fix(gateway): derive inter-session attestation from handshake trust

2026-03-12 16:35:33 +00:00 · 2026-03-12 16:35:33 +00:00 · 91de302a70
parent ba5fe7130d
commit 91de302a70
1 changed files with 12 additions and 10 deletions
--- a/src/gateway/server/ws-connection/message-handler.ts
+++ b/src/gateway/server/ws-connection/message-handler.ts
@ -674,14 +674,18 @@ export function attachGatewayWsMessageHandler(params: {
          authOk,
          authMethod,
        });
+        const isInternalBackendClient = shouldSkipBackendSelfPairing({
+          connectParams,
+          isLocalClient,
+          hasBrowserOriginHeader,
+          sharedAuthOk,
+          authMethod,
+        });
+        // auth.mode=none disables all authentication — device pairing is an
+        // auth mechanism and must also be skipped when the operator opted out.
        const skipPairing =
-          shouldSkipBackendSelfPairing({
-            connectParams,
-            isLocalClient,
-            hasBrowserOriginHeader,
-            sharedAuthOk,
-            authMethod,
-          }) ||
+          resolvedAuth.mode === "none" ||
+          isInternalBackendClient ||
          shouldSkipControlUiPairing(
            controlUiAuthPolicy,
            role,
@ -990,9 +994,7 @@ export function attachGatewayWsMessageHandler(params: {
          canvasHostUrl,
          canvasCapability,
          canvasCapabilityExpiresAtMs,
-          isInternalBackendClient:
-            connectParams.client.id === GATEWAY_CLIENT_IDS.GATEWAY_CLIENT &&
-            connectParams.client.mode === GATEWAY_CLIENT_MODES.BACKEND,
+          isInternalBackendClient,
        };
        setSocketMaxPayload(socket, MAX_PAYLOAD_BYTES);
        setClient(nextClient);