
feat: skip device-identity for operators when private-ingress no-auth is on #3

Open
shivammittal274 wants to merge 1 commit into browseros from feat/private-ingress-no-auth-pairing-bypass


@shivammittal274

Follow-up to #1. With auth.mode=none and OPENCLAW_GATEWAY_PRIVATE_INGRESS_NO_AUTH=1, HTTP works without a token but WS connect still fails with DEVICE_IDENTITY_REQUIRED because evaluateMissingDeviceIdentity only allows device-less operators when sharedAuthOk=true, which auth.mode=none never makes true.

This patch extends the same env-gated bypass to the device-identity decision: when gateway is running with auth.mode=none, an operator-role WS connect without a paired device is allowed. Scope is operator-only — node-role registrations must still satisfy device identity. authMode is added as a new optional parameter on evaluateMissingDeviceIdentity; existing callers fall through unchanged.

Tests: 8/8 pass in connect-policy.test.ts including the new test covering operator+none allow, missing-authMode regression, operator+token unchanged, and node+none still rejected. Empirically verified the PoC failure against 2026.4.28-browseros.2-arm64.

…end operators

Follow-up to #1. PR #1 added gateway.auth.mode=none + the
OPENCLAW_GATEWAY_PRIVATE_INGRESS_NO_AUTH env opt-in so HTTP clients can
talk to the gateway without a token. WebSocket clients still hit the
device-identity gate during connect handshake — `evaluateMissingDeviceIdentity`
only allows device-less operators when `sharedAuthOk=true`, which auth.mode=none
never makes true. Result: the BrowserOS backend can hit /v1/* over HTTP but
its WS observer connection is rejected with DEVICE_IDENTITY_REQUIRED, which
defeats the unified-transport goal of #1 (PoC verified empirically against
2026.4.28-browseros.2-arm64).

This patch extends the same env-gated bypass to the device-identity
decision. When the gateway is running with auth.mode=none, an operator-role
WS connect without a paired device is allowed. The runtime startup gate in
server-runtime-config.ts already required the env var for any non-loopback
bind to boot with auth.mode=none, so reaching this branch means the embedding
runtime explicitly opted into "I own the network boundary, skip auth entirely".
Pairing-as-hygiene adds no security in that configuration: any client reaching
the bind already needs no credentials.

Scope to operator role only — node-role registrations must still satisfy
device identity, matching the controlUiAuthPolicy.allowBypass shape directly
above this branch.

Threading: `authMode` is a new optional parameter on
`evaluateMissingDeviceIdentity`. The single call site in `message-handler.ts`
passes `resolvedAuth.mode` through; existing callers without the parameter
fall through to the previous behavior unchanged.

Test plan
- bun test src/gateway/server/ws-connection/connect-policy.test.ts
  (8/8 pass — new test "auth.mode=none skips device identity for operator
  role only" covers: operator allow, missing-authMode regression, non-"none"
  authMode regression, node-role still rejected)
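
The decision this PR describes, modelled as an added TypeScript example (not the project's code). `decideMissingDevice`, its types, and the `reason` strings are hypothetical; only `sharedAuthOk`, `authMode`, the operator/node roles and `DEVICE_IDENTITY_REQUIRED` come from the description above.

```typescript
// Illustrative model only. The real evaluateMissingDeviceIdentity signature is
// not shown on this page; every name here except the ones noted is an assumption.
type Role = "operator" | "node";
type AuthMode = "none" | "token";

interface MissingDeviceInput {
  role: Role;
  sharedAuthOk: boolean; // true only when a shared credential was verified
  authMode?: AuthMode;   // optional, so call sites that omit it keep old behavior
}

type Decision =
  | { kind: "allow"; reason: string }
  | { kind: "reject"; code: "DEVICE_IDENTITY_REQUIRED" };

function decideMissingDevice(input: MissingDeviceInput): Decision {
  // Previous behavior: a device-less operator passes only with verified shared auth.
  if (input.role === "operator" && input.sharedAuthOk) {
    return { kind: "allow", reason: "shared-auth" };
  }
  // Branch described in the PR: auth.mode=none lets a device-less operator through.
  // The role check comes first so a node registration can never reach this allow.
  if (input.role === "operator" && input.authMode === "none") {
    return { kind: "allow", reason: "auth-mode-none" };
  }
  // Everything else, including node role under auth.mode=none, is still rejected.
  return { kind: "reject", code: "DEVICE_IDENTITY_REQUIRED" };
}

// Constructed cases mirroring the four listed in the test plan.
const CASES: Array<[string, MissingDeviceInput]> = [
  ["operator + none", { role: "operator", sharedAuthOk: false, authMode: "none" }],
  ["operator + authMode omitted", { role: "operator", sharedAuthOk: false }],
  ["operator + token", { role: "operator", sharedAuthOk: false, authMode: "token" }],
  ["node + none", { role: "node", sharedAuthOk: false, authMode: "none" }],
];

function evaluateCases(): string[] {
  return CASES.map(([label, input]) => `${label}: ${decideMissingDevice(input).kind}`);
}

console.log(evaluateCases().join("\n"));
```

The model's allow branch keys on `authMode` alone; the env-var requirement the description relies on is enforced at startup, outside this decision.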