diff --git a/src/gateway/server/ws-connection/connect-policy.test.ts b/src/gateway/server/ws-connection/connect-policy.test.ts
index 23dc38fbbea..9fd46737fe1 100644
--- a/src/gateway/server/ws-connection/connect-policy.test.ts
+++ b/src/gateway/server/ws-connection/connect-policy.test.ts
@@ -700,4 +700,39 @@ describe("ws connect policy", () => {
 }),
 ).toBe(false);
 });
+
+ test("attests authenticated remote backend clients for inter_session", () => {
+ const backendConnect: ConnectParams = {
+ client: {
+ id: GATEWAY_CLIENT_IDS.GATEWAY_CLIENT,
+ mode: GATEWAY_CLIENT_MODES.BACKEND,
+ version: "1.0.0",
+ platform: "node",
+ },
+ minProtocol: 1,
+ maxProtocol: 1,
+ };
+
+ for (const authMethod of ["token", "password", "device-token", "tailscale"] as const) {
+ expect(
+ resolveInternalBackendClientAttestation({
+ connectParams: backendConnect,
+ hasBrowserOriginHeader: false,
+ initialIsInternalBackendClient: false,
+ authMethod,
+ deviceTokenIssued: false,
+ }),
+ ).toBe(true);
+ }
+
+ expect(
+ resolveInternalBackendClientAttestation({
+ connectParams: backendConnect,
+ hasBrowserOriginHeader: true,
+ initialIsInternalBackendClient: false,
+ authMethod: "token",
+ deviceTokenIssued: false,
+ }),
+ ).toBe(false);
+ });
 });
diff --git a/src/gateway/server/ws-connection/connect-policy.ts b/src/gateway/server/ws-connection/connect-policy.ts
index 9b5951fe843..3c313c35b22 100644
--- a/src/gateway/server/ws-connection/connect-policy.ts
+++ b/src/gateway/server/ws-connection/connect-policy.ts
@@ -130,6 +130,14 @@ export function resolveInternalBackendClientAttestation(params: {
 if (!isGatewayBackendClient || params.hasBrowserOriginHeader) {
 return false;
 }
+ if (
+ params.authMethod === "token" ||
+ params.authMethod === "password" ||
+ params.authMethod === "device-token" ||
+ params.authMethod === "tailscale"
+ ) {
+ return true;
+ }
 return params.authMethod === "bootstrap-token" && params.deviceTokenIssued;
 }
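Review bot: In connect-policy.test.ts the new test pins only the accepting side of the added branch plus the browser-origin rejection, so it would still pass if the policy returned true for every auth method. Unless earlier tests in this file (outside the hunk) already cover them, add two rejecting cases to the same test: `authMethod: "bootstrap-token"` with `deviceTokenIssued: false`, and a `connectParams` whose `client.mode` is not `GATEWAY_CLIENT_MODES.BACKEND` with `authMethod: "token"`, both expecting `false`. The title mentions inter_session but nothing in the body refers to it, so a short comment at the top of the test stating what the attestation is used for would tie the name to the assertions.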
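Review bot: In connect-policy.ts the new early `return true` attests a connection as an internal backend client on the strength of any ordinary credential, and the only other inputs visible in the hunk are `isGatewayBackendClient` and the absence of a browser Origin header. Judging by the test, `isGatewayBackendClient` follows the client-declared `client.id` and `client.mode`, and a non-browser client sends no Origin header by default, so every holder of a valid token, password, device token or tailscale identity can in effect self-assert backend status. `device-token` deserves the closest look, since those tokens are presumably issued to paired devices rather than to backends; consider leaving it out of the list unless the token is bound to a backend-only role. If the widening is intended, record it at the branch, e.g. `// Trust decision: any authenticated non-browser client declaring GATEWAY_CLIENT/BACKEND is attested; id and mode are self-reported.` The function starts above the hunk, so how `isGatewayBackendClient` is computed should be confirmed there.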