fix(gateway): remove re-introduced auth.mode=none pairing bypass

The revert of #43478 (commit 39b4185d0b) was silently undone by 3704293e6f which was based on a branch that included the original change. This removes the auth.mode=none skipPairing condition again. The blanket skip was too broad - it disabled pairing for ALL websocket clients, not just Control UI behind reverse proxies.
2026-03-15 00:46:24 +01:00 · 2026-03-15 00:46:24 +01:00 · 92fc8065e9
parent b5b589d99d
commit 92fc8065e9
1 changed files with 1 additions and 5 deletions
--- a/src/gateway/server/ws-connection/message-handler.ts
+++ b/src/gateway/server/ws-connection/message-handler.ts
@ -674,18 +674,14 @@ export function attachGatewayWsMessageHandler(params: {
          authOk,
          authMethod,
        });
-        // auth.mode=none disables all authentication — device pairing is an
-        // auth mechanism and must also be skipped when the operator opted out.
        const skipPairing =
-          resolvedAuth.mode === "none" ||
          shouldSkipBackendSelfPairing({
            connectParams,
            isLocalClient,
            hasBrowserOriginHeader,
            sharedAuthOk,
            authMethod,
-          }) ||
-          shouldSkipControlUiPairing(controlUiAuthPolicy, role, trustedProxyAuthOk);
+          }) || shouldSkipControlUiPairing(controlUiAuthPolicy, role, trustedProxyAuthOk);
        if (device && devicePublicKey && !skipPairing) {
          const formatAuditList = (items: string[] | undefined): string => {
            if (!items || items.length === 0) {