fix(gateway): attest authenticated remote backends

2026-03-15 12:47:22 +00:00 · 2026-03-15 12:47:22 +00:00 · 4101ea9676
parent 279c33fb7e
commit 4101ea9676
2 changed files with 43 additions and 0 deletions
--- a/src/gateway/server/ws-connection/connect-policy.test.ts
+++ b/src/gateway/server/ws-connection/connect-policy.test.ts
@ -700,4 +700,39 @@ describe("ws connect policy", () => {
      }),
    ).toBe(false);
  });
+
+  test("attests authenticated remote backend clients for inter_session", () => {
+    const backendConnect: ConnectParams = {
+      client: {
+        id: GATEWAY_CLIENT_IDS.GATEWAY_CLIENT,
+        mode: GATEWAY_CLIENT_MODES.BACKEND,
+        version: "1.0.0",
+        platform: "node",
+      },
+      minProtocol: 1,
+      maxProtocol: 1,
+    };
+
+    for (const authMethod of ["token", "password", "device-token", "tailscale"] as const) {
+      expect(
+        resolveInternalBackendClientAttestation({
+          connectParams: backendConnect,
+          hasBrowserOriginHeader: false,
+          initialIsInternalBackendClient: false,
+          authMethod,
+          deviceTokenIssued: false,
+        }),
+      ).toBe(true);
+    }
+
+    expect(
+      resolveInternalBackendClientAttestation({
+        connectParams: backendConnect,
+        hasBrowserOriginHeader: true,
+        initialIsInternalBackendClient: false,
+        authMethod: "token",
+        deviceTokenIssued: false,
+      }),
+    ).toBe(false);
+  });
 });
--- a/src/gateway/server/ws-connection/connect-policy.ts
+++ b/src/gateway/server/ws-connection/connect-policy.ts
@ -130,6 +130,14 @@ export function resolveInternalBackendClientAttestation(params: {
  if (!isGatewayBackendClient || params.hasBrowserOriginHeader) {
    return false;
  }
+  if (
+    params.authMethod === "token" ||
+    params.authMethod === "password" ||
+    params.authMethod === "device-token" ||
+    params.authMethod === "tailscale"
+  ) {
+    return true;
+  }
  return params.authMethod === "bootstrap-token" && params.deviceTokenIssued;
 }