nyrn
/
openclaw
mirror of https://github.com/openclaw/openclaw.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix(gateway): remove re-introduced auth.mode=none pairing bypass 

The revert of #43478 (commit 39b4185d0b) was silently undone by
3704293e6f which was based on a branch that included the original
change. This removes the auth.mode=none skipPairing condition again.

The blanket skip was too broad - it disabled pairing for ALL websocket
clients, not just Control UI behind reverse proxies.
This commit is contained in:
Andrew Demczuk 2026-03-15 00:46:24 +01:00 committed by GitHub
parent b5b589d99d
commit 92fc8065e9
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 1 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/gateway/server/ws-connection/message-handler.ts
View File

@ -674,18 +674,14 @@ export function attachGatewayWsMessageHandler(params: {
authOk, authOk,
authMethod, authMethod,
}); });
// auth.mode=none disables all authentication — device pairing is an
// auth mechanism and must also be skipped when the operator opted out.
const skipPairing = const skipPairing =
resolvedAuth.mode === "none" ||
shouldSkipBackendSelfPairing({ shouldSkipBackendSelfPairing({
connectParams, connectParams,
isLocalClient, isLocalClient,
hasBrowserOriginHeader, hasBrowserOriginHeader,
sharedAuthOk, sharedAuthOk,
authMethod, authMethod,
}) || }) || shouldSkipControlUiPairing(controlUiAuthPolicy, role, trustedProxyAuthOk);
shouldSkipControlUiPairing(controlUiAuthPolicy, role, trustedProxyAuthOk);
if (device && devicePublicKey && !skipPairing) { if (device && devicePublicKey && !skipPairing) {
const formatAuditList = (items: string[] | undefined): string => { const formatAuditList = (items: string[] | undefined): string => {
if (!items || items.length === 0) { if (!items || items.length === 0) {