From c5f3d5c28d628ef675210d172915751016f2b504 Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Thu, 11 Jun 2026 09:43:29 +0000 Subject: [PATCH] auth: clamp logout expiry to now Tailscale sends the sentinel time.Unix(123, 0) on logout; storing it verbatim propagates a 1970 KeyExpiry to every peer's netmap. Same semantics (expired as of now), saner logs and debug dumps. --- hscontrol/auth.go | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/hscontrol/auth.go b/hscontrol/auth.go index 699872a8..a6f39666 100644 --- a/hscontrol/auth.go +++ b/hscontrol/auth.go @@ -225,7 +225,16 @@ func (h *Headscale) handleLogout( // Update the internal state with the nodes new expiry, meaning it is // logged out. + // + // Clamp the client-supplied value to now: Tailscale sends the + // sentinel time.Unix(123, 0) on logout (controlclient/direct.go), + // and storing it verbatim propagates a 1970 KeyExpiry to every + // peer's netmap. Semantically identical (expired as of now), but + // sane in logs, debug dumps, and peer netmaps. expiry := req.Expiry + if now := time.Now(); expiry.Before(now) { + expiry = now + } updatedNode, c, err := h.state.SetNodeExpiry(node.ID(), &expiry) if err != nil {