fix: trust device-token auth for internal backend attestation

2026-03-12 19:11:05 +00:00 · 2026-03-12 19:11:05 +00:00 · a390cd1a0a
parent 9f63b4c460
commit a390cd1a0a
2 changed files with 20 additions and 1 deletions
--- a/src/gateway/server/ws-connection/connect-policy.test.ts
+++ b/src/gateway/server/ws-connection/connect-policy.test.ts
@ -424,6 +424,20 @@ describe("ws connect policy", () => {
      }),
    ).toBe(false);

+    // Backend client authenticating via device-token (derived from initial shared-secret pairing) is trusted.
+    expect(
+      shouldSkipBackendSelfPairing({
+        connectParams: makeConnectParams(
+          GATEWAY_CLIENT_IDS.GATEWAY_CLIENT,
+          GATEWAY_CLIENT_MODES.BACKEND,
+        ),
+        isLocalClient: true,
+        hasBrowserOriginHeader: false,
+        sharedAuthOk: true,
+        authMethod: "device-token",
+      }),
+    ).toBe(true);
+
    // Remote backend client (gateway.mode=remote) with valid shared-secret auth is trusted.
    expect(
      shouldSkipBackendSelfPairing({
--- a/src/gateway/server/ws-connection/connect-policy.ts
+++ b/src/gateway/server/ws-connection/connect-policy.ts
@ -90,7 +90,12 @@ export function shouldSkipBackendSelfPairing(params: {
  if (!isGatewayBackendClient) {
    return false;
  }
-  const usesSharedSecretAuth = params.authMethod === "token" || params.authMethod === "password";
+  // device-token is a derived credential issued after initial shared-secret pairing, so it
+  // carries equivalent trust for the internal backend path.
+  const usesSharedSecretAuth =
+    params.authMethod === "token" ||
+    params.authMethod === "password" ||
+    params.authMethod === "device-token";
  // When auth is disabled entirely (mode="none"), there is no shared secret to verify, but a
  // local client with no browser origin and the correct gateway-client/backend identity is still
  // a trusted internal connection.