fix: allow remote backend clients with shared-secret auth as internal

2026-03-12 18:54:14 +00:00 · 2026-03-12 18:54:14 +00:00 · 9f63b4c460
parent 42284cc2da
commit 9f63b4c460
2 changed files with 36 additions and 4 deletions
--- a/src/gateway/server/ws-connection/connect-policy.test.ts
+++ b/src/gateway/server/ws-connection/connect-policy.test.ts
@ -332,6 +332,7 @@ describe("ws connect policy", () => {
      }),
    ).toBe(true);

+    // Remote backend client with valid shared-secret auth is now trusted (gateway.mode=remote support).
    expect(
      shouldSkipBackendSelfPairing({
        connectParams: makeConnectParams(
@ -343,7 +344,7 @@ describe("ws connect policy", () => {
        sharedAuthOk: true,
        authMethod: "token",
      }),
-    ).toBe(false);
+    ).toBe(true);

    expect(
      shouldSkipBackendSelfPairing({
@ -423,6 +424,34 @@ describe("ws connect policy", () => {
      }),
    ).toBe(false);

+    // Remote backend client (gateway.mode=remote) with valid shared-secret auth is trusted.
+    expect(
+      shouldSkipBackendSelfPairing({
+        connectParams: makeConnectParams(
+          GATEWAY_CLIENT_IDS.GATEWAY_CLIENT,
+          GATEWAY_CLIENT_MODES.BACKEND,
+        ),
+        isLocalClient: false,
+        hasBrowserOriginHeader: false,
+        sharedAuthOk: true,
+        authMethod: "token",
+      }),
+    ).toBe(true);
+
+    // Remote backend client with browser origin header is still rejected.
+    expect(
+      shouldSkipBackendSelfPairing({
+        connectParams: makeConnectParams(
+          GATEWAY_CLIENT_IDS.GATEWAY_CLIENT,
+          GATEWAY_CLIENT_MODES.BACKEND,
+        ),
+        isLocalClient: false,
+        hasBrowserOriginHeader: true,
+        sharedAuthOk: true,
+        authMethod: "token",
+      }),
+    ).toBe(false);
+
    // auth.mode="none" with browser origin header is still rejected (hasBrowserOriginHeader=true).
    expect(
      shouldSkipBackendSelfPairing({
--- a/src/gateway/server/ws-connection/connect-policy.ts
+++ b/src/gateway/server/ws-connection/connect-policy.ts
@ -93,12 +93,15 @@ export function shouldSkipBackendSelfPairing(params: {
  const usesSharedSecretAuth = params.authMethod === "token" || params.authMethod === "password";
  // When auth is disabled entirely (mode="none"), there is no shared secret to verify, but a
  // local client with no browser origin and the correct gateway-client/backend identity is still
-  // a trusted internal connection. Allow attestation in that case too.
+  // a trusted internal connection.
  const authIsDisabled = params.authMethod === "none";
+  // Remote backend clients (gateway.mode=remote) connecting with a valid shared-secret credential
+  // are trusted too — isLocalClient is false for remote gateways but the shared secret provides
+  // equivalent trust. Only the auth-disabled path is restricted to local connections, because
+  // remote + no-auth would be a security hole.
  return (
-    params.isLocalClient &&
    !params.hasBrowserOriginHeader &&
-    ((params.sharedAuthOk && usesSharedSecretAuth) || authIsDisabled)
+    ((params.sharedAuthOk && usesSharedSecretAuth) || (params.isLocalClient && authIsDisabled))
  );
 }