[management] only allow user devices to be expired (#4445)

pascal-fischer · web-flow · commit d33f88df82f8 · 2025-09-05T18:11:23.000+02:00
diff --git a/management/server/account.go b/management/server/account.go
@@ -1714,7 +1714,9 @@ func (am *DefaultAccountManager) onPeersInvalidated(ctx context.Context, account
 			log.WithContext(ctx).Errorf("failed to get invalidated peer %s for account %s: %v", peerID, accountID, err)
 			continue
 		}
-		peers = append(peers, peer)
+		if peer.UserID != "" {
+			peers = append(peers, peer)
+		}
 	}
 	if len(peers) > 0 {
 		err := am.expireAndUpdatePeers(ctx, accountID, peers)
diff --git a/management/server/user.go b/management/server/user.go
@@ -942,6 +942,11 @@ func (am *DefaultAccountManager) expireAndUpdatePeers(ctx context.Context, accou
 		// nolint:staticcheck
 		ctx = context.WithValue(ctx, nbContext.PeerIDKey, peer.Key)
 
+		if peer.UserID == "" {
+			// we do not want to expire peers that are added via setup key
+			continue
+		}
+
 		if peer.Status.LoginExpired {
 			continue
 		}

Original file line number	Diff line number	Diff line change
`@@ -1714,7 +1714,9 @@ func (am *DefaultAccountManager) onPeersInvalidated(ctx context.Context, account`
`1714`	`1714`	`log.WithContext(ctx).Errorf("failed to get invalidated peer %s for account %s: %v", peerID, accountID, err)`
`1715`	`1715`	`continue`
`1716`	`1716`	`}`
`1717`		`- peers = append(peers, peer)`
	`1717`	`+ if peer.UserID != "" {`
	`1718`	`+ peers = append(peers, peer)`
	`1719`	`+ }`
`1718`	`1720`	`}`
`1719`	`1721`	`if len(peers) > 0 {`
`1720`	`1722`	`err := am.expireAndUpdatePeers(ctx, accountID, peers)`