-	)
+	registrationId, err := types.RegistrationIDFromString(registrationIdStr)
 	if err != nil {
-		log.Warn().Err(err).Msg("Failed to parse incoming machinekey")
-
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
-		writer.WriteHeader(http.StatusBadRequest)
-		_, err := writer.Write([]byte("Wrong params"))
-		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
-
+		httpError(writer, NewHTTPError(http.StatusBadRequest, "invalid registration id", err))
 		return
 	}
 
 	writer.Header().Set("Content-Type", "text/html; charset=utf-8")
 	writer.WriteHeader(http.StatusOK)
-	if _, err := writer.Write([]byte(registerWebHTML(machineKey.String()).Render())); err != nil {
-		if _, err := writer.Write([]byte(templates.RegisterWeb(machineKey.String()).Render())); err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
-	}
+	writer.Write([]byte(templates.RegisterWeb(registrationId).Render()))
 }

hscontrol/mapper/mapper_test.go

@@ -227,7 +227,8 @@ func Test_fullMapResponse(t *testing.T) {
 			tsaddr.AllIPv4(),
 			netip.MustParsePrefix("192.168.0.0/24"),
 		},
-		DERP:              "127.3.3.40:0",
+		HomeDERP:          0,
+		LegacyDERPString:  "127.3.3.40:0",
 		Hostinfo:          hiview(tailcfg.Hostinfo{}),
 		Created:           created,
 		Tags:              []string{},
@@ -282,7 +283,8 @@ func Test_fullMapResponse(t *testing.T) {
 		),
 		Addresses:         []netip.Prefix{netip.MustParsePrefix("100.64.0.2/32")},
 		AllowedIPs:        []netip.Prefix{netip.MustParsePrefix("100.64.0.2/32")},
-		DERP:              "127.3.3.40:0",
+		HomeDERP:          0,
+		LegacyDERPString:  "127.3.3.40:0",
 		Hostinfo:          hiview(tailcfg.Hostinfo{}),
 		Created:           created,
 		Tags:              []string{},

hscontrol/mapper/tail.go

@@ -62,11 +62,16 @@ func tailNode(
 		}
 	}
 
-	var derp string
+	var derp int
+
+	// TODO(kradalby): legacyDERP was removed in tailscale/tailscale@2fc4455e6dd9ab7f879d4e2f7cffc2be81f14077
+	// and should be removed after 111 is the minimum capver.
+	var legacyDERP string
 	if node.Hostinfo != nil && node.Hostinfo.NetInfo != nil {
-		derp = fmt.Sprintf("127.3.3.40:%d", node.Hostinfo.NetInfo.PreferredDERP)
+		legacyDERP = fmt.Sprintf("127.3.3.40:%d", node.Hostinfo.NetInfo.PreferredDERP)
+		derp = node.Hostinfo.NetInfo.PreferredDERP
 	} else {
-		derp = "127.3.3.40:0" // Zero means disconnected or unknown.
+		legacyDERP = "127.3.3.40:0" // Zero means disconnected or unknown.
 	}
 
 	var keyExpiry time.Time
@@ -95,14 +100,15 @@ func tailNode(
 		Key:       node.NodeKey,
 		KeyExpiry: keyExpiry.UTC(),
 
-		Machine:    node.MachineKey,
-		DiscoKey:   node.DiscoKey,
-		Addresses:  addrs,
-		AllowedIPs: allowedIPs,
-		Endpoints:  node.Endpoints,
-		DERP:       derp,
-		Hostinfo:   node.Hostinfo.View(),
-		Created:    node.CreatedAt.UTC(),
+		Machine:          node.MachineKey,
+		DiscoKey:         node.DiscoKey,
+		Addresses:        addrs,
+		AllowedIPs:       allowedIPs,
+		Endpoints:        node.Endpoints,
+		HomeDERP:         derp,
+		LegacyDERPString: legacyDERP,
+		Hostinfo:         node.Hostinfo.View(),
+		Created:          node.CreatedAt.UTC(),
 
 		Online: node.IsOnline,
 

hscontrol/mapper/tail_test.go

@@ -68,7 +68,8 @@ func TestTailNode(t *testing.T) {
 				StableID:          "0",
 				Addresses:         []netip.Prefix{},
 				AllowedIPs:        []netip.Prefix{},
-				DERP:              "127.3.3.40:0",
+				HomeDERP:          0,
+				LegacyDERPString:  "127.3.3.40:0",
 				Hostinfo:          hiview(tailcfg.Hostinfo{}),
 				Tags:              []string{},
 				PrimaryRoutes:     []netip.Prefix{},
@@ -156,9 +157,10 @@ func TestTailNode(t *testing.T) {
 					tsaddr.AllIPv4(),
 					netip.MustParsePrefix("192.168.0.0/24"),
 				},
-				DERP:     "127.3.3.40:0",
-				Hostinfo: hiview(tailcfg.Hostinfo{}),
-				Created:  created,
+				HomeDERP:         0,
+				LegacyDERPString: "127.3.3.40:0",
+				Hostinfo:         hiview(tailcfg.Hostinfo{}),
+				Created:          created,
 
 				Tags: []string{},
 

hscontrol/noise.go

@@ -3,13 +3,17 @@ package hscontrol
 import (
 	"encoding/binary"
 	"encoding/json"
+	"errors"
+	"fmt"
 	"io"
 	"net/http"
 
 	"github.com/gorilla/mux"
+	"github.com/juanfont/headscale/hscontrol/capver"
 	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/rs/zerolog/log"
 	"golang.org/x/net/http2"
+	"gorm.io/gorm"
 	"tailscale.com/control/controlbase"
 	"tailscale.com/control/controlhttp/controlhttpserver"
 	"tailscale.com/tailcfg"
@@ -79,9 +83,7 @@ func (h *Headscale) NoiseUpgradeHandler(
 		noiseServer.earlyNoise,
 	)
 	if err != nil {
-		log.Error().Err(err).Msg("noise upgrade failed")
-		http.Error(writer, err.Error(), http.StatusInternalServerError)
-
+		httpError(writer, fmt.Errorf("noise upgrade failed: %w", err))
 		return
 	}
 
@@ -115,18 +117,8 @@ func (h *Headscale) NoiseUpgradeHandler(
 }
 
 func (ns *noiseServer) earlyNoise(protocolVersion int, writer io.Writer) error {
-	log.Trace().
-		Caller().
-		Int("protocol_version", protocolVersion).
-		Str("challenge", ns.challenge.Public().String()).
-		Msg("earlyNoise called")
-
-	if protocolVersion < earlyNoiseCapabilityVersion {
-		log.Trace().
-			Caller().
-			Msgf("protocol version %d does not support early noise", protocolVersion)
-
-		return nil
+	if !isSupportedVersion(tailcfg.CapabilityVersion(protocolVersion)) {
+		return fmt.Errorf("unsupported client version: %d", protocolVersion)
 	}
 
 	earlyJSON, err := json.Marshal(&tailcfg.EarlyNoise{
@@ -158,9 +150,34 @@ func (ns *noiseServer) earlyNoise(protocolVersion int, writer io.Writer) error {
 	return nil
 }
 
-const (
-	MinimumCapVersion tailcfg.CapabilityVersion = 82
-)
+func isSupportedVersion(version tailcfg.CapabilityVersion) bool {
+	return version >= capver.MinSupportedCapabilityVersion
+}
+
+func rejectUnsupported(
+	writer http.ResponseWriter,
+	version tailcfg.CapabilityVersion,
+	mkey key.MachinePublic,
+	nkey key.NodePublic,
+) bool {
+	// Reject unsupported versions
+	if !isSupportedVersion(version) {
+		log.Error().
+			Caller().
+			Int("minimum_cap_ver", int(capver.MinSupportedCapabilityVersion)).
+			Int("client_cap_ver", int(version)).
+			Str("minimum_version", capver.TailscaleVersion(capver.MinSupportedCapabilityVersion)).
+			Str("client_version", capver.TailscaleVersion(version)).
+			Str("node_key", nkey.ShortString()).
+			Str("machine_key", mkey.ShortString()).
+			Msg("unsupported client connected")
+		http.Error(writer, "unsupported client version", http.StatusBadRequest)
+
+		return true
+	}
+
+	return false
+}
 
 // NoisePollNetMapHandler takes care of /machine/:id/map using the Noise protocol
 //
@@ -177,50 +194,26 @@ func (ns *noiseServer) NoisePollNetMapHandler(
 ) {
 	body, _ := io.ReadAll(req.Body)
 
-	mapRequest := tailcfg.MapRequest{}
+	var mapRequest tailcfg.MapRequest
 	if err := json.Unmarshal(body, &mapRequest); err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Cannot parse MapRequest")
-		http.Error(writer, "Internal error", http.StatusInternalServerError)
-
+		httpError(writer, err)
 		return
 	}
 
-	log.Trace().
-		Caller().
-		Str("handler", "NoisePollNetMap").
-		Any("headers", req.Header).
-		Str("node", mapRequest.Hostinfo.Hostname).
-		Int("capver", int(mapRequest.Version)).
-		Msg("PollNetMapHandler called")
-
 	// Reject unsupported versions
-	if mapRequest.Version < MinimumCapVersion {
-		log.Info().
-			Caller().
-			Int("min_version", int(MinimumCapVersion)).
-			Int("client_version", int(mapRequest.Version)).
-			Msg("unsupported client connected")
-		http.Error(writer, "Internal error", http.StatusBadRequest)
-
+	if rejectUnsupported(writer, mapRequest.Version, ns.machineKey, mapRequest.NodeKey) {
 		return
 	}
 
 	ns.nodeKey = mapRequest.NodeKey
 
-	node, err := ns.headscale.db.GetNodeByAnyKey(
-		ns.conn.Peer(),
-		mapRequest.NodeKey,
-		key.NodePublic{},
-	)
+	node, err := ns.headscale.db.GetNodeByNodeKey(mapRequest.NodeKey)
 	if err != nil {
-		log.Error().
-			Str("handler", "NoisePollNetMap").
-			Msgf("Failed to fetch node from the database with node key: %s", mapRequest.NodeKey.String())
-		http.Error(writer, "Internal error", http.StatusInternalServerError)
-
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			httpError(writer, NewHTTPError(http.StatusNotFound, "node not found", nil))
+			return
+		}
+		httpError(writer, err)
 		return
 	}
 
@@ -232,3 +225,64 @@ func (ns *noiseServer) NoisePollNetMapHandler(
 		sess.serveLongPoll()
 	}
 }
+
+// NoiseRegistrationHandler handles the actual registration process of a node.
+func (ns *noiseServer) NoiseRegistrationHandler(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
+	if req.Method != http.MethodPost {
+		httpError(writer, errMethodNotAllowed)
+
+		return
+	}
+
+	registerRequest, registerResponse, err := func() (*tailcfg.RegisterRequest, []byte, error) {
+		body, err := io.ReadAll(req.Body)
+		if err != nil {
+			return nil, nil, err
+		}
+		var registerRequest tailcfg.RegisterRequest
+		if err := json.Unmarshal(body, &registerRequest); err != nil {
+			return nil, nil, err
+		}
+
+		ns.nodeKey = registerRequest.NodeKey
+
+		resp, err := ns.headscale.handleRegister(req.Context(), registerRequest, ns.conn.Peer())
+		// TODO(kradalby): Here we could have two error types, one that is surfaced to the client
+		// and one that returns 500.
+		if err != nil {
+			return nil, nil, err
+		}
+
+		respBody, err := json.Marshal(resp)
+		if err != nil {
+			return nil, nil, err
+		}
+
+		return &registerRequest, respBody, nil
+	}()
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Error handling registration")
+		http.Error(writer, "Internal server error", http.StatusInternalServerError)
+	}
+
+	// Reject unsupported versions
+	if rejectUnsupported(writer, registerRequest.Version, ns.machineKey, registerRequest.NodeKey) {
+		return
+	}
+
+	writer.Header().Set("Content-Type", "application/json; charset=utf-8")
+	writer.WriteHeader(http.StatusOK)
+	_, err = writer.Write(registerResponse)
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Failed to write response")
+	}
+}

hscontrol/notifier/notifier.go

@@ -153,7 +153,7 @@ func (n *Notifier) IsConnected(nodeID types.NodeID) bool {
 }
 
 // IsLikelyConnected reports if a node is connected to headscale and has a
-// poll session open, but doesnt lock, so might be wrong.
+// poll session open, but doesn't lock, so might be wrong.
 func (n *Notifier) IsLikelyConnected(nodeID types.NodeID) bool {
 	if val, ok := n.connected.Load(nodeID); ok {
 		return val

hscontrol/notifier/notifier_test.go

@@ -223,7 +223,7 @@ func TestBatcher(t *testing.T) {
 					// so do not run the worker.
 					BatchChangeDelay: time.Hour,
 
-					// Since we do not load the config, we wont get the
+					// Since we do not load the config, we won't get the
 					// default, so set it manually so we dont time out
 					// and have flakes.
 					NotifierSendTimeout: time.Second,

hscontrol/oidc.go

@@ -21,7 +21,6 @@ import (
 	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/rs/zerolog/log"
 	"golang.org/x/oauth2"
-	"tailscale.com/types/key"
 	"zgo.at/zcache/v2"
 )
 
@@ -49,8 +48,8 @@ var (
 
 // RegistrationInfo contains both machine key and verifier information for OIDC validation.
 type RegistrationInfo struct {
-	MachineKey key.MachinePublic
-	Verifier   *string
+	RegistrationID types.RegistrationID
+	Verifier       *string
 }
 
 type AuthProviderOIDC struct {
@@ -112,11 +111,11 @@ func NewAuthProviderOIDC(
 	}, nil
 }
 
-func (a *AuthProviderOIDC) AuthURL(mKey key.MachinePublic) string {
+func (a *AuthProviderOIDC) AuthURL(registrationID types.RegistrationID) string {
 	return fmt.Sprintf(
 		"%s/register/%s",
 		strings.TrimSuffix(a.serverURL, "/"),
-		mKey.String())
+		registrationID.String())
 }
 
 func (a *AuthProviderOIDC) determineNodeExpiry(idTokenExpiration time.Time) time.Time {
@@ -129,49 +128,40 @@ func (a *AuthProviderOIDC) determineNodeExpiry(idTokenExpiration time.Time) time
 
 // RegisterOIDC redirects to the OIDC provider for authentication
 // Puts NodeKey in cache so the callback can retrieve it using the oidc state param
-// Listens in /register/:mKey.
+// Listens in /register/:registration_id.
 func (a *AuthProviderOIDC) RegisterHandler(
 	writer http.ResponseWriter,
 	req *http.Request,
 ) {
 	vars := mux.Vars(req)
-	machineKeyStr, ok := vars["mkey"]
-
-	log.Debug().
-		Caller().
-		Str("machine_key", machineKeyStr).
-		Bool("ok", ok).
-		Msg("Received oidc register call")
+	registrationIdStr, _ := vars["registration_id"]
 
 	// We need to make sure we dont open for XSS style injections, if the parameter that
 	// is passed as a key is not parsable/validated as a NodePublic key, then fail to render
 	// the template and log an error.
-	var machineKey key.MachinePublic
-	err := machineKey.UnmarshalText(
-		[]byte(machineKeyStr),
-	)
+	registrationId, err := types.RegistrationIDFromString(registrationIdStr)
 	if err != nil {
-		http.Error(writer, err.Error(), http.StatusBadRequest)
+		httpError(writer, NewHTTPError(http.StatusBadRequest, "invalid registration id", err))
 		return
 	}
 
 	// Set the state and nonce cookies to protect against CSRF attacks
 	state, err := setCSRFCookie(writer, req, "state")
 	if err != nil {
-		http.Error(writer, "Internal server error", http.StatusInternalServerError)
+		httpError(writer, err)
 		return
 	}
 
 	// Set the state and nonce cookies to protect against CSRF attacks
 	nonce, err := setCSRFCookie(writer, req, "nonce")
 	if err != nil {
-		http.Error(writer, "Internal server error", http.StatusInternalServerError)
+		httpError(writer, err)
 		return
 	}
 
 	// Initialize registration info with machine key
 	registrationInfo := RegistrationInfo{
-		MachineKey: machineKey,
+		RegistrationID: registrationId,
 	}
 
 	extras := make([]oauth2.AuthCodeOption, 0, len(a.cfg.ExtraParams)+defaultOAuthOptionsCount)
@@ -229,35 +219,34 @@ func (a *AuthProviderOIDC) OIDCCallbackHandler(
 ) {
 	code, state, err := extractCodeAndStateParamFromRequest(req)
 	if err != nil {
-		http.Error(writer, err.Error(), http.StatusBadRequest)
+		httpError(writer, err)
 		return
 	}
 
-	log.Debug().Interface("cookies", req.Cookies()).Msg("Received oidc callback")
 	cookieState, err := req.Cookie("state")
 	if err != nil {
-		http.Error(writer, "state not found", http.StatusBadRequest)
+		httpError(writer, NewHTTPError(http.StatusBadRequest, "state not found", err))
 		return
 	}
 
 	if state != cookieState.Value {
-		http.Error(writer, "state did not match", http.StatusBadRequest)
+		httpError(writer, NewHTTPError(http.StatusForbidden, "state did not match", nil))
 		return
 	}
 
 	idToken, err := a.extractIDToken(req.Context(), code, state)
 	if err != nil {
-		http.Error(writer, err.Error(), http.StatusBadRequest)
+		httpError(writer, err)
 		return
 	}
 
 	nonce, err := req.Cookie("nonce")
 	if err != nil {
-		http.Error(writer, "nonce not found", http.StatusBadRequest)
+		httpError(writer, NewHTTPError(http.StatusBadRequest, "nonce not found", err))
 		return
 	}
 	if idToken.Nonce != nonce.Value {
-		http.Error(writer, "nonce did not match", http.StatusBadRequest)
+		httpError(writer, NewHTTPError(http.StatusForbidden, "nonce did not match", nil))
 		return
 	}
 
@@ -265,76 +254,54 @@ func (a *AuthProviderOIDC) OIDCCallbackHandler(
 
 	var claims types.OIDCClaims
 	if err := idToken.Claims(&claims); err != nil {
-		http.Error(writer, fmt.Errorf("failed to decode ID token claims: %w", err).Error(), http.StatusInternalServerError)
+		httpError(writer, fmt.Errorf("decoding ID token claims: %w", err))
 		return
 	}
 
 	if err := validateOIDCAllowedDomains(a.cfg.AllowedDomains, &claims); err != nil {
-		http.Error(writer, err.Error(), http.StatusUnauthorized)
+		httpError(writer, err)
 		return
 	}
 
 	if err := validateOIDCAllowedGroups(a.cfg.AllowedGroups, &claims); err != nil {
-		http.Error(writer, err.Error(), http.StatusUnauthorized)
+		httpError(writer, err)
 		return
 	}
 
 	if err := validateOIDCAllowedUsers(a.cfg.AllowedUsers, &claims); err != nil {
-		http.Error(writer, err.Error(), http.StatusUnauthorized)
+		httpError(writer, err)
 		return
 	}
 
 	user, err := a.createOrUpdateUserFromClaim(&claims)
 	if err != nil {
-		http.Error(writer, err.Error(), http.StatusInternalServerError)
+		httpError(writer, err)
 		return
 	}
 
-	// Retrieve the node and the machine key from the state cache and
-	// database.
+	// TODO(kradalby): Is this comment right?
 	// If the node exists, then the node should be reauthenticated,
 	// if the node does not exist, and the machine key exists, then
 	// this is a new node that should be registered.
-	node, mKey := a.getMachineKeyFromState(state)
+	registrationId := a.getRegistrationIDFromState(state)
 
-	// Reauthenticate the node if it does exists.
-	if node != nil {
-		err := a.reauthenticateNode(node, nodeExpiry)
+	// Register the node if it does not exist.
+	if registrationId != nil {
+		verb := "Reauthenticated"
+		newNode, err := a.handleRegistration(user, *registrationId, nodeExpiry)
 		if err != nil {
-			http.Error(writer, err.Error(), http.StatusInternalServerError)
+			httpError(writer, err)
 			return
 		}
 
+		if newNode {
+			verb = "Authenticated"
+		}
+
 		// TODO(kradalby): replace with go-elem
-		var content bytes.Buffer
-		if err := oidcCallbackTemplate.Execute(&content, oidcCallbackTemplateConfig{
-			User: user.DisplayNameOrUsername(),
-			Verb: "Reauthenticated",
-		}); err != nil {
-			http.Error(writer, fmt.Errorf("rendering OIDC callback template: %w", err).Error(), http.StatusInternalServerError)
-			return
-		}
-
-		writer.Header().Set("Content-Type", "text/html; charset=utf-8")
-		writer.WriteHeader(http.StatusOK)
-		_, err = writer.Write(content.Bytes())
+		content, err := renderOIDCCallbackTemplate(user, verb)
 		if err != nil {
-			util.LogErr(err, "Failed to write response")
-		}
-
-		return
-	}
-
-	// Register the node if it does not exist.
-	if mKey != nil {
-		if err := a.registerNode(user, mKey, nodeExpiry); err != nil {
-			http.Error(writer, err.Error(), http.StatusInternalServerError)
-			return
-		}
-
-		content, err := renderOIDCCallbackTemplate(user)
-		if err != nil {
-			http.Error(writer, err.Error(), http.StatusInternalServerError)
+			httpError(writer, err)
 			return
 		}
 
@@ -349,7 +316,7 @@ func (a *AuthProviderOIDC) OIDCCallbackHandler(
 
 	// Neither node nor machine key was found in the state cache meaning
 	// that we could not reauth nor register the node.
-	http.Error(writer, "login session expired, try again", http.StatusInternalServerError)
+	httpError(writer, NewHTTPError(http.StatusGone, "login session expired, try again", nil))
 	return
 }
 
@@ -360,7 +327,7 @@ func extractCodeAndStateParamFromRequest(
 	state := req.URL.Query().Get("state")
 
 	if code == "" || state == "" {
-		return "", "", errEmptyOIDCCallbackParams
+		return "", "", NewHTTPError(http.StatusBadRequest, "missing code or state parameter", errEmptyOIDCCallbackParams)
 	}
 
 	return code, state, nil
@@ -378,7 +345,7 @@ func (a *AuthProviderOIDC) extractIDToken(
 	if a.cfg.PKCE.Enabled {
 		regInfo, ok := a.registrationCache.Get(state)
 		if !ok {
-			return nil, errNoOIDCRegistrationInfo
+			return nil, NewHTTPError(http.StatusNotFound, "registration not found", errNoOIDCRegistrationInfo)
 		}
 		if regInfo.Verifier != nil {
 			exchangeOpts = []oauth2.AuthCodeOption{oauth2.VerifierOption(*regInfo.Verifier)}
@@ -387,18 +354,18 @@ func (a *AuthProviderOIDC) extractIDToken(
 
 	oauth2Token, err := a.oauth2Config.Exchange(ctx, code, exchangeOpts...)
 	if err != nil {
-		return nil, fmt.Errorf("could not exchange code for token: %w", err)
+		return nil, NewHTTPError(http.StatusForbidden, "invalid code", fmt.Errorf("could not exchange code for token: %w", err))
 	}
 
 	rawIDToken, ok := oauth2Token.Extra("id_token").(string)
 	if !ok {
-		return nil, errNoOIDCIDToken
+		return nil, NewHTTPError(http.StatusBadRequest, "no id_token", errNoOIDCIDToken)
 	}
 
 	verifier := a.oidcProvider.Verifier(&oidc.Config{ClientID: a.cfg.ClientID})
 	idToken, err := verifier.Verify(ctx, rawIDToken)
 	if err != nil {
-		return nil, fmt.Errorf("failed to verify ID token: %w", err)
+		return nil, NewHTTPError(http.StatusForbidden, "failed to verify id_token", fmt.Errorf("failed to verify ID token: %w", err))
 	}
 
 	return idToken, nil
@@ -413,7 +380,7 @@ func validateOIDCAllowedDomains(
 	if len(allowedDomains) > 0 {
 		if at := strings.LastIndex(claims.Email, "@"); at < 0 ||
 			!slices.Contains(allowedDomains, claims.Email[at+1:]) {
-			return errOIDCAllowedDomains
+			return NewHTTPError(http.StatusUnauthorized, "unauthorised domain", errOIDCAllowedDomains)
 		}
 	}
 
@@ -435,7 +402,7 @@ func validateOIDCAllowedGroups(
 			}
 		}
 
-		return errOIDCAllowedGroups
+		return NewHTTPError(http.StatusUnauthorized, "unauthorised group", errOIDCAllowedGroups)
 	}
 
 	return nil
@@ -449,56 +416,20 @@ func validateOIDCAllowedUsers(
 ) error {
 	if len(allowedUsers) > 0 &&
 		!slices.Contains(allowedUsers, claims.Email) {
-		log.Trace().Msg("authenticated principal does not match any allowed user")
-		return errOIDCAllowedUsers
+		return NewHTTPError(http.StatusUnauthorized, "unauthorised user", errOIDCAllowedUsers)
 	}
 
 	return nil
 }
 
-// getMachineKeyFromState retrieves the machine key from the state
-// cache. If the machine key is found, it will try retrieve the
-// node information from the database.
-func (a *AuthProviderOIDC) getMachineKeyFromState(state string) (*types.Node, *key.MachinePublic) {
+// getRegistrationIDFromState retrieves the registration ID from the state.
+func (a *AuthProviderOIDC) getRegistrationIDFromState(state string) *types.RegistrationID {
 	regInfo, ok := a.registrationCache.Get(state)
 	if !ok {
-		return nil, nil
+		return nil
 	}
 
-	// retrieve node information if it exist
-	// The error is not important, because if it does not
-	// exist, then this is a new node and we will move
-	// on to registration.
-	node, _ := a.db.GetNodeByMachineKey(regInfo.MachineKey)
-
-	return node, &regInfo.MachineKey
-}
-
-// reauthenticateNode updates the node expiry in the database
-// and notifies the node and its peers about the change.
-func (a *AuthProviderOIDC) reauthenticateNode(
-	node *types.Node,
-	expiry time.Time,
-) error {
-	err := a.db.NodeSetExpiry(node.ID, expiry)
-	if err != nil {
-		return err
-	}
-
-	ctx := types.NotifyCtx(context.Background(), "oidc-expiry-self", node.Hostname)
-	a.notifier.NotifyByNodeID(
-		ctx,
-		types.StateUpdate{
-			Type:        types.StateSelfUpdate,
-			ChangeNodes: []types.NodeID{node.ID},
-		},
-		node.ID,
-	)
-
-	ctx = types.NotifyCtx(context.Background(), "oidc-expiry-peers", node.Hostname)
-	a.notifier.NotifyWithIgnore(ctx, types.StateUpdateExpire(node.ID, expiry), node.ID)
-
-	return nil
+	return &regInfo.RegistrationID
 }
 
 func (a *AuthProviderOIDC) createOrUpdateUserFromClaim(
@@ -556,43 +487,60 @@ func (a *AuthProviderOIDC) createOrUpdateUserFromClaim(
 	return user, nil
 }
 
-func (a *AuthProviderOIDC) registerNode(
+func (a *AuthProviderOIDC) handleRegistration(
 	user *types.User,
-	machineKey *key.MachinePublic,
+	registrationID types.RegistrationID,
 	expiry time.Time,
-) error {
+) (bool, error) {
 	ipv4, ipv6, err := a.ipAlloc.Next()
 	if err != nil {
-		return err
+		return false, err
 	}
 
-	if _, err := a.db.RegisterNodeFromAuthCallback(
-		*machineKey,
+	node, newNode, err := a.db.HandleNodeFromAuthPath(
+		registrationID,
 		types.UserID(user.ID),
 		&expiry,
 		util.RegisterMethodOIDC,
 		ipv4, ipv6,
-	); err != nil {
-		return fmt.Errorf("could not register node: %w", err)
-	}
-
-	err = nodesChangedHook(a.db, a.polMan, a.notifier)
+	)
 	if err != nil {
-		return fmt.Errorf("updating resources using node: %w", err)
+		return false, fmt.Errorf("could not register node: %w", err)
 	}
 
-	return nil
+	// Send an update to all nodes if this is a new node that they need to know
+	// about.
+	// If this is a refresh, just send new expiry updates.
+	updateSent, err := nodesChangedHook(a.db, a.polMan, a.notifier)
+	if err != nil {
+		return false, fmt.Errorf("updating resources using node: %w", err)
+	}
+
+	if !updateSent {
+		ctx := types.NotifyCtx(context.Background(), "oidc-expiry-self", node.Hostname)
+		a.notifier.NotifyByNodeID(
+			ctx,
+			types.StateSelf(node.ID),
+			node.ID,
+		)
+
+		ctx = types.NotifyCtx(context.Background(), "oidc-expiry-peers", node.Hostname)
+		a.notifier.NotifyWithIgnore(ctx, types.StateUpdatePeerAdded(node.ID), node.ID)
+	}
+
+	return newNode, nil
 }
 
 // TODO(kradalby):
 // Rewrite in elem-go.
 func renderOIDCCallbackTemplate(
 	user *types.User,
+	verb string,
 ) (*bytes.Buffer, error) {
 	var content bytes.Buffer
 	if err := oidcCallbackTemplate.Execute(&content, oidcCallbackTemplateConfig{
 		User: user.DisplayNameOrUsername(),
-		Verb: "Authenticated",
+		Verb: verb,
 	}); err != nil {
 		return nil, fmt.Errorf("rendering OIDC callback template: %w", err)
 	}

hscontrol/platform_config.go

@@ -10,7 +10,6 @@ import (
 	"github.com/gofrs/uuid/v5"
 	"github.com/gorilla/mux"
 	"github.com/juanfont/headscale/hscontrol/templates"
-	"github.com/rs/zerolog/log"
 )
 
 // WindowsConfigMessage shows a simple message in the browser for how to configure the Windows Tailscale client.
@@ -20,13 +19,7 @@ func (h *Headscale) WindowsConfigMessage(
 ) {
 	writer.Header().Set("Content-Type", "text/html; charset=utf-8")
 	writer.WriteHeader(http.StatusOK)
-
-	if _, err := writer.Write([]byte(templates.Windows(h.cfg.ServerURL).Render())); err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
-	}
+	writer.Write([]byte(templates.Windows(h.cfg.ServerURL).Render()))
 }
 
 // AppleConfigMessage shows a simple message in the browser to point the user to the iOS/MacOS profile and instructions for how to install it.
@@ -36,13 +29,7 @@ func (h *Headscale) AppleConfigMessage(
 ) {
 	writer.Header().Set("Content-Type", "text/html; charset=utf-8")
 	writer.WriteHeader(http.StatusOK)
-
-	if _, err := writer.Write([]byte(templates.Apple(h.cfg.ServerURL).Render())); err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
-	}
+	writer.Write([]byte(templates.Apple(h.cfg.ServerURL).Render()))
 }
 
 func (h *Headscale) ApplePlatformConfig(
@@ -52,51 +39,19 @@ func (h *Headscale) ApplePlatformConfig(
 	vars := mux.Vars(req)
 	platform, ok := vars["platform"]
 	if !ok {
-		log.Error().
-			Str("handler", "ApplePlatformConfig").
-			Msg("No platform specified")
-		http.Error(writer, "No platform specified", http.StatusBadRequest)
-
+		httpError(writer, NewHTTPError(http.StatusBadRequest, "no platform specified", nil))
 		return
 	}
 
 	id, err := uuid.NewV4()
 	if err != nil {
-		log.Error().
-			Str("handler", "ApplePlatformConfig").
-			Err(err).
-			Msg("Failed not create UUID")
-
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
-		writer.WriteHeader(http.StatusInternalServerError)
-		_, err := writer.Write([]byte("Failed to create UUID"))
-		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
-
+		httpError(writer, err)
 		return
 	}
 
 	contentID, err := uuid.NewV4()
 	if err != nil {
-		log.Error().
-			Str("handler", "ApplePlatformConfig").
-			Err(err).
-			Msg("Failed not create UUID")
-
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
-		writer.WriteHeader(http.StatusInternalServerError)
-		_, err := writer.Write([]byte("Failed to create content UUID"))
-		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
-
+		httpError(writer, err)
 		return
 	}
 
@@ -106,68 +61,25 @@ func (h *Headscale) ApplePlatformConfig(
 	}
 
 	var payload bytes.Buffer
-	handleMacError := func(ierr error) {
-		log.Error().
-			Str("handler", "ApplePlatformConfig").
-			Err(ierr).
-			Msg("Could not render Apple macOS template")
-
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
-		writer.WriteHeader(http.StatusInternalServerError)
-		_, err := writer.Write([]byte("Could not render Apple macOS template"))
-		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
-	}
 
 	switch platform {
 	case "macos-standalone":
 		if err := macosStandaloneTemplate.Execute(&payload, platformConfig); err != nil {
-			handleMacError(err)
-
+			httpError(writer, err)
 			return
 		}
 	case "macos-app-store":
 		if err := macosAppStoreTemplate.Execute(&payload, platformConfig); err != nil {
-			handleMacError(err)
-
+			httpError(writer, err)
 			return
 		}
 	case "ios":
 		if err := iosTemplate.Execute(&payload, platformConfig); err != nil {
-			log.Error().
-				Str("handler", "ApplePlatformConfig").
-				Err(err).
-				Msg("Could not render Apple iOS template")
-
-			writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
-			writer.WriteHeader(http.StatusInternalServerError)
-			_, err := writer.Write([]byte("Could not render Apple iOS template"))
-			if err != nil {
-				log.Error().
-					Caller().
-					Err(err).
-					Msg("Failed to write response")
-			}
-
+			httpError(writer, err)
 			return
 		}
 	default:
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
-		writer.WriteHeader(http.StatusBadRequest)
-		_, err := writer.Write(
-			[]byte("Invalid platform. Only ios, macos-app-store and macos-standalone are supported"),
-		)
-		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
-
+		httpError(writer, NewHTTPError(http.StatusBadRequest, "platform must be ios, macos-app-store or macos-standalone", nil))
 		return
 	}
 
@@ -179,34 +91,14 @@ func (h *Headscale) ApplePlatformConfig(
 
 	var content bytes.Buffer
 	if err := commonTemplate.Execute(&content, config); err != nil {
-		log.Error().
-			Str("handler", "ApplePlatformConfig").
-			Err(err).
-			Msg("Could not render Apple platform template")
-
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
-		writer.WriteHeader(http.StatusInternalServerError)
-		_, err := writer.Write([]byte("Could not render Apple platform template"))
-		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
-
+		httpError(writer, err)
 		return
 	}
 
 	writer.Header().
 		Set("Content-Type", "application/x-apple-aspen-config; charset=utf-8")
 	writer.WriteHeader(http.StatusOK)
-	_, err = writer.Write(content.Bytes())
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
-	}
+	writer.Write(content.Bytes())
 }
 
 type AppleMobileConfig struct {

hscontrol/policy/acls.go

@@ -61,7 +61,7 @@ func theInternet() *netipx.IPSet {
 	internetBuilder.RemovePrefix(tsaddr.TailscaleULARange())
 	internetBuilder.RemovePrefix(tsaddr.CGNATRange())
 
-	// Delete "cant find DHCP networks"
+	// Delete "can't find DHCP networks"
 	internetBuilder.RemovePrefix(netip.MustParsePrefix("fe80::/10")) // link-local
 	internetBuilder.RemovePrefix(netip.MustParsePrefix("169.254.0.0/16"))
 
@@ -251,7 +251,7 @@ func ReduceFilterRules(node *types.Node, rules []tailcfg.FilterRule) []tailcfg.F
 	DEST_LOOP:
 		for _, dest := range rule.DstPorts {
 			expanded, err := util.ParseIPSet(dest.IP, nil)
-			// Fail closed, if we cant parse it, then we should not allow
+			// Fail closed, if we can't parse it, then we should not allow
 			// access.
 			if err != nil {
 				continue DEST_LOOP
@@ -934,7 +934,7 @@ func (pol *ACLPolicy) expandIPsFromIPPrefix(
 	build.AddPrefix(prefix)
 
 	// This is suboptimal and quite expensive, but if we only add the prefix, we will miss all the relevant IPv6
-	// addresses for the hosts that belong to tailscale. This doesnt really affect stuff like subnet routers.
+	// addresses for the hosts that belong to tailscale. This doesn't really affect stuff like subnet routers.
 	for _, node := range nodes {
 		for _, ip := range node.IPs() {
 			// log.Trace().

hscontrol/poll.go

@@ -156,7 +156,7 @@ func (m *mapSession) serve() {
 	// current configuration.
 	//
 	// If OmitPeers is true, Stream is false, and ReadOnly is false,
-	// then te server will let clients update their endpoints without
+	// then the server will let clients update their endpoints without
 	// breaking existing long-polling (Stream == true) connections.
 	// In this case, the server can omit the entire response; the client
 	// only checks the HTTP response status code.
@@ -691,7 +691,7 @@ func hostInfoChanged(old, new *tailcfg.Hostinfo) (bool, bool) {
 	}
 
 	// Services is mostly useful for discovery and not critical,
-	// except for peerapi, which is how nodes talk to eachother.
+	// except for peerapi, which is how nodes talk to each other.
 	// If peerapi was not part of the initial mapresponse, we
 	// need to make sure its sent out later as it is needed for
 	// Taildrop.

hscontrol/templates/register_web.go

@@ -6,6 +6,7 @@ import (
 	"github.com/chasefleming/elem-go"
 	"github.com/chasefleming/elem-go/attrs"
 	"github.com/chasefleming/elem-go/styles"
+	"github.com/juanfont/headscale/hscontrol/types"
 )
 
 var codeStyleRegisterWebAPI = styles.Props{
@@ -15,7 +16,7 @@ var codeStyleRegisterWebAPI = styles.Props{
 	styles.BackgroundColor: "#eee",
 }
 
-func RegisterWeb(key string) *elem.Element {
+func RegisterWeb(registrationID types.RegistrationID) *elem.Element {
 	return HtmlStructure(
 		elem.Title(nil, elem.Text("Registration - Headscale")),
 		elem.Body(attrs.Props{
@@ -27,7 +28,7 @@ func RegisterWeb(key string) *elem.Element {
 			elem.H2(nil, elem.Text("Machine registration")),
 			elem.P(nil, elem.Text("Run the command below in the headscale server to add this machine to your network: ")),
 			elem.Code(attrs.Props{attrs.Style: codeStyleRegisterWebAPI.ToInline()},
-				elem.Text(fmt.Sprintf("headscale nodes register --user USERNAME --key %s", key)),
+				elem.Text(fmt.Sprintf("headscale nodes register --user USERNAME --key %s", registrationID.String())),
 			),
 		),
 	)

hscontrol/types/common.go

@@ -3,8 +3,10 @@ package types
 import (
 	"context"
 	"errors"
+	"fmt"
 	"time"
 
+	"github.com/juanfont/headscale/hscontrol/util"
 	"tailscale.com/tailcfg"
 	"tailscale.com/util/ctxkey"
 )
@@ -100,6 +102,20 @@ func (su *StateUpdate) Empty() bool {
 	return false
 }
 
+func StateSelf(nodeID NodeID) StateUpdate {
+	return StateUpdate{
+		Type:        StateSelfUpdate,
+		ChangeNodes: []NodeID{nodeID},
+	}
+}
+
+func StateUpdatePeerAdded(nodeIDs ...NodeID) StateUpdate {
+	return StateUpdate{
+		Type:        StatePeerChanged,
+		ChangeNodes: nodeIDs,
+	}
+}
+
 func StateUpdateExpire(nodeID NodeID, expiry time.Time) StateUpdate {
 	return StateUpdate{
 		Type: StatePeerChangedPatch,
@@ -123,3 +139,40 @@ func NotifyCtx(ctx context.Context, origin, hostname string) context.Context {
 	ctx2 = NotifyHostnameKey.WithValue(ctx2, hostname)
 	return ctx2
 }
+
+const RegistrationIDLength = 24
+
+type RegistrationID string
+
+func NewRegistrationID() (RegistrationID, error) {
+	rid, err := util.GenerateRandomStringURLSafe(RegistrationIDLength)
+	if err != nil {
+		return "", err
+	}
+
+	return RegistrationID(rid), nil
+}
+
+func MustRegistrationID() RegistrationID {
+	rid, err := NewRegistrationID()
+	if err != nil {
+		panic(err)
+	}
+	return rid
+}
+
+func RegistrationIDFromString(str string) (RegistrationID, error) {
+	if len(str) != RegistrationIDLength {
+		return "", fmt.Errorf("registration ID must be %d characters long", RegistrationIDLength)
+	}
+	return RegistrationID(str), nil
+}
+
+func (r RegistrationID) String() string {
+	return string(r)
+}
+
+type RegisterNode struct {
+	Node       Node
+	Registered chan struct{}
+}

hscontrol/types/config.go

@@ -319,7 +319,7 @@ func LoadConfig(path string, isFile bool) error {
 	viper.SetDefault("oidc.only_start_if_oidc_is_available", true)
 	viper.SetDefault("oidc.expiry", "180d")
 	viper.SetDefault("oidc.use_expiry_from_token", false)
-	viper.SetDefault("oidc.map_legacy_users", true)
+	viper.SetDefault("oidc.map_legacy_users", false)
 	viper.SetDefault("oidc.pkce.enabled", false)
 	viper.SetDefault("oidc.pkce.method", "S256")
 

hscontrol/types/node.go

@@ -77,9 +77,12 @@ type Node struct {
 
 	ForcedTags []string `gorm:"serializer:json"`
 
-	// TODO(kradalby): This seems like irrelevant information?
-	AuthKeyID *uint64     `sql:"DEFAULT:NULL"`
-	AuthKey   *PreAuthKey `gorm:"constraint:OnDelete:SET NULL;"`
+	// When a node has been created with a PreAuthKey, we need to
+	// prevent the preauthkey from being deleted before the node.
+	// The preauthkey can define "tags" of the node so we need it
+	// around.
+	AuthKeyID *uint64 `sql:"DEFAULT:NULL"`
+	AuthKey   *PreAuthKey
 
 	LastSeen *time.Time
 	Expiry   *time.Time
@@ -105,7 +108,7 @@ func (node *Node) GivenNameHasBeenChanged() bool {
 // IsExpired returns whether the node registration has expired.
 func (node Node) IsExpired() bool {
 	// If Expiry is not set, the client has not indicated that
-	// it wants an expiry time, it is therefor considered
+	// it wants an expiry time, it is therefore considered
 	// to mean "not expired"
 	if node.Expiry == nil || node.Expiry.IsZero() {
 		return false
@@ -180,7 +183,7 @@ func (node *Node) CanAccess(filter []tailcfg.FilterRule, node2 *Node) bool {
 	src := node.IPs()
 	allowedIPs := node2.IPs()
 
-	// TODO(kradalby): Regenerate this everytime the filter change, instead of
+	// TODO(kradalby): Regenerate this every time the filter change, instead of
 	// every time we use it.
 	matchers := make([]matcher.Match, len(filter))
 	for i, rule := range filter {

hscontrol/types/preauth_key.go

@@ -14,7 +14,7 @@ type PreAuthKey struct {
 	ID        uint64 `gorm:"primary_key"`
 	Key       string
 	UserID    uint
-	User      User `gorm:"constraint:OnDelete:CASCADE;"`
+	User      User `gorm:"constraint:OnDelete:SET NULL;"`
 	Reusable  bool
 	Ephemeral bool     `gorm:"default:false"`
 	Used      bool     `gorm:"default:false"`

hscontrol/types/users.go

@@ -80,10 +80,8 @@ func (u *User) profilePicURL() string {
 func (u *User) TailscaleUser() *tailcfg.User {
 	user := tailcfg.User{
 		ID:            tailcfg.UserID(u.ID),
-		LoginName:     u.Username(),
 		DisplayName:   u.DisplayNameOrUsername(),
 		ProfilePicURL: u.profilePicURL(),
-		Logins:        []tailcfg.LoginID{},
 		Created:       u.CreatedAt,
 	}
 

hscontrol/util/dns.go

@@ -65,6 +65,11 @@ func ValidateUsername(username string) error {
 }
 
 func CheckForFQDNRules(name string) error {
+	// Ensure the username meets the minimum length requirement
+	if len(name) < 2 {
+		return errors.New("name must be at least 2 characters long")
+	}
+
 	if len(name) > LabelHostnameLength {
 		return fmt.Errorf(
 			"DNS segment must not be over 63 chars. %v doesn't comply with this rule: %w",
@@ -81,7 +86,7 @@ func CheckForFQDNRules(name string) error {
 	}
 	if invalidDNSRegex.MatchString(name) {
 		return fmt.Errorf(
-			"DNS segment should only be composed of lowercase ASCII letters numbers, hyphen and dots. %v doesn't comply with theses rules: %w",
+			"DNS segment should only be composed of lowercase ASCII letters numbers, hyphen and dots. %v doesn't comply with these rules: %w",
 			name,
 			ErrInvalidUserName,
 		)

hscontrol/util/string.go

@@ -32,7 +32,8 @@ func GenerateRandomBytes(n int) ([]byte, error) {
 func GenerateRandomStringURLSafe(n int) (string, error) {
 	b, err := GenerateRandomBytes(n)
 
-	return base64.RawURLEncoding.EncodeToString(b), err
+	uenc := base64.RawURLEncoding.EncodeToString(b)
+	return uenc[:n], err
 }
 
 // GenerateRandomStringDNSSafe returns a DNS-safe

integration/acl_test.go

@@ -124,7 +124,7 @@ func TestACLHostsInNetMapTable(t *testing.T) {
 			},
 		},
 		// Test that when we have two users, which cannot see
-		// eachother, each node has only the number of pairs from
+		// each other, each node has only the number of pairs from
 		// their own user.
 		"two-isolated-users": {
 			users: map[string]int{

integration/auth_key_test.go

@@ -0,0 +1,230 @@
+package integration
+
+import (
+	"fmt"
+	"net/netip"
+	"testing"
+	"time"
+
+	"github.com/juanfont/headscale/integration/hsic"
+	"github.com/juanfont/headscale/integration/tsic"
+	"github.com/samber/lo"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestAuthKeyLogoutAndReloginSameUser(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	for _, https := range []bool{true, false} {
+		t.Run(fmt.Sprintf("with-https-%t", https), func(t *testing.T) {
+			scenario, err := NewScenario(dockertestMaxWait())
+			assertNoErr(t, err)
+			defer scenario.ShutdownAssertNoPanics(t)
+
+			spec := map[string]int{
+				"user1": len(MustTestVersions),
+				"user2": len(MustTestVersions),
+			}
+
+			opts := []hsic.Option{hsic.WithTestName("pingallbyip")}
+			if https {
+				opts = append(opts, []hsic.Option{
+					hsic.WithTLS(),
+				}...)
+			}
+
+			err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, opts...)
+			assertNoErrHeadscaleEnv(t, err)
+
+			allClients, err := scenario.ListTailscaleClients()
+			assertNoErrListClients(t, err)
+
+			err = scenario.WaitForTailscaleSync()
+			assertNoErrSync(t, err)
+
+			// assertClientsState(t, allClients)
+
+			clientIPs := make(map[TailscaleClient][]netip.Addr)
+			for _, client := range allClients {
+				ips, err := client.IPs()
+				if err != nil {
+					t.Fatalf("failed to get IPs for client %s: %s", client.Hostname(), err)
+				}
+				clientIPs[client] = ips
+			}
+
+			headscale, err := scenario.Headscale()
+			assertNoErrGetHeadscale(t, err)
+
+			listNodes, err := headscale.ListNodes()
+			assert.Equal(t, len(listNodes), len(allClients))
+			nodeCountBeforeLogout := len(listNodes)
+			t.Logf("node count before logout: %d", nodeCountBeforeLogout)
+
+			for _, client := range allClients {
+				err := client.Logout()
+				if err != nil {
+					t.Fatalf("failed to logout client %s: %s", client.Hostname(), err)
+				}
+			}
+
+			err = scenario.WaitForTailscaleLogout()
+			assertNoErrLogout(t, err)
+
+			t.Logf("all clients logged out")
+
+			// if the server is not running with HTTPS, we have to wait a bit before
+			// reconnection as the newest Tailscale client has a measure that will only
+			// reconnect over HTTPS if they saw a noise connection previously.
+			// https://github.com/tailscale/tailscale/commit/1eaad7d3deb0815e8932e913ca1a862afa34db38
+			// https://github.com/juanfont/headscale/issues/2164
+			if !https {
+				time.Sleep(5 * time.Minute)
+			}
+
+			for userName := range spec {
+				key, err := scenario.CreatePreAuthKey(userName, true, false)
+				if err != nil {
+					t.Fatalf("failed to create pre-auth key for user %s: %s", userName, err)
+				}
+
+				err = scenario.RunTailscaleUp(userName, headscale.GetEndpoint(), key.GetKey())
+				if err != nil {
+					t.Fatalf("failed to run tailscale up for user %s: %s", userName, err)
+				}
+			}
+
+			listNodes, err = headscale.ListNodes()
+			require.Equal(t, nodeCountBeforeLogout, len(listNodes))
+
+			allIps, err := scenario.ListTailscaleClientsIPs()
+			assertNoErrListClientIPs(t, err)
+
+			allAddrs := lo.Map(allIps, func(x netip.Addr, index int) string {
+				return x.String()
+			})
+
+			success := pingAllHelper(t, allClients, allAddrs)
+			t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))
+
+			for _, client := range allClients {
+				ips, err := client.IPs()
+				if err != nil {
+					t.Fatalf("failed to get IPs for client %s: %s", client.Hostname(), err)
+				}
+
+				// lets check if the IPs are the same
+				if len(ips) != len(clientIPs[client]) {
+					t.Fatalf("IPs changed for client %s", client.Hostname())
+				}
+
+				for _, ip := range ips {
+					found := false
+					for _, oldIP := range clientIPs[client] {
+						if ip == oldIP {
+							found = true
+
+							break
+						}
+					}
+
+					if !found {
+						t.Fatalf(
+							"IPs changed for client %s. Used to be %v now %v",
+							client.Hostname(),
+							clientIPs[client],
+							ips,
+						)
+					}
+				}
+			}
+		})
+	}
+}
+
+// This test will first log in two sets of nodes to two sets of users, then
+// it will log out all users from user2 and log them in as user1.
+// This should leave us with all nodes connected to user1, while user2
+// still has nodes, but they are not connected.
+func TestAuthKeyLogoutAndReloginNewUser(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	scenario, err := NewScenario(dockertestMaxWait())
+	assertNoErr(t, err)
+	defer scenario.ShutdownAssertNoPanics(t)
+
+	spec := map[string]int{
+		"user1": len(MustTestVersions),
+		"user2": len(MustTestVersions),
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{},
+		hsic.WithTestName("keyrelognewuser"),
+		hsic.WithTLS(),
+	)
+	assertNoErrHeadscaleEnv(t, err)
+
+	allClients, err := scenario.ListTailscaleClients()
+	assertNoErrListClients(t, err)
+
+	err = scenario.WaitForTailscaleSync()
+	assertNoErrSync(t, err)
+
+	// assertClientsState(t, allClients)
+
+	headscale, err := scenario.Headscale()
+	assertNoErrGetHeadscale(t, err)
+
+	listNodes, err := headscale.ListNodes()
+	assert.Equal(t, len(listNodes), len(allClients))
+	nodeCountBeforeLogout := len(listNodes)
+	t.Logf("node count before logout: %d", nodeCountBeforeLogout)
+
+	for _, client := range allClients {
+		err := client.Logout()
+		if err != nil {
+			t.Fatalf("failed to logout client %s: %s", client.Hostname(), err)
+		}
+	}
+
+	err = scenario.WaitForTailscaleLogout()
+	assertNoErrLogout(t, err)
+
+	t.Logf("all clients logged out")
+
+	// Create a new authkey for user1, to be used for all clients
+	key, err := scenario.CreatePreAuthKey("user1", true, false)
+	if err != nil {
+		t.Fatalf("failed to create pre-auth key for user1: %s", err)
+	}
+
+	// Log in all clients as user1, iterating over the spec only returns the
+	// clients, not the usernames.
+	for userName := range spec {
+		err = scenario.RunTailscaleUp(userName, headscale.GetEndpoint(), key.GetKey())
+		if err != nil {
+			t.Fatalf("failed to run tailscale up for user %s: %s", userName, err)
+		}
+	}
+
+	user1Nodes, err := headscale.ListNodes("user1")
+	assertNoErr(t, err)
+	assert.Len(t, user1Nodes, len(allClients))
+
+	// Validate that all the old nodes are still present with user2
+	user2Nodes, err := headscale.ListNodes("user2")
+	assertNoErr(t, err)
+	assert.Len(t, user2Nodes, len(allClients)/2)
+
+	for _, client := range allClients {
+		status, err := client.Status()
+		if err != nil {
+			t.Fatalf("failed to get status for client %s: %s", client.Hostname(), err)
+		}
+
+		assert.Equal(t, "user1@test.no", status.User[status.Self.UserID].LoginName)
+	}
+}

integration/auth_oidc_test.go

@@ -11,8 +11,8 @@ import (
 	"net"
 	"net/http"
 	"net/http/cookiejar"
-	"net/http/httptest"
 	"net/netip"
+	"net/url"
 	"sort"
 	"strconv"
 	"testing"
@@ -56,7 +56,7 @@ func TestOIDCAuthenticationPingAll(t *testing.T) {
 	scenario := AuthOIDCScenario{
 		Scenario: baseScenario,
 	}
-	// defer scenario.ShutdownAssertNoPanics(t)
+	defer scenario.ShutdownAssertNoPanics(t)
 
 	// Logins to MockOIDC is served by a queue with a strict order,
 	// if we use more than one node per user, the order of the logins
@@ -91,7 +91,6 @@ func TestOIDCAuthenticationPingAll(t *testing.T) {
 		hsic.WithTestName("oidcauthping"),
 		hsic.WithConfigEnv(oidcMap),
 		hsic.WithTLS(),
-		hsic.WithHostnameAsServerURL(),
 		hsic.WithFileInContainer("/tmp/hs_client_oidc_secret", []byte(oidcConfig.ClientSecret)),
 	)
 	assertNoErrHeadscaleEnv(t, err)
@@ -117,20 +116,10 @@ func TestOIDCAuthenticationPingAll(t *testing.T) {
 	headscale, err := scenario.Headscale()
 	assertNoErr(t, err)
 
-	var listUsers []v1.User
-	err = executeAndUnmarshal(headscale,
-		[]string{
-			"headscale",
-			"users",
-			"list",
-			"--output",
-			"json",
-		},
-		&listUsers,
-	)
+	listUsers, err := headscale.ListUsers()
 	assertNoErr(t, err)
 
-	want := []v1.User{
+	want := []*v1.User{
 		{
 			Id:    1,
 			Name:  "user1",
@@ -206,7 +195,6 @@ func TestOIDCExpireNodesBasedOnTokenExpiry(t *testing.T) {
 		spec,
 		hsic.WithTestName("oidcexpirenodes"),
 		hsic.WithConfigEnv(oidcMap),
-		hsic.WithHostnameAsServerURL(),
 	)
 	assertNoErrHeadscaleEnv(t, err)
 
@@ -230,7 +218,7 @@ func TestOIDCExpireNodesBasedOnTokenExpiry(t *testing.T) {
 
 	// This is not great, but this sadly is a time dependent test, so the
 	// safe thing to do is wait out the whole TTL time before checking if
-	// the clients have logged out. The Wait function cant do it itself
+	// the clients have logged out. The Wait function can't do it itself
 	// as it has an upper bound of 1 min.
 	time.Sleep(shortAccessTTL)
 
@@ -251,7 +239,7 @@ func TestOIDC024UserCreation(t *testing.T) {
 		emailVerified bool
 		cliUsers      []string
 		oidcUsers     []string
-		want          func(iss string) []v1.User
+		want          func(iss string) []*v1.User
 	}{
 		{
 			name: "no-migration-verified-email",
@@ -261,8 +249,8 @@ func TestOIDC024UserCreation(t *testing.T) {
 			emailVerified: true,
 			cliUsers:      []string{"user1", "user2"},
 			oidcUsers:     []string{"user1", "user2"},
-			want: func(iss string) []v1.User {
-				return []v1.User{
+			want: func(iss string) []*v1.User {
+				return []*v1.User{
 					{
 						Id:    1,
 						Name:  "user1",
@@ -298,8 +286,8 @@ func TestOIDC024UserCreation(t *testing.T) {
 			emailVerified: false,
 			cliUsers:      []string{"user1", "user2"},
 			oidcUsers:     []string{"user1", "user2"},
-			want: func(iss string) []v1.User {
-				return []v1.User{
+			want: func(iss string) []*v1.User {
+				return []*v1.User{
 					{
 						Id:    1,
 						Name:  "user1",
@@ -334,8 +322,8 @@ func TestOIDC024UserCreation(t *testing.T) {
 			emailVerified: true,
 			cliUsers:      []string{"user1", "user2"},
 			oidcUsers:     []string{"user1", "user2"},
-			want: func(iss string) []v1.User {
-				return []v1.User{
+			want: func(iss string) []*v1.User {
+				return []*v1.User{
 					{
 						Id:         1,
 						Name:       "user1",
@@ -362,8 +350,8 @@ func TestOIDC024UserCreation(t *testing.T) {
 			emailVerified: false,
 			cliUsers:      []string{"user1", "user2"},
 			oidcUsers:     []string{"user1", "user2"},
-			want: func(iss string) []v1.User {
-				return []v1.User{
+			want: func(iss string) []*v1.User {
+				return []*v1.User{
 					{
 						Id:    1,
 						Name:  "user1",
@@ -398,8 +386,8 @@ func TestOIDC024UserCreation(t *testing.T) {
 			emailVerified: true,
 			cliUsers:      []string{"user1.headscale.net", "user2.headscale.net"},
 			oidcUsers:     []string{"user1", "user2"},
-			want: func(iss string) []v1.User {
-				return []v1.User{
+			want: func(iss string) []*v1.User {
+				return []*v1.User{
 					// Hmm I think we will have to overwrite the initial name here
 					// createuser with "user1.headscale.net", but oidc with "user1"
 					{
@@ -428,8 +416,8 @@ func TestOIDC024UserCreation(t *testing.T) {
 			emailVerified: false,
 			cliUsers:      []string{"user1.headscale.net", "user2.headscale.net"},
 			oidcUsers:     []string{"user1", "user2"},
-			want: func(iss string) []v1.User {
-				return []v1.User{
+			want: func(iss string) []*v1.User {
+				return []*v1.User{
 					{
 						Id:    1,
 						Name:  "user1.headscale.net",
@@ -497,7 +485,6 @@ func TestOIDC024UserCreation(t *testing.T) {
 				hsic.WithTestName("oidcmigration"),
 				hsic.WithConfigEnv(oidcMap),
 				hsic.WithTLS(),
-				hsic.WithHostnameAsServerURL(),
 				hsic.WithFileInContainer("/tmp/hs_client_oidc_secret", []byte(oidcConfig.ClientSecret)),
 			)
 			assertNoErrHeadscaleEnv(t, err)
@@ -512,17 +499,7 @@ func TestOIDC024UserCreation(t *testing.T) {
 
 			want := tt.want(oidcConfig.Issuer)
 
-			var listUsers []v1.User
-			err = executeAndUnmarshal(headscale,
-				[]string{
-					"headscale",
-					"users",
-					"list",
-					"--output",
-					"json",
-				},
-				&listUsers,
-			)
+			listUsers, err := headscale.ListUsers()
 			assertNoErr(t, err)
 
 			sort.Slice(listUsers, func(i, j int) bool {
@@ -576,7 +553,6 @@ func TestOIDCAuthenticationWithPKCE(t *testing.T) {
 		hsic.WithTestName("oidcauthpkce"),
 		hsic.WithConfigEnv(oidcMap),
 		hsic.WithTLS(),
-		hsic.WithHostnameAsServerURL(),
 		hsic.WithFileInContainer("/tmp/hs_client_oidc_secret", []byte(oidcConfig.ClientSecret)),
 	)
 	assertNoErrHeadscaleEnv(t, err)
@@ -591,23 +567,6 @@ func TestOIDCAuthenticationWithPKCE(t *testing.T) {
 	err = scenario.WaitForTailscaleSync()
 	assertNoErrSync(t, err)
 
-	// Verify PKCE was used in authentication
-	headscale, err := scenario.Headscale()
-	assertNoErr(t, err)
-
-	var listUsers []v1.User
-	err = executeAndUnmarshal(headscale,
-		[]string{
-			"headscale",
-			"users",
-			"list",
-			"--output",
-			"json",
-		},
-		&listUsers,
-	)
-	assertNoErr(t, err)
-
 	allAddrs := lo.Map(allIps, func(x netip.Addr, index int) string {
 		return x.String()
 	})
@@ -616,6 +575,228 @@ func TestOIDCAuthenticationWithPKCE(t *testing.T) {
 	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))
 }
 
+func TestOIDCReloginSameNodeNewUser(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	baseScenario, err := NewScenario(dockertestMaxWait())
+	assertNoErr(t, err)
+
+	scenario := AuthOIDCScenario{
+		Scenario: baseScenario,
+	}
+	defer scenario.ShutdownAssertNoPanics(t)
+
+	// Create no nodes and no users
+	spec := map[string]int{}
+
+	// First login creates the first OIDC user
+	// Second login logs in the same node, which creates a new node
+	// Third login logs in the same node back into the original user
+	mockusers := []mockoidc.MockUser{
+		oidcMockUser("user1", true),
+		oidcMockUser("user2", true),
+		oidcMockUser("user1", true),
+	}
+
+	oidcConfig, err := scenario.runMockOIDC(defaultAccessTTL, mockusers)
+	assertNoErrf(t, "failed to run mock OIDC server: %s", err)
+	// defer scenario.mockOIDC.Close()
+
+	oidcMap := map[string]string{
+		"HEADSCALE_OIDC_ISSUER":             oidcConfig.Issuer,
+		"HEADSCALE_OIDC_CLIENT_ID":          oidcConfig.ClientID,
+		"CREDENTIALS_DIRECTORY_TEST":        "/tmp",
+		"HEADSCALE_OIDC_CLIENT_SECRET_PATH": "${CREDENTIALS_DIRECTORY_TEST}/hs_client_oidc_secret",
+		// TODO(kradalby): Remove when strip_email_domain is removed
+		// after #2170 is cleaned up
+		"HEADSCALE_OIDC_MAP_LEGACY_USERS":   "0",
+		"HEADSCALE_OIDC_STRIP_EMAIL_DOMAIN": "0",
+	}
+
+	err = scenario.CreateHeadscaleEnv(
+		spec,
+		hsic.WithTestName("oidcauthrelog"),
+		hsic.WithConfigEnv(oidcMap),
+		hsic.WithTLS(),
+		hsic.WithFileInContainer("/tmp/hs_client_oidc_secret", []byte(oidcConfig.ClientSecret)),
+		hsic.WithEmbeddedDERPServerOnly(),
+	)
+	assertNoErrHeadscaleEnv(t, err)
+
+	headscale, err := scenario.Headscale()
+	assertNoErr(t, err)
+
+	listUsers, err := headscale.ListUsers()
+	assertNoErr(t, err)
+	assert.Len(t, listUsers, 0)
+
+	ts, err := scenario.CreateTailscaleNode("unstable")
+	assertNoErr(t, err)
+
+	u, err := ts.LoginWithURL(headscale.GetEndpoint())
+	assertNoErr(t, err)
+
+	_, err = doLoginURL(ts.Hostname(), u)
+	assertNoErr(t, err)
+
+	listUsers, err = headscale.ListUsers()
+	assertNoErr(t, err)
+	assert.Len(t, listUsers, 1)
+	wantUsers := []*v1.User{
+		{
+			Id:         1,
+			Name:       "user1",
+			Email:      "user1@headscale.net",
+			Provider:   "oidc",
+			ProviderId: oidcConfig.Issuer + "/user1",
+		},
+	}
+
+	sort.Slice(listUsers, func(i, j int) bool {
+		return listUsers[i].GetId() < listUsers[j].GetId()
+	})
+
+	if diff := cmp.Diff(wantUsers, listUsers, cmpopts.IgnoreUnexported(v1.User{}), cmpopts.IgnoreFields(v1.User{}, "CreatedAt")); diff != "" {
+		t.Fatalf("unexpected users: %s", diff)
+	}
+
+	listNodes, err := headscale.ListNodes()
+	assertNoErr(t, err)
+	assert.Len(t, listNodes, 1)
+
+	// Log out user1 and log in user2, this should create a new node
+	// for user2, the node should have the same machine key and
+	// a new node key.
+	err = ts.Logout()
+	assertNoErr(t, err)
+
+	time.Sleep(5 * time.Second)
+
+	// TODO(kradalby): Not sure why we need to logout twice, but it fails and
+	// logs in immediately after the first logout and I cannot reproduce it
+	// manually.
+	err = ts.Logout()
+	assertNoErr(t, err)
+
+	u, err = ts.LoginWithURL(headscale.GetEndpoint())
+	assertNoErr(t, err)
+
+	_, err = doLoginURL(ts.Hostname(), u)
+	assertNoErr(t, err)
+
+	listUsers, err = headscale.ListUsers()
+	assertNoErr(t, err)
+	assert.Len(t, listUsers, 2)
+	wantUsers = []*v1.User{
+		{
+			Id:         1,
+			Name:       "user1",
+			Email:      "user1@headscale.net",
+			Provider:   "oidc",
+			ProviderId: oidcConfig.Issuer + "/user1",
+		},
+		{
+			Id:         2,
+			Name:       "user2",
+			Email:      "user2@headscale.net",
+			Provider:   "oidc",
+			ProviderId: oidcConfig.Issuer + "/user2",
+		},
+	}
+
+	sort.Slice(listUsers, func(i, j int) bool {
+		return listUsers[i].GetId() < listUsers[j].GetId()
+	})
+
+	if diff := cmp.Diff(wantUsers, listUsers, cmpopts.IgnoreUnexported(v1.User{}), cmpopts.IgnoreFields(v1.User{}, "CreatedAt")); diff != "" {
+		t.Fatalf("unexpected users: %s", diff)
+	}
+
+	listNodesAfterNewUserLogin, err := headscale.ListNodes()
+	assertNoErr(t, err)
+	assert.Len(t, listNodesAfterNewUserLogin, 2)
+
+	// Machine key is the same as the "machine" has not changed,
+	// but Node key is not as it is a new node
+	assert.Equal(t, listNodes[0].MachineKey, listNodesAfterNewUserLogin[0].MachineKey)
+	assert.Equal(t, listNodesAfterNewUserLogin[0].MachineKey, listNodesAfterNewUserLogin[1].MachineKey)
+	assert.NotEqual(t, listNodesAfterNewUserLogin[0].NodeKey, listNodesAfterNewUserLogin[1].NodeKey)
+
+	// Log out user2, and log into user1, no new node should be created,
+	// the node should now "become" node1 again
+	err = ts.Logout()
+	assertNoErr(t, err)
+
+	time.Sleep(5 * time.Second)
+
+	// TODO(kradalby): Not sure why we need to logout twice, but it fails and
+	// logs in immediately after the first logout and I cannot reproduce it
+	// manually.
+	err = ts.Logout()
+	assertNoErr(t, err)
+
+	u, err = ts.LoginWithURL(headscale.GetEndpoint())
+	assertNoErr(t, err)
+
+	_, err = doLoginURL(ts.Hostname(), u)
+	assertNoErr(t, err)
+
+	listUsers, err = headscale.ListUsers()
+	assertNoErr(t, err)
+	assert.Len(t, listUsers, 2)
+	wantUsers = []*v1.User{
+		{
+			Id:         1,
+			Name:       "user1",
+			Email:      "user1@headscale.net",
+			Provider:   "oidc",
+			ProviderId: oidcConfig.Issuer + "/user1",
+		},
+		{
+			Id:         2,
+			Name:       "user2",
+			Email:      "user2@headscale.net",
+			Provider:   "oidc",
+			ProviderId: oidcConfig.Issuer + "/user2",
+		},
+	}
+
+	sort.Slice(listUsers, func(i, j int) bool {
+		return listUsers[i].GetId() < listUsers[j].GetId()
+	})
+
+	if diff := cmp.Diff(wantUsers, listUsers, cmpopts.IgnoreUnexported(v1.User{}), cmpopts.IgnoreFields(v1.User{}, "CreatedAt")); diff != "" {
+		t.Fatalf("unexpected users: %s", diff)
+	}
+
+	listNodesAfterLoggingBackIn, err := headscale.ListNodes()
+	assertNoErr(t, err)
+	assert.Len(t, listNodesAfterLoggingBackIn, 2)
+
+	// Validate that the machine we had when we logged in the first time, has the same
+	// machine key, but a different ID than the newly logged in version of the same
+	// machine.
+	assert.Equal(t, listNodes[0].MachineKey, listNodesAfterNewUserLogin[0].MachineKey)
+	assert.Equal(t, listNodes[0].NodeKey, listNodesAfterNewUserLogin[0].NodeKey)
+	assert.Equal(t, listNodes[0].Id, listNodesAfterNewUserLogin[0].Id)
+	assert.Equal(t, listNodes[0].MachineKey, listNodesAfterNewUserLogin[1].MachineKey)
+	assert.NotEqual(t, listNodes[0].Id, listNodesAfterNewUserLogin[1].Id)
+	assert.NotEqual(t, listNodes[0].User.Id, listNodesAfterNewUserLogin[1].User.Id)
+
+	// Even tho we are logging in again with the same user, the previous key has been expired
+	// and a new one has been generated. The node entry in the database should be the same
+	// as the user + machinekey still matches.
+	assert.Equal(t, listNodes[0].MachineKey, listNodesAfterLoggingBackIn[0].MachineKey)
+	assert.NotEqual(t, listNodes[0].NodeKey, listNodesAfterLoggingBackIn[0].NodeKey)
+	assert.Equal(t, listNodes[0].Id, listNodesAfterLoggingBackIn[0].Id)
+
+	// The "logged back in" machine should have the same machinekey but a different nodekey
+	// than the version logged in with a different user.
+	assert.Equal(t, listNodesAfterLoggingBackIn[0].MachineKey, listNodesAfterLoggingBackIn[1].MachineKey)
+	assert.NotEqual(t, listNodesAfterLoggingBackIn[0].NodeKey, listNodesAfterLoggingBackIn[1].NodeKey)
+}
+
 func (s *AuthOIDCScenario) CreateHeadscaleEnv(
 	users map[string]int,
 	opts ...hsic.Option,
@@ -770,11 +951,6 @@ func (t LoggingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error
 func (s *AuthOIDCScenario) runTailscaleUp(
 	userStr, loginServer string,
 ) error {
-	headscale, err := s.Headscale()
-	if err != nil {
-		return err
-	}
-
 	log.Printf("running tailscale up for user %s", userStr)
 	if user, ok := s.users[userStr]; ok {
 		for _, client := range user.Clients {
@@ -785,59 +961,11 @@ func (s *AuthOIDCScenario) runTailscaleUp(
 					log.Printf("%s failed to run tailscale up: %s", tsc.Hostname(), err)
 				}
 
-				loginURL.Host = fmt.Sprintf("%s:8080", headscale.GetHostname())
-				loginURL.Scheme = "http"
-
-				if len(headscale.GetCert()) > 0 {
-					loginURL.Scheme = "https"
-				}
-
-				httptest.NewRecorder()
-				hc := &http.Client{
-					Transport: LoggingRoundTripper{},
-				}
-				hc.Jar, err = cookiejar.New(nil)
+				_, err = doLoginURL(tsc.Hostname(), loginURL)
 				if err != nil {
-					log.Printf("failed to create cookie jar: %s", err)
-				}
-
-				log.Printf("%s login url: %s\n", tsc.Hostname(), loginURL.String())
-
-				log.Printf("%s logging in with url", tsc.Hostname())
-				ctx := context.Background()
-				req, _ := http.NewRequestWithContext(ctx, http.MethodGet, loginURL.String(), nil)
-				resp, err := hc.Do(req)
-				if err != nil {
-					log.Printf(
-						"%s failed to login using url %s: %s",
-						tsc.Hostname(),
-						loginURL,
-						err,
-					)
-
 					return err
 				}
 
-				log.Printf("cookies: %+v", hc.Jar.Cookies(loginURL))
-
-				if resp.StatusCode != http.StatusOK {
-					log.Printf("%s response code of oidc login request was %s", tsc.Hostname(), resp.Status)
-					body, _ := io.ReadAll(resp.Body)
-					log.Printf("body: %s", body)
-
-					return errStatusCodeNotOK
-				}
-
-				defer resp.Body.Close()
-
-				_, err = io.ReadAll(resp.Body)
-				if err != nil {
-					log.Printf("%s failed to read response body: %s", tsc.Hostname(), err)
-
-					return err
-				}
-
-				log.Printf("Finished request for %s to join tailnet", tsc.Hostname())
 				return nil
 			})
 
@@ -865,6 +993,49 @@ func (s *AuthOIDCScenario) runTailscaleUp(
 	return fmt.Errorf("failed to up tailscale node: %w", errNoUserAvailable)
 }
 
+// doLoginURL visits the given login URL and returns the body as a
+// string.
+func doLoginURL(hostname string, loginURL *url.URL) (string, error) {
+	log.Printf("%s login url: %s\n", hostname, loginURL.String())
+
+	var err error
+	hc := &http.Client{
+		Transport: LoggingRoundTripper{},
+	}
+	hc.Jar, err = cookiejar.New(nil)
+	if err != nil {
+		return "", fmt.Errorf("%s failed to create cookiejar	: %w", hostname, err)
+	}
+
+	log.Printf("%s logging in with url", hostname)
+	ctx := context.Background()
+	req, _ := http.NewRequestWithContext(ctx, http.MethodGet, loginURL.String(), nil)
+	resp, err := hc.Do(req)
+	if err != nil {
+		return "", fmt.Errorf("%s failed to send http request: %w", hostname, err)
+	}
+
+	log.Printf("cookies: %+v", hc.Jar.Cookies(loginURL))
+
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(resp.Body)
+		log.Printf("body: %s", body)
+
+		return "", fmt.Errorf("%s response code of login request was %w", hostname, err)
+	}
+
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		log.Printf("%s failed to read response body: %s", hostname, err)
+
+		return "", fmt.Errorf("%s failed to read response body: %w", hostname, err)
+	}
+
+	return string(body), nil
+}
+
 func (s *AuthOIDCScenario) Shutdown() {
 	err := s.pool.Purge(s.mockOIDC)
 	if err != nil {

integration/auth_web_flow_test.go

@@ -1,13 +1,9 @@
 package integration
 
 import (
-	"context"
-	"crypto/tls"
 	"errors"
 	"fmt"
-	"io"
 	"log"
-	"net/http"
 	"net/netip"
 	"net/url"
 	"strings"
@@ -15,6 +11,8 @@ import (
 
 	"github.com/juanfont/headscale/integration/hsic"
 	"github.com/samber/lo"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 var errParseAuthPage = errors.New("failed to parse auth page")
@@ -47,7 +45,6 @@ func TestAuthWebFlowAuthenticationPingAll(t *testing.T) {
 		hsic.WithTestName("webauthping"),
 		hsic.WithEmbeddedDERPServerOnly(),
 		hsic.WithTLS(),
-		hsic.WithHostnameAsServerURL(),
 	)
 	assertNoErrHeadscaleEnv(t, err)
 
@@ -87,7 +84,10 @@ func TestAuthWebFlowLogoutAndRelogin(t *testing.T) {
 		"user2": len(MustTestVersions),
 	}
 
-	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("weblogout"))
+	err = scenario.CreateHeadscaleEnv(spec,
+		hsic.WithTestName("weblogout"),
+		hsic.WithTLS(),
+	)
 	assertNoErrHeadscaleEnv(t, err)
 
 	allClients, err := scenario.ListTailscaleClients()
@@ -108,6 +108,14 @@ func TestAuthWebFlowLogoutAndRelogin(t *testing.T) {
 	success := pingAllHelper(t, allClients, allAddrs)
 	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))
 
+	headscale, err := scenario.Headscale()
+	assertNoErrGetHeadscale(t, err)
+
+	listNodes, err := headscale.ListNodes()
+	assert.Equal(t, len(listNodes), len(allClients))
+	nodeCountBeforeLogout := len(listNodes)
+	t.Logf("node count before logout: %d", nodeCountBeforeLogout)
+
 	clientIPs := make(map[TailscaleClient][]netip.Addr)
 	for _, client := range allClients {
 		ips, err := client.IPs()
@@ -129,21 +137,15 @@ func TestAuthWebFlowLogoutAndRelogin(t *testing.T) {
 
 	t.Logf("all clients logged out")
 
-	headscale, err := scenario.Headscale()
-	assertNoErrGetHeadscale(t, err)
-
 	for userName := range spec {
 		err = scenario.runTailscaleUp(userName, headscale.GetEndpoint())
 		if err != nil {
-			t.Fatalf("failed to run tailscale up: %s", err)
+			t.Fatalf("failed to run tailscale up (%q): %s", headscale.GetEndpoint(), err)
 		}
 	}
 
 	t.Logf("all clients logged in again")
 
-	allClients, err = scenario.ListTailscaleClients()
-	assertNoErrListClients(t, err)
-
 	allIps, err = scenario.ListTailscaleClientsIPs()
 	assertNoErrListClientIPs(t, err)
 
@@ -154,6 +156,10 @@ func TestAuthWebFlowLogoutAndRelogin(t *testing.T) {
 	success = pingAllHelper(t, allClients, allAddrs)
 	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))
 
+	listNodes, err = headscale.ListNodes()
+	require.Equal(t, nodeCountBeforeLogout, len(listNodes))
+	t.Logf("node count first login: %d, after relogin: %d", nodeCountBeforeLogout, len(listNodes))
+
 	for _, client := range allClients {
 		ips, err := client.IPs()
 		if err != nil {
@@ -227,11 +233,12 @@ func (s *AuthWebFlowScenario) CreateHeadscaleEnv(
 func (s *AuthWebFlowScenario) runTailscaleUp(
 	userStr, loginServer string,
 ) error {
-	log.Printf("running tailscale up for user %s", userStr)
+	log.Printf("running tailscale up for user %q", userStr)
 	if user, ok := s.users[userStr]; ok {
 		for _, client := range user.Clients {
 			c := client
 			user.joinWaitGroup.Go(func() error {
+				log.Printf("logging %q into %q", c.Hostname(), loginServer)
 				loginURL, err := c.LoginWithURL(loginServer)
 				if err != nil {
 					log.Printf("failed to run tailscale up (%s): %s", c.Hostname(), err)
@@ -273,39 +280,11 @@ func (s *AuthWebFlowScenario) runTailscaleUp(
 }
 
 func (s *AuthWebFlowScenario) runHeadscaleRegister(userStr string, loginURL *url.URL) error {
-	headscale, err := s.Headscale()
+	body, err := doLoginURL("web-auth-not-set", loginURL)
 	if err != nil {
 		return err
 	}
 
-	log.Printf("loginURL: %s", loginURL)
-	loginURL.Host = fmt.Sprintf("%s:8080", headscale.GetIP())
-	loginURL.Scheme = "http"
-
-	if len(headscale.GetCert()) > 0 {
-		loginURL.Scheme = "https"
-	}
-
-	insecureTransport := &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // nolint
-	}
-	httpClient := &http.Client{
-		Transport: insecureTransport,
-	}
-	ctx := context.Background()
-	req, _ := http.NewRequestWithContext(ctx, http.MethodGet, loginURL.String(), nil)
-	resp, err := httpClient.Do(req)
-	if err != nil {
-		return err
-	}
-
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return err
-	}
-
-	defer resp.Body.Close()
-
 	// see api.go HTML template
 	codeSep := strings.Split(string(body), "</code>")
 	if len(codeSep) != 2 {

integration/cli_test.go

@@ -12,6 +12,7 @@ import (
 	"github.com/google/go-cmp/cmp/cmpopts"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/juanfont/headscale/hscontrol/policy"
+	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/juanfont/headscale/integration/hsic"
 	"github.com/juanfont/headscale/integration/tsic"
 	"github.com/stretchr/testify/assert"
@@ -544,7 +545,6 @@ func TestPreAuthKeyCorrectUserLoggedInCommand(t *testing.T) {
 		hsic.WithTestName("clipak"),
 		hsic.WithEmbeddedDERPServerOnly(),
 		hsic.WithTLS(),
-		hsic.WithHostnameAsServerURL(),
 	)
 	assertNoErr(t, err)
 
@@ -606,22 +606,12 @@ func TestPreAuthKeyCorrectUserLoggedInCommand(t *testing.T) {
 		t.Fatalf("expected node to be logged in as userid:2, got: %s", status.Self.UserID.String())
 	}
 
-	var listNodes []v1.Node
-	err = executeAndUnmarshal(
-		headscale,
-		[]string{
-			"headscale",
-			"nodes",
-			"list",
-			"--output",
-			"json",
-		},
-		&listNodes,
-	)
+	listNodes, err := headscale.ListNodes()
 	assert.Nil(t, err)
-	assert.Len(t, listNodes, 1)
+	assert.Len(t, listNodes, 2)
 
-	assert.Equal(t, "user2", listNodes[0].GetUser().GetName())
+	assert.Equal(t, "user1", listNodes[0].GetUser().GetName())
+	assert.Equal(t, "user2", listNodes[1].GetUser().GetName())
 }
 
 func TestApiKeyCommand(t *testing.T) {
@@ -812,14 +802,14 @@ func TestNodeTagCommand(t *testing.T) {
 	headscale, err := scenario.Headscale()
 	assertNoErr(t, err)
 
-	machineKeys := []string{
-		"mkey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
-		"mkey:6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
+	regIDs := []string{
+		types.MustRegistrationID().String(),
+		types.MustRegistrationID().String(),
 	}
-	nodes := make([]*v1.Node, len(machineKeys))
+	nodes := make([]*v1.Node, len(regIDs))
 	assert.Nil(t, err)
 
-	for index, machineKey := range machineKeys {
+	for index, regID := range regIDs {
 		_, err := headscale.Execute(
 			[]string{
 				"headscale",
@@ -830,7 +820,7 @@ func TestNodeTagCommand(t *testing.T) {
 				"--user",
 				"user1",
 				"--key",
-				machineKey,
+				regID,
 				"--output",
 				"json",
 			},
@@ -847,7 +837,7 @@ func TestNodeTagCommand(t *testing.T) {
 				"user1",
 				"register",
 				"--key",
-				machineKey,
+				regID,
 				"--output",
 				"json",
 			},
@@ -857,7 +847,7 @@ func TestNodeTagCommand(t *testing.T) {
 
 		nodes[index] = &node
 	}
-	assert.Len(t, nodes, len(machineKeys))
+	assert.Len(t, nodes, len(regIDs))
 
 	var node v1.Node
 	err = executeAndUnmarshal(
@@ -889,7 +879,7 @@ func TestNodeTagCommand(t *testing.T) {
 	assert.ErrorContains(t, err, "tag must start with the string 'tag:'")
 
 	// Test list all nodes after added seconds
-	resultMachines := make([]*v1.Node, len(machineKeys))
+	resultMachines := make([]*v1.Node, len(regIDs))
 	err = executeAndUnmarshal(
 		headscale,
 		[]string{
@@ -1054,18 +1044,17 @@ func TestNodeCommand(t *testing.T) {
 	headscale, err := scenario.Headscale()
 	assertNoErr(t, err)
 
-	// Pregenerated machine keys
-	machineKeys := []string{
-		"mkey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
-		"mkey:6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
-		"mkey:f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
-		"mkey:8bc13285cee598acf76b1824a6f4490f7f2e3751b201e28aeb3b07fe81d5b4a1",
-		"mkey:cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
+	regIDs := []string{
+		types.MustRegistrationID().String(),
+		types.MustRegistrationID().String(),
+		types.MustRegistrationID().String(),
+		types.MustRegistrationID().String(),
+		types.MustRegistrationID().String(),
 	}
-	nodes := make([]*v1.Node, len(machineKeys))
+	nodes := make([]*v1.Node, len(regIDs))
 	assert.Nil(t, err)
 
-	for index, machineKey := range machineKeys {
+	for index, regID := range regIDs {
 		_, err := headscale.Execute(
 			[]string{
 				"headscale",
@@ -1076,7 +1065,7 @@ func TestNodeCommand(t *testing.T) {
 				"--user",
 				"node-user",
 				"--key",
-				machineKey,
+				regID,
 				"--output",
 				"json",
 			},
@@ -1093,7 +1082,7 @@ func TestNodeCommand(t *testing.T) {
 				"node-user",
 				"register",
 				"--key",
-				machineKey,
+				regID,
 				"--output",
 				"json",
 			},
@@ -1104,7 +1093,7 @@ func TestNodeCommand(t *testing.T) {
 		nodes[index] = &node
 	}
 
-	assert.Len(t, nodes, len(machineKeys))
+	assert.Len(t, nodes, len(regIDs))
 
 	// Test list all nodes after added seconds
 	var listAll []v1.Node
@@ -1135,14 +1124,14 @@ func TestNodeCommand(t *testing.T) {
 	assert.Equal(t, "node-4", listAll[3].GetName())
 	assert.Equal(t, "node-5", listAll[4].GetName())
 
-	otherUserMachineKeys := []string{
-		"mkey:b5b444774186d4217adcec407563a1223929465ee2c68a4da13af0d0185b4f8e",
-		"mkey:dc721977ac7415aafa87f7d4574cbe07c6b171834a6d37375782bdc1fb6b3584",
+	otherUserRegIDs := []string{
+		types.MustRegistrationID().String(),
+		types.MustRegistrationID().String(),
 	}
-	otherUserMachines := make([]*v1.Node, len(otherUserMachineKeys))
+	otherUserMachines := make([]*v1.Node, len(otherUserRegIDs))
 	assert.Nil(t, err)
 
-	for index, machineKey := range otherUserMachineKeys {
+	for index, regID := range otherUserRegIDs {
 		_, err := headscale.Execute(
 			[]string{
 				"headscale",
@@ -1153,7 +1142,7 @@ func TestNodeCommand(t *testing.T) {
 				"--user",
 				"other-user",
 				"--key",
-				machineKey,
+				regID,
 				"--output",
 				"json",
 			},
@@ -1170,7 +1159,7 @@ func TestNodeCommand(t *testing.T) {
 				"other-user",
 				"register",
 				"--key",
-				machineKey,
+				regID,
 				"--output",
 				"json",
 			},
@@ -1181,7 +1170,7 @@ func TestNodeCommand(t *testing.T) {
 		otherUserMachines[index] = &node
 	}
 
-	assert.Len(t, otherUserMachines, len(otherUserMachineKeys))
+	assert.Len(t, otherUserMachines, len(otherUserRegIDs))
 
 	// Test list all nodes after added otherUser
 	var listAllWithotherUser []v1.Node
@@ -1294,17 +1283,16 @@ func TestNodeExpireCommand(t *testing.T) {
 	headscale, err := scenario.Headscale()
 	assertNoErr(t, err)
 
-	// Pregenerated machine keys
-	machineKeys := []string{
-		"mkey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
-		"mkey:6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
-		"mkey:f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
-		"mkey:8bc13285cee598acf76b1824a6f4490f7f2e3751b201e28aeb3b07fe81d5b4a1",
-		"mkey:cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
+	regIDs := []string{
+		types.MustRegistrationID().String(),
+		types.MustRegistrationID().String(),
+		types.MustRegistrationID().String(),
+		types.MustRegistrationID().String(),
+		types.MustRegistrationID().String(),
 	}
-	nodes := make([]*v1.Node, len(machineKeys))
+	nodes := make([]*v1.Node, len(regIDs))
 
-	for index, machineKey := range machineKeys {
+	for index, regID := range regIDs {
 		_, err := headscale.Execute(
 			[]string{
 				"headscale",
@@ -1315,7 +1303,7 @@ func TestNodeExpireCommand(t *testing.T) {
 				"--user",
 				"node-expire-user",
 				"--key",
-				machineKey,
+				regID,
 				"--output",
 				"json",
 			},
@@ -1332,7 +1320,7 @@ func TestNodeExpireCommand(t *testing.T) {
 				"node-expire-user",
 				"register",
 				"--key",
-				machineKey,
+				regID,
 				"--output",
 				"json",
 			},
@@ -1343,7 +1331,7 @@ func TestNodeExpireCommand(t *testing.T) {
 		nodes[index] = &node
 	}
 
-	assert.Len(t, nodes, len(machineKeys))
+	assert.Len(t, nodes, len(regIDs))
 
 	var listAll []v1.Node
 	err = executeAndUnmarshal(
@@ -1421,18 +1409,17 @@ func TestNodeRenameCommand(t *testing.T) {
 	headscale, err := scenario.Headscale()
 	assertNoErr(t, err)
 
-	// Pregenerated machine keys
-	machineKeys := []string{
-		"mkey:cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
-		"mkey:8bc13285cee598acf76b1824a6f4490f7f2e3751b201e28aeb3b07fe81d5b4a1",
-		"mkey:f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
-		"mkey:6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
-		"mkey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
+	regIDs := []string{
+		types.MustRegistrationID().String(),
+		types.MustRegistrationID().String(),
+		types.MustRegistrationID().String(),
+		types.MustRegistrationID().String(),
+		types.MustRegistrationID().String(),
 	}
-	nodes := make([]*v1.Node, len(machineKeys))
+	nodes := make([]*v1.Node, len(regIDs))
 	assert.Nil(t, err)
 
-	for index, machineKey := range machineKeys {
+	for index, regID := range regIDs {
 		_, err := headscale.Execute(
 			[]string{
 				"headscale",
@@ -1443,7 +1430,7 @@ func TestNodeRenameCommand(t *testing.T) {
 				"--user",
 				"node-rename-command",
 				"--key",
-				machineKey,
+				regID,
 				"--output",
 				"json",
 			},
@@ -1460,7 +1447,7 @@ func TestNodeRenameCommand(t *testing.T) {
 				"node-rename-command",
 				"register",
 				"--key",
-				machineKey,
+				regID,
 				"--output",
 				"json",
 			},
@@ -1471,7 +1458,7 @@ func TestNodeRenameCommand(t *testing.T) {
 		nodes[index] = &node
 	}
 
-	assert.Len(t, nodes, len(machineKeys))
+	assert.Len(t, nodes, len(regIDs))
 
 	var listAll []v1.Node
 	err = executeAndUnmarshal(
@@ -1589,7 +1576,7 @@ func TestNodeMoveCommand(t *testing.T) {
 	assertNoErr(t, err)
 
 	// Randomly generated node key
-	machineKey := "mkey:688411b767663479632d44140f08a9fde87383adc7cdeb518f62ce28a17ef0aa"
+	regID := types.MustRegistrationID()
 
 	_, err = headscale.Execute(
 		[]string{
@@ -1601,7 +1588,7 @@ func TestNodeMoveCommand(t *testing.T) {
 			"--user",
 			"old-user",
 			"--key",
-			machineKey,
+			regID.String(),
 			"--output",
 			"json",
 		},
@@ -1618,7 +1605,7 @@ func TestNodeMoveCommand(t *testing.T) {
 			"old-user",
 			"register",
 			"--key",
-			machineKey,
+			regID.String(),
 			"--output",
 			"json",
 		},
@@ -1840,7 +1827,7 @@ func TestPolicyBrokenConfigCommand(t *testing.T) {
 			{
 				// This is an unknown action, so it will return an error
 				// and the config will not be applied.
-				Action:       "acccept",
+				Action:       "unknown-action",
 				Sources:      []string{"*"},
 				Destinations: []string{"*:*"},
 			},

integration/control.go

@@ -17,7 +17,8 @@ type ControlServer interface {
 	WaitForRunning() error
 	CreateUser(user string) error
 	CreateAuthKey(user string, reusable bool, ephemeral bool) (*v1.PreAuthKey, error)
-	ListNodesInUser(user string) ([]*v1.Node, error)
+	ListNodes(users ...string) ([]*v1.Node, error)
+	ListUsers() ([]*v1.User, error)
 	GetCert() []byte
 	GetHostname() string
 	GetIP() string

integration/derp_verify_endpoint_test.go

@@ -69,7 +69,6 @@ func TestDERPVerifyEndpoint(t *testing.T) {
 		hsic.WithHostname(hostname),
 		hsic.WithPort(headscalePort),
 		hsic.WithCustomTLS(certHeadscale, keyHeadscale),
-		hsic.WithHostnameAsServerURL(),
 		hsic.WithDERPConfig(derpMap))
 	assertNoErrHeadscaleEnv(t, err)
 

integration/dns_test.go

@@ -123,7 +123,6 @@ func TestResolveMagicDNSExtraRecordsPath(t *testing.T) {
 		hsic.WithFileInContainer(erPath, b),
 		hsic.WithEmbeddedDERPServerOnly(),
 		hsic.WithTLS(),
-		hsic.WithHostnameAsServerURL(),
 	)
 	assertNoErrHeadscaleEnv(t, err)
 
@@ -270,7 +269,7 @@ func TestValidateResolvConf(t *testing.T) {
 				"HEADSCALE_DNS_NAMESERVERS_GLOBAL": "",
 			},
 			wantConfCompareFunc: func(t *testing.T, got string) {
-				assert.NotContains(t, got, "100.100.100.100")
+				assert.Contains(t, got, "Generated by Docker Engine")
 			},
 		},
 		{
@@ -349,7 +348,7 @@ func TestValidateResolvConf(t *testing.T) {
 				"HEADSCALE_DNS_BASE_DOMAIN":        "all-of.it",
 				"HEADSCALE_DNS_NAMESERVERS_GLOBAL": `8.8.8.8`,
 				"HEADSCALE_DNS_SEARCH_DOMAINS":     "test1.no test2.no",
-				// TODO(kradalby): this currently isnt working, need to fix it
+				// TODO(kradalby): this currently isn't working, need to fix it
 				// "HEADSCALE_DNS_NAMESERVERS_SPLIT": `{foo.bar.com: ["1.1.1.1"]}`,
 				// "HEADSCALE_DNS_EXTRA_RECORDS":     `[{ name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.4" }]`,
 			},

integration/dockertestutil/network.go

@@ -3,6 +3,7 @@ package dockertestutil
 import (
 	"errors"
 	"net"
+	"fmt"
 
 	"github.com/ory/dockertest/v3"
 	"github.com/ory/dockertest/v3/docker"
@@ -12,7 +13,10 @@ var ErrContainerNotFound = errors.New("container not found")
 
 func GetFirstOrCreateNetwork(pool *dockertest.Pool, name string) (*dockertest.Network, error) {
 	networks, err := pool.NetworksByName(name)
-	if err != nil || len(networks) == 0 {
+	if err != nil {
+		return nil, fmt.Errorf("looking up network names: %w", err)
+	}
+	if len(networks) == 0 {
 		if _, err := pool.CreateNetwork(name); err == nil {
 			// Create does not give us an updated version of the resource, so we need to
 			// get it again.
@@ -22,6 +26,8 @@ func GetFirstOrCreateNetwork(pool *dockertest.Pool, name string) (*dockertest.Ne
 			}
 
 			return &networks[0], nil
+		} else {
+			return nil, fmt.Errorf("creating network: %w", err)
 		}
 	}
 
@@ -50,7 +56,7 @@ func AddContainerToNetwork(
 		return err
 	}
 
-	// TODO(kradalby): This doesnt work reliably, but calling the exact same functions
+	// TODO(kradalby): This doesn't work reliably, but calling the exact same functions
 	// seem to work fine...
 	// if container, ok := pool.ContainerByName("/" + testContainer); ok {
 	// 	err := container.ConnectToNetwork(network)

integration/dsic/dsic.go

@@ -163,8 +163,8 @@ func New(
 		runOptions.WorkingDir = dsic.workdir
 	}
 
-	// dockertest isnt very good at handling containers that has already
-	// been created, this is an attempt to make sure this container isnt
+	// dockertest isn't very good at handling containers that has already
+	// been created, this is an attempt to make sure this container isn't
 	// present.
 	err = pool.RemoveContainerByName(hostname)
 	if err != nil {

integration/embedded_derp_test.go

@@ -105,7 +105,6 @@ func derpServerScenario(
 		hsic.WithEmbeddedDERPServerOnly(),
 		hsic.WithPort(443),
 		hsic.WithTLS(),
-		hsic.WithHostnameAsServerURL(),
 		hsic.WithConfigEnv(map[string]string{
 			"HEADSCALE_DERP_AUTO_UPDATE_ENABLED": "true",
 			"HEADSCALE_DERP_UPDATE_FREQUENCY":    "10s",

integration/general_test.go

@@ -44,7 +44,6 @@ func TestPingAllByIP(t *testing.T) {
 		hsic.WithTestName("pingallbyip"),
 		hsic.WithEmbeddedDERPServerOnly(),
 		hsic.WithTLS(),
-		hsic.WithHostnameAsServerURL(),
 		hsic.WithIPAllocationStrategy(types.IPAllocationStrategyRandom),
 	)
 	assertNoErrHeadscaleEnv(t, err)
@@ -106,140 +105,6 @@ func TestPingAllByIPPublicDERP(t *testing.T) {
 	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))
 }
 
-func TestAuthKeyLogoutAndRelogin(t *testing.T) {
-	IntegrationSkip(t)
-	t.Parallel()
-
-	for _, https := range []bool{true, false} {
-		t.Run(fmt.Sprintf("with-https-%t", https), func(t *testing.T) {
-			scenario, err := NewScenario(dockertestMaxWait())
-			assertNoErr(t, err)
-			defer scenario.ShutdownAssertNoPanics(t)
-
-			spec := map[string]int{
-				"user1": len(MustTestVersions),
-				"user2": len(MustTestVersions),
-			}
-
-			opts := []hsic.Option{hsic.WithTestName("pingallbyip")}
-			if https {
-				opts = []hsic.Option{
-					hsic.WithTestName("pingallbyip"),
-					hsic.WithEmbeddedDERPServerOnly(),
-					hsic.WithTLS(),
-					hsic.WithHostnameAsServerURL(),
-				}
-			}
-
-			err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, opts...)
-			assertNoErrHeadscaleEnv(t, err)
-
-			allClients, err := scenario.ListTailscaleClients()
-			assertNoErrListClients(t, err)
-
-			err = scenario.WaitForTailscaleSync()
-			assertNoErrSync(t, err)
-
-			// assertClientsState(t, allClients)
-
-			clientIPs := make(map[TailscaleClient][]netip.Addr)
-			for _, client := range allClients {
-				ips, err := client.IPs()
-				if err != nil {
-					t.Fatalf("failed to get IPs for client %s: %s", client.Hostname(), err)
-				}
-				clientIPs[client] = ips
-			}
-
-			for _, client := range allClients {
-				err := client.Logout()
-				if err != nil {
-					t.Fatalf("failed to logout client %s: %s", client.Hostname(), err)
-				}
-			}
-
-			err = scenario.WaitForTailscaleLogout()
-			assertNoErrLogout(t, err)
-
-			t.Logf("all clients logged out")
-
-			headscale, err := scenario.Headscale()
-			assertNoErrGetHeadscale(t, err)
-
-			// if the server is not running with HTTPS, we have to wait a bit before
-			// reconnection as the newest Tailscale client has a measure that will only
-			// reconnect over HTTPS if they saw a noise connection previously.
-			// https://github.com/tailscale/tailscale/commit/1eaad7d3deb0815e8932e913ca1a862afa34db38
-			// https://github.com/juanfont/headscale/issues/2164
-			if !https {
-				time.Sleep(3 * time.Minute)
-			}
-
-			for userName := range spec {
-				key, err := scenario.CreatePreAuthKey(userName, true, false)
-				if err != nil {
-					t.Fatalf("failed to create pre-auth key for user %s: %s", userName, err)
-				}
-
-				err = scenario.RunTailscaleUp(userName, headscale.GetEndpoint(), key.GetKey())
-				if err != nil {
-					t.Fatalf("failed to run tailscale up for user %s: %s", userName, err)
-				}
-			}
-
-			err = scenario.WaitForTailscaleSync()
-			assertNoErrSync(t, err)
-
-			// assertClientsState(t, allClients)
-
-			allClients, err = scenario.ListTailscaleClients()
-			assertNoErrListClients(t, err)
-
-			allIps, err := scenario.ListTailscaleClientsIPs()
-			assertNoErrListClientIPs(t, err)
-
-			allAddrs := lo.Map(allIps, func(x netip.Addr, index int) string {
-				return x.String()
-			})
-
-			success := pingAllHelper(t, allClients, allAddrs)
-			t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))
-
-			for _, client := range allClients {
-				ips, err := client.IPs()
-				if err != nil {
-					t.Fatalf("failed to get IPs for client %s: %s", client.Hostname(), err)
-				}
-
-				// lets check if the IPs are the same
-				if len(ips) != len(clientIPs[client]) {
-					t.Fatalf("IPs changed for client %s", client.Hostname())
-				}
-
-				for _, ip := range ips {
-					found := false
-					for _, oldIP := range clientIPs[client] {
-						if ip == oldIP {
-							found = true
-
-							break
-						}
-					}
-
-					if !found {
-						t.Fatalf(
-							"IPs changed for client %s. Used to be %v now %v",
-							client.Hostname(),
-							clientIPs[client],
-							ips,
-						)
-					}
-				}
-			}
-		})
-	}
-}
-
 func TestEphemeral(t *testing.T) {
 	testEphemeralWithOptions(t, hsic.WithTestName("ephemeral"))
 }
@@ -318,21 +183,9 @@ func testEphemeralWithOptions(t *testing.T, opts ...hsic.Option) {
 
 	t.Logf("all clients logged out")
 
-	for userName := range spec {
-		nodes, err := headscale.ListNodesInUser(userName)
-		if err != nil {
-			log.Error().
-				Err(err).
-				Str("user", userName).
-				Msg("Error listing nodes in user")
-
-			return
-		}
-
-		if len(nodes) != 0 {
-			t.Fatalf("expected no nodes, got %d in user %s", len(nodes), userName)
-		}
-	}
+	nodes, err := headscale.ListNodes()
+	assertNoErr(t, err)
+	require.Len(t, nodes, 0)
 }
 
 // TestEphemeral2006DeletedTooQuickly verifies that ephemeral nodes are not
@@ -435,7 +288,7 @@ func TestEphemeral2006DeletedTooQuickly(t *testing.T) {
 	time.Sleep(3 * time.Minute)
 
 	for userName := range spec {
-		nodes, err := headscale.ListNodesInUser(userName)
+		nodes, err := headscale.ListNodes(userName)
 		if err != nil {
 			log.Error().
 				Err(err).
@@ -1050,7 +903,6 @@ func TestPingAllByIPManyUpDown(t *testing.T) {
 		hsic.WithTestName("pingallbyipmany"),
 		hsic.WithEmbeddedDERPServerOnly(),
 		hsic.WithTLS(),
-		hsic.WithHostnameAsServerURL(),
 	)
 	assertNoErrHeadscaleEnv(t, err)
 
@@ -1133,7 +985,6 @@ func Test2118DeletingOnlineNodePanics(t *testing.T) {
 		hsic.WithTestName("deletenocrash"),
 		hsic.WithEmbeddedDERPServerOnly(),
 		hsic.WithTLS(),
-		hsic.WithHostnameAsServerURL(),
 	)
 	assertNoErrHeadscaleEnv(t, err)
 

integration/hsic/config.go

@@ -16,7 +16,7 @@ func DefaultConfigEnv() map[string]string {
 		"HEADSCALE_POLICY_PATH":                       "",
 		"HEADSCALE_DATABASE_TYPE":                     "sqlite",
 		"HEADSCALE_DATABASE_SQLITE_PATH":              "/tmp/integration_test_db.sqlite3",
-		"HEADSCALE_DATABASE_DEBUG":                    "1",
+		"HEADSCALE_DATABASE_DEBUG":                    "0",
 		"HEADSCALE_DATABASE_GORM_SLOW_THRESHOLD":      "1",
 		"HEADSCALE_EPHEMERAL_NODE_INACTIVITY_TIMEOUT": "30m",
 		"HEADSCALE_PREFIXES_V4":                       "100.64.0.0/10",
@@ -26,14 +26,12 @@ func DefaultConfigEnv() map[string]string {
 		"HEADSCALE_DNS_NAMESERVERS_GLOBAL":            "127.0.0.11 1.1.1.1",
 		"HEADSCALE_PRIVATE_KEY_PATH":                  "/tmp/private.key",
 		"HEADSCALE_NOISE_PRIVATE_KEY_PATH":            "/tmp/noise_private.key",
-		"HEADSCALE_LISTEN_ADDR":                       "0.0.0.0:8080",
 		"HEADSCALE_METRICS_LISTEN_ADDR":               "0.0.0.0:9090",
-		"HEADSCALE_SERVER_URL":                        "http://headscale:8080",
 		"HEADSCALE_DERP_URLS":                         "https://controlplane.tailscale.com/derpmap/default",
 		"HEADSCALE_DERP_AUTO_UPDATE_ENABLED":          "false",
 		"HEADSCALE_DERP_UPDATE_FREQUENCY":             "1m",
 
-		// a bunch of tests (ACL/Policy) rely on predicable IP alloc,
+		// a bunch of tests (ACL/Policy) rely on predictable IP alloc,
 		// so ensure the sequential alloc is used by default.
 		"HEADSCALE_PREFIXES_ALLOCATION": string(types.IPAllocationStrategySequential),
 	}

integration/hsic/hsic.go

@@ -1,17 +1,17 @@
 package hsic
 
 import (
+	"cmp"
 	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 	"log"
-	"net"
 	"net/http"
-	"net/url"
 	"os"
 	"path"
+	"sort"
 	"strconv"
 	"strings"
 	"time"
@@ -166,17 +166,6 @@ func WithHostname(hostname string) Option {
 	}
 }
 
-// WithHostnameAsServerURL sets the Headscale ServerURL based on
-// the Hostname.
-func WithHostnameAsServerURL() Option {
-	return func(hsic *HeadscaleInContainer) {
-		hsic.env["HEADSCALE_SERVER_URL"] = fmt.Sprintf("http://%s",
-			net.JoinHostPort(hsic.GetHostname(),
-				fmt.Sprintf("%d", hsic.port)),
-		)
-	}
-}
-
 // WithFileInContainer adds a file to the container at the given path.
 func WithFileInContainer(path string, contents []byte) Option {
 	return func(hsic *HeadscaleInContainer) {
@@ -297,16 +286,6 @@ func New(
 
 	portProto := fmt.Sprintf("%d/tcp", hsic.port)
 
-	serverURL, err := url.Parse(hsic.env["HEADSCALE_SERVER_URL"])
-	if err != nil {
-		return nil, err
-	}
-
-	if len(hsic.tlsCert) != 0 && len(hsic.tlsKey) != 0 {
-		serverURL.Scheme = "https"
-		hsic.env["HEADSCALE_SERVER_URL"] = serverURL.String()
-	}
-
 	headscaleBuildOptions := &dockertest.BuildOptions{
 		Dockerfile: IntegrationTestDockerFileName,
 		ContextDir: dockerContextPath,
@@ -352,6 +331,12 @@ func New(
 		hsic.env["HEADSCALE_TLS_CERT_PATH"] = tlsCertPath
 		hsic.env["HEADSCALE_TLS_KEY_PATH"] = tlsKeyPath
 	}
+
+	// Server URL and Listen Addr should not be overridable outside of
+	// the configuration passed to docker.
+	hsic.env["HEADSCALE_SERVER_URL"] = hsic.GetEndpoint()
+	hsic.env["HEADSCALE_LISTEN_ADDR"] = fmt.Sprintf("0.0.0.0:%d", hsic.port)
+
 	for key, value := range hsic.env {
 		env = append(env, fmt.Sprintf("%s=%s", key, value))
 	}
@@ -381,8 +366,8 @@ func New(
 		}
 	}
 
-	// dockertest isnt very good at handling containers that has already
-	// been created, this is an attempt to make sure this container isnt
+	// dockertest isn't very good at handling containers that has already
+	// been created, this is an attempt to make sure this container isn't
 	// present.
 	err = pool.RemoveContainerByName(hsic.hostname)
 	if err != nil {
@@ -649,7 +634,7 @@ func (t *HeadscaleInContainer) GetHealthEndpoint() string {
 // GetEndpoint returns the Headscale endpoint for the HeadscaleInContainer.
 func (t *HeadscaleInContainer) GetEndpoint() string {
 	hostEndpoint := fmt.Sprintf("%s:%d",
-		t.GetIP(),
+		t.GetHostname(),
 		t.port)
 
 	if t.hasTLS() {
@@ -761,12 +746,58 @@ func (t *HeadscaleInContainer) CreateAuthKey(
 	return &preAuthKey, nil
 }
 
-// ListNodesInUser list the TailscaleClients (Node, Headscale internal representation)
-// associated with a user.
-func (t *HeadscaleInContainer) ListNodesInUser(
-	user string,
+// ListNodes lists the currently registered Nodes in headscale.
+// Optionally a list of usernames can be passed to get users for
+// specific users.
+func (t *HeadscaleInContainer) ListNodes(
+	users ...string,
 ) ([]*v1.Node, error) {
-	command := []string{"headscale", "--user", user, "nodes", "list", "--output", "json"}
+	var ret []*v1.Node
+	execUnmarshal := func(command []string) error {
+		result, _, err := dockertestutil.ExecuteCommand(
+			t.container,
+			command,
+			[]string{},
+		)
+		if err != nil {
+			return fmt.Errorf("failed to execute list node command: %w", err)
+		}
+
+		var nodes []*v1.Node
+		err = json.Unmarshal([]byte(result), &nodes)
+		if err != nil {
+			return fmt.Errorf("failed to unmarshal nodes: %w", err)
+		}
+
+		ret = append(ret, nodes...)
+		return nil
+	}
+
+	if len(users) == 0 {
+		err := execUnmarshal([]string{"headscale", "nodes", "list", "--output", "json"})
+		if err != nil {
+			return nil, err
+		}
+	} else {
+		for _, user := range users {
+			command := []string{"headscale", "--user", user, "nodes", "list", "--output", "json"}
+
+			err := execUnmarshal(command)
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
+
+	sort.Slice(ret, func(i, j int) bool {
+		return cmp.Compare(ret[i].GetId(), ret[j].GetId()) == -1
+	})
+	return ret, nil
+}
+
+// ListUsers returns a list of users from Headscale.
+func (t *HeadscaleInContainer) ListUsers() ([]*v1.User, error) {
+	command := []string{"headscale", "users", "list", "--output", "json"}
 
 	result, _, err := dockertestutil.ExecuteCommand(
 		t.container,
@@ -777,13 +808,13 @@ func (t *HeadscaleInContainer) ListNodesInUser(
 		return nil, fmt.Errorf("failed to execute list node command: %w", err)
 	}
 
-	var nodes []*v1.Node
-	err = json.Unmarshal([]byte(result), &nodes)
+	var users []*v1.User
+	err = json.Unmarshal([]byte(result), &users)
 	if err != nil {
 		return nil, fmt.Errorf("failed to unmarshal nodes: %w", err)
 	}
 
-	return nodes, nil
+	return users, nil
 }
 
 // WriteFile save file inside the Headscale container.

integration/scenario.go

@@ -12,6 +12,7 @@ import (
 	"time"
 
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/hscontrol/capver"
 	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/juanfont/headscale/integration/dockertestutil"
 	"github.com/juanfont/headscale/integration/dsic"
@@ -33,71 +34,11 @@ const (
 
 var usePostgresForTest = envknob.Bool("HEADSCALE_INTEGRATION_POSTGRES")
 
-func enabledVersions(vs map[string]bool) []string {
-	var ret []string
-	for version, enabled := range vs {
-		if enabled {
-			ret = append(ret, version)
-		}
-	}
-
-	sort.Sort(sort.Reverse(sort.StringSlice(ret)))
-
-	return ret
-}
-
 var (
 	errNoHeadscaleAvailable = errors.New("no headscale available")
 	errNoUserAvailable      = errors.New("no user available")
 	errNoClientFound        = errors.New("client not found")
 
-	// Tailscale started adding TS2021 support in CapabilityVersion>=28 (v1.24.0), but
-	// proper support in Headscale was only added for CapabilityVersion>=39 clients (v1.30.0).
-	tailscaleVersions2021 = map[string]bool{
-		"head":     true,
-		"unstable": true,
-		"1.74":     true,  // CapVer: 106
-		"1.72":     true,  // CapVer: 104
-		"1.70":     true,  // CapVer: 102
-		"1.68":     true,  // CapVer: 97
-		"1.66":     true,  // CapVer: 95
-		"1.64":     true,  // CapVer: 90
-		"1.62":     true,  // CapVer: 88
-		"1.60":     true,  // CapVer: 87
-		"1.58":     true,  // CapVer: 85
-		"1.56":     true,  // Oldest supported version, CapVer: 82
-		"1.54":     false, // CapVer: 79
-		"1.52":     false, // CapVer: 79
-		"1.50":     false, // CapVer: 74
-		"1.48":     false, // CapVer: 68
-		"1.46":     false, // CapVer: 65
-		"1.44":     false, // CapVer: 63
-		"1.42":     false, // CapVer: 61
-		"1.40":     false, // CapVer: 61
-		"1.38":     false, // CapVer: 58
-		"1.36":     false, // CapVer: 56
-		"1.34":     false, // CapVer: 51
-		"1.32":     false, // CapVer: 46
-		"1.30":     false,
-	}
-
-	tailscaleVersions2019 = map[string]bool{
-		"1.28": false,
-		"1.26": false,
-		"1.24": false, // Tailscale SSH
-		"1.22": false,
-		"1.20": false,
-		"1.18": false,
-	}
-
-	// tailscaleVersionsUnavailable = []string{
-	// 	// These versions seem to fail when fetching from apt.
-	// "1.14.6",
-	// "1.12.4",
-	// "1.10.2",
-	// "1.8.7",
-	// }.
-
 	// AllVersions represents a list of Tailscale versions the suite
 	// uses to test compatibility with the ControlServer.
 	//
@@ -107,10 +48,7 @@ var (
 	//
 	// The rest of the version represents Tailscale versions that can be
 	// found in Tailscale's apt repository.
-	AllVersions = append(
-		enabledVersions(tailscaleVersions2021),
-		enabledVersions(tailscaleVersions2019)...,
-	)
+	AllVersions = append([]string{"head", "unstable"}, capver.TailscaleLatestMajorMinor(10, true)...)
 
 	// MustTestVersions is the minimum set of versions we should test.
 	// At the moment, this is arbitrarily chosen as:
@@ -347,6 +285,51 @@ func (s *Scenario) CreateUser(user string) error {
 
 /// Client related stuff
 
+func (s *Scenario) CreateTailscaleNode(
+	version string,
+	opts ...tsic.Option,
+) (TailscaleClient, error) {
+	headscale, err := s.Headscale()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create tailscale node (version: %s): %w", version, err)
+	}
+
+	cert := headscale.GetCert()
+	hostname := headscale.GetHostname()
+
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	opts = append(opts,
+		tsic.WithCACert(cert),
+		tsic.WithHeadscaleName(hostname),
+	)
+
+	tsClient, err := tsic.New(
+		s.pool,
+		version,
+		s.network,
+		opts...,
+	)
+	if err != nil {
+		return nil, fmt.Errorf(
+			"failed to create tailscale (%s) node: %w",
+			tsClient.Hostname(),
+			err,
+		)
+	}
+
+	err = tsClient.WaitForNeedsLogin()
+	if err != nil {
+		return nil, fmt.Errorf(
+			"failed to wait for tailscaled (%s) to need login: %w",
+			tsClient.Hostname(),
+			err,
+		)
+	}
+
+	return tsClient, nil
+}
+
 // CreateTailscaleNodesInUser creates and adds a new TailscaleClient to a
 // User in the Scenario.
 func (s *Scenario) CreateTailscaleNodesInUser(

integration/ssh_test.go

@@ -13,6 +13,12 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
+func isSSHNoAccessStdError(stderr string) bool {
+	return strings.Contains(stderr, "Permission denied (tailscale)") ||
+		// Since https://github.com/tailscale/tailscale/pull/14853
+		strings.Contains(stderr, "failed to evaluate SSH policy")
+}
+
 var retry = func(times int, sleepInterval time.Duration,
 	doWork func() (string, string, error),
 ) (string, string, error) {
@@ -31,8 +37,8 @@ var retry = func(times int, sleepInterval time.Duration,
 		}
 
 		// If we get a permission denied error, we can fail immediately
-		// since that is something we wont recover from by retrying.
-		if err != nil && strings.Contains(stderr, "Permission denied (tailscale)") {
+		// since that is something we won-t recover from by retrying.
+		if err != nil && isSSHNoAccessStdError(stderr) {
 			return result, stderr, err
 		}
 
@@ -410,11 +416,11 @@ func assertSSHHostname(t *testing.T, client TailscaleClient, peer TailscaleClien
 func assertSSHPermissionDenied(t *testing.T, client TailscaleClient, peer TailscaleClient) {
 	t.Helper()
 
-	result, stderr, _ := doSSH(t, client, peer)
+	result, stderr, err := doSSH(t, client, peer)
 
 	assert.Empty(t, result)
 
-	assertContains(t, stderr, "Permission denied (tailscale)")
+	assertSSHNoAccessStdError(t, err, stderr)
 }
 
 func assertSSHTimeout(t *testing.T, client TailscaleClient, peer TailscaleClient) {
@@ -429,3 +435,11 @@ func assertSSHTimeout(t *testing.T, client TailscaleClient, peer TailscaleClient
 		t.Fatalf("connection did not time out")
 	}
 }
+
+func assertSSHNoAccessStdError(t *testing.T, err error, stderr string) {
+	t.Helper()
+	assert.Error(t, err)
+	if !isSSHNoAccessStdError(stderr) {
+		t.Errorf("expected stderr output suggesting access denied, got: %s", stderr)
+	}
+}

integration/tsic/tsic.go

@@ -263,8 +263,8 @@ func New(
 		tailscaleOptions.WorkingDir = tsic.workdir
 	}
 
-	// dockertest isnt very good at handling containers that has already
-	// been created, this is an attempt to make sure this container isnt
+	// dockertest isn't very good at handling containers that has already
+	// been created, this is an attempt to make sure this container isn't
 	// present.
 	err = pool.RemoveContainerByName(hostname)
 	if err != nil {
@@ -466,7 +466,7 @@ func (t *TailscaleInContainer) Login(
 // This login mechanism uses web + command line flow for authentication.
 func (t *TailscaleInContainer) LoginWithURL(
 	loginServer string,
-) (*url.URL, error) {
+) (loginURL *url.URL, err error) {
 	command := []string{
 		"tailscale",
 		"up",
@@ -475,20 +475,27 @@ func (t *TailscaleInContainer) LoginWithURL(
 		"--accept-routes=false",
 	}
 
-	_, stderr, err := t.Execute(command)
+	stdout, stderr, err := t.Execute(command)
 	if errors.Is(err, errTailscaleNotLoggedIn) {
 		return nil, errTailscaleCannotUpWithoutAuthkey
 	}
 
-	urlStr := strings.ReplaceAll(stderr, "\nTo authenticate, visit:\n\n\t", "")
+	defer func() {
+		if err != nil {
+			log.Printf("join command: %q", strings.Join(command, " "))
+		}
+	}()
+
+	urlStr := strings.ReplaceAll(stdout+stderr, "\nTo authenticate, visit:\n\n\t", "")
 	urlStr = strings.TrimSpace(urlStr)
 
-	// parse URL
-	loginURL, err := url.Parse(urlStr)
-	if err != nil {
-		log.Printf("Could not parse login URL: %s", err)
-		log.Printf("Original join command result: %s", stderr)
+	if urlStr == "" {
+		return nil, fmt.Errorf("failed to get login URL: stdout: %s, stderr: %s", stdout, stderr)
+	}
 
+	// parse URL
+	loginURL, err = url.Parse(urlStr)
+	if err != nil {
 		return nil, err
 	}
 
@@ -497,12 +504,17 @@ func (t *TailscaleInContainer) LoginWithURL(
 
 // Logout runs the logout routine on the given Tailscale instance.
 func (t *TailscaleInContainer) Logout() error {
-	_, _, err := t.Execute([]string{"tailscale", "logout"})
+	stdout, stderr, err := t.Execute([]string{"tailscale", "logout"})
 	if err != nil {
 		return err
 	}
 
-	return nil
+	stdout, stderr, _ = t.Execute([]string{"tailscale", "status"})
+	if !strings.Contains(stdout+stderr, "Logged out.") {
+		return fmt.Errorf("failed to logout, stdout: %s, stderr: %s", stdout, stderr)
+	}
+
+	return t.waitForBackendState("NeedsLogin")
 }
 
 // Helper that runs `tailscale up` with no arguments.
@@ -826,28 +838,16 @@ func (t *TailscaleInContainer) FailingPeersAsString() (string, bool, error) {
 // WaitForNeedsLogin blocks until the Tailscale (tailscaled) instance has
 // started and needs to be logged into.
 func (t *TailscaleInContainer) WaitForNeedsLogin() error {
-	return t.pool.Retry(func() error {
-		status, err := t.Status()
-		if err != nil {
-			return errTailscaleStatus(t.hostname, err)
-		}
-
-		// ipnstate.Status.CurrentTailnet was added in Tailscale 1.22.0
-		// https://github.com/tailscale/tailscale/pull/3865
-		//
-		// Before that, we can check the BackendState to see if the
-		// tailscaled daemon is connected to the control system.
-		if status.BackendState == "NeedsLogin" {
-			return nil
-		}
-
-		return errTailscaledNotReadyForLogin
-	})
+	return t.waitForBackendState("NeedsLogin")
 }
 
 // WaitForRunning blocks until the Tailscale (tailscaled) instance is logged in
 // and ready to be used.
 func (t *TailscaleInContainer) WaitForRunning() error {
+	return t.waitForBackendState("Running")
+}
+
+func (t *TailscaleInContainer) waitForBackendState(state string) error {
 	return t.pool.Retry(func() error {
 		status, err := t.Status()
 		if err != nil {
@@ -859,7 +859,7 @@ func (t *TailscaleInContainer) WaitForRunning() error {
 		//
 		// Before that, we can check the BackendState to see if the
 		// tailscaled daemon is connected to the control system.
-		if status.BackendState == "Running" {
+		if status.BackendState == state {
 			return nil
 		}
 

integration/utils.go

@@ -200,18 +200,15 @@ func assertValidNetmap(t *testing.T, client TailscaleClient) {
 	assert.NotEmptyf(t, netmap.SelfNode.AllowedIPs(), "%q does not have any allowed IPs", client.Hostname())
 	assert.NotEmptyf(t, netmap.SelfNode.Addresses(), "%q does not have any addresses", client.Hostname())
 
-	if netmap.SelfNode.Online() != nil {
-		assert.Truef(t, *netmap.SelfNode.Online(), "%q is not online", client.Hostname())
-	} else {
-		t.Errorf("Online should not be nil for %s", client.Hostname())
-	}
+	assert.Truef(t, netmap.SelfNode.Online().Get(), "%q is not online", client.Hostname())
 
 	assert.Falsef(t, netmap.SelfNode.Key().IsZero(), "%q does not have a valid NodeKey", client.Hostname())
 	assert.Falsef(t, netmap.SelfNode.Machine().IsZero(), "%q does not have a valid MachineKey", client.Hostname())
 	assert.Falsef(t, netmap.SelfNode.DiscoKey().IsZero(), "%q does not have a valid DiscoKey", client.Hostname())
 
 	for _, peer := range netmap.Peers {
-		assert.NotEqualf(t, "127.3.3.40:0", peer.DERP(), "peer (%s) has no home DERP in %q's netmap, got: %s", peer.ComputedName(), client.Hostname(), peer.DERP())
+		assert.NotEqualf(t, "127.3.3.40:0", peer.LegacyDERPString(), "peer (%s) has no home DERP in %q's netmap, got: %s", peer.ComputedName(), client.Hostname(), peer.LegacyDERPString())
+		assert.NotEqualf(t, 0, peer.HomeDERP(), "peer (%s) has no home DERP in %q's netmap, got: %d", peer.ComputedName(), client.Hostname(), peer.HomeDERP())
 
 		assert.Truef(t, peer.Hostinfo().Valid(), "peer (%s) of %q does not have Hostinfo", peer.ComputedName(), client.Hostname())
 		if hi := peer.Hostinfo(); hi.Valid() {
@@ -228,7 +225,7 @@ func assertValidNetmap(t *testing.T, client TailscaleClient) {
 		assert.NotEmptyf(t, peer.AllowedIPs(), "peer (%s) of %q does not have any allowed IPs", peer.ComputedName(), client.Hostname())
 		assert.NotEmptyf(t, peer.Addresses(), "peer (%s) of %q does not have any addresses", peer.ComputedName(), client.Hostname())
 
-		assert.Truef(t, *peer.Online(), "peer (%s) of %q is not online", peer.ComputedName(), client.Hostname())
+		assert.Truef(t, peer.Online().Get(), "peer (%s) of %q is not online", peer.ComputedName(), client.Hostname())
 
 		assert.Falsef(t, peer.Key().IsZero(), "peer (%s) of %q does not have a valid NodeKey", peer.ComputedName(), client.Hostname())
 		assert.Falsef(t, peer.Machine().IsZero(), "peer (%s) of %q does not have a valid MachineKey", peer.ComputedName(), client.Hostname())
@@ -264,7 +261,7 @@ func assertValidStatus(t *testing.T, client TailscaleClient) {
 
 	assert.Truef(t, status.Self.InNetworkMap, "%q is not in network map", client.Hostname())
 
-	// This isnt really relevant for Self as it wont be in its own socket/wireguard.
+	// This isn't really relevant for Self as it won't be in its own socket/wireguard.
 	// assert.Truef(t, status.Self.InMagicSock, "%q is not tracked by magicsock", client.Hostname())
 	// assert.Truef(t, status.Self.InEngine, "%q is not in in wireguard engine", client.Hostname())
 

mkdocs.yml

@@ -11,7 +11,7 @@ repo_name: juanfont/headscale
 repo_url: https://github.com/juanfont/headscale
 
 # Copyright
-copyright: Copyright © 2024 Headscale authors
+copyright: Copyright © 2025 Headscale authors
 
 # Configuration
 theme:
@@ -106,7 +106,7 @@ extra:
     - icon: fontawesome/brands/discord
       link: https://discord.gg/c84AZQhmpx
   headscale:
-    version: 0.23.0
+    version: 0.24.0
 
 # Extensions
 markdown_extensions: