fix(node): avoid stale TLS pins when retargeting

2026-05-29 19:59:32 +00:00 · 2026-05-24 02:17:45 +01:00
parent 97c63e63b1
commit 679b6776d5
2 changed files with 36 additions and 5 deletions
--- a/src/cli/node-cli/register.test.ts
+++ b/src/cli/node-cli/register.test.ts
@@ -103,4 +103,34 @@ describe("registerNodeCli", () => {
      expect.objectContaining({ gatewayHost: "10.0.0.2", gatewayPort: 19001 }),
    );
  });
+
+  it("inherits saved TLS settings only when using the saved gateway endpoint", async () => {
+    daemonMocks.loadNodeHostConfig.mockResolvedValue({
+      version: 1,
+      nodeId: "node-existing",
+      gateway: {
+        host: "10.0.0.2",
+        port: 19001,
+        tls: true,
+        tlsFingerprint: "old-fingerprint",
+      },
+    });
+
+    await createProgram().parseAsync(["node", "run"], { from: "user" });
+    expect(daemonMocks.runNodeHost).toHaveBeenLastCalledWith(
+      expect.objectContaining({
+        gatewayTls: true,
+        gatewayTlsFingerprint: "old-fingerprint",
+      }),
+    );
+
+    await createProgram().parseAsync(["node", "run", "--host", "10.0.0.3"], { from: "user" });
+    expect(daemonMocks.runNodeHost).toHaveBeenLastCalledWith(
+      expect.objectContaining({
+        gatewayHost: "10.0.0.3",
+        gatewayTls: undefined,
+        gatewayTlsFingerprint: undefined,
+      }),
+    );
+  });
 });
--- a/src/cli/node-cli/register.ts
+++ b/src/cli/node-cli/register.ts
@@ -64,15 +64,16 @@ export function registerNodeCli(program: Command) {
        defaultRuntime.exit(1);
        return;
      }
+      const retargetedGateway = opts.host !== undefined || opts.port !== undefined;
+      const tlsFingerprint =
+        opts.tlsFingerprint ?? (retargetedGateway ? undefined : existing?.gateway?.tlsFingerprint);
+      const inheritedTls = retargetedGateway ? undefined : existing?.gateway?.tls;
      await runNodeHost({
        gatewayHost: host,
        gatewayPort: port,
        gatewayTls:
-          typeof opts.tls === "boolean"
-            ? opts.tls
-            : Boolean(opts.tlsFingerprint ?? existing?.gateway?.tlsFingerprint) ||
-              existing?.gateway?.tls,
-        gatewayTlsFingerprint: opts.tlsFingerprint ?? existing?.gateway?.tlsFingerprint,
+          typeof opts.tls === "boolean" ? opts.tls : Boolean(tlsFingerprint) || inheritedTls,
+        gatewayTlsFingerprint: tlsFingerprint,
        nodeId: opts.nodeId,
        displayName: opts.displayName,
      });