From d33f88df82f8aa6743001950fd9254f07c469126 Mon Sep 17 00:00:00 2001
From: Pascal Fischer <32096965+pascal-fischer@users.noreply.github.com>
Date: Fri, 5 Sep 2025 18:11:23 +0200
Subject: [PATCH] [management] only allow user devices to be expired (#4445)

---
 management/server/account.go | 4 +++-
 management/server/user.go    | 5 +++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/management/server/account.go b/management/server/account.go
index d9638b41a..ee9f294a4 100644
--- a/management/server/account.go
+++ b/management/server/account.go
@@ -1714,7 +1714,9 @@ func (am *DefaultAccountManager) onPeersInvalidated(ctx context.Context, account
 			log.WithContext(ctx).Errorf("failed to get invalidated peer %s for account %s: %v", peerID, accountID, err)
 			continue
 		}
-		peers = append(peers, peer)
+		if peer.UserID != "" {
+			peers = append(peers, peer)
+		}
 	}
 	if len(peers) > 0 {
 		err := am.expireAndUpdatePeers(ctx, accountID, peers)
diff --git a/management/server/user.go b/management/server/user.go
index 04b2ce2d0..3c7c3f433 100644
--- a/management/server/user.go
+++ b/management/server/user.go
@@ -942,6 +942,11 @@ func (am *DefaultAccountManager) expireAndUpdatePeers(ctx context.Context, accou
 		// nolint:staticcheck
 		ctx = context.WithValue(ctx, nbContext.PeerIDKey, peer.Key)
 
+		if peer.UserID == "" {
+			// we do not want to expire peers that are added via setup key
+			continue
+		}
+
 		if peer.Status.LoginExpired {
 			continue
 		}