Skip to content

fix(gateway): allow loopback node-role sessions without device identity#848

Open
BingqingLyu wants to merge 2 commits intomainfrom
fork-pr-48285-fix-loopback-node-device-identity
Open

fix(gateway): allow loopback node-role sessions without device identity#848
BingqingLyu wants to merge 2 commits intomainfrom
fork-pr-48285-fix-loopback-node-device-identity

Conversation

@BingqingLyu
Copy link
Copy Markdown
Owner

@BingqingLyu BingqingLyu commented Apr 27, 2026
edited
Loading

Summary

  • Problem: Since v2026.3.12, internal services (cron, sessions_spawn, ACP tools) connecting from 127.0.0.1 with node role are rejected with "device identity required" — regardless of gateway.auth.mode.
  • Root cause: evaluateMissingDeviceIdentity has no loopback exemption for node role. The function's Control UI paths (trustedProxyAuthOk, allowBypass, allowInsecureAuth) all gate on isControlUi, which is false for internal services. roleCanSkipDeviceIdentity only passes for operator, so node always falls through to reject-device-required.
  • Fix: Allow authenticated loopback node-role sessions without device identity. Device identity prevents MitM on network connections; loopback has no network attack surface.

Change Type (select all)

  • Bug fix
  • Feature
  • Refactor
  • Docs
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Gateway / orchestration
  • Skills / tool execution
  • Auth / tokens
  • Memory / storage
  • Integrations
  • API / contracts
  • UI / DX
  • CI/CD / infra

Linked Issue/PR

User-visible / Behavior Changes

  • Internal services (cron jobs, sessions_spawn, ACP tool calls) connecting from loopback now work on v2026.3.12+ without device identity, restoring pre-v2026.3.12 behavior.

Security Impact (required)

  • New permissions/capabilities? (Yes/No): No
  • Secrets/tokens handling changed? (Yes/No): No
  • New/changed network calls? (Yes/No): No
  • Command/tool execution surface changed? (Yes/No): No
  • Data access scope changed? (Yes/No): No

Repro + Verification

Environment

  • OS: Linux (Hetzner VPS), also tested on macOS
  • Runtime: Node 22, npm global install
  • Integration: Telegram channel, cron scheduler
  • Config: gateway.auth.mode: "none" (also tested with token and trusted-proxy)

Steps

  1. Install OpenClaw v2026.3.13, configure cron.enabled: true
  2. Create a cron job via chat: "remind me in 1 minute to check this"
  3. Observe gateway log: [ws] closed before connect ... remote=127.0.0.1 code=1008 reason=pairing required

Expected

  • Cron fires, reminder delivered.

Actual

  • Cron service cannot connect to gateway — all internal WS connections from loopback rejected.

Evidence

Test matrix (production VPS, v2026.3.13)

auth.mode External auth Cron ACP sessions_spawn
trusted-proxy CF Access header ❌ device-required
token Gateway token ❌ device-required
none No auth ❌ device-required

After fix

[manage-api] cron job fired successfully — reminder delivered via Telegram
  • Failing test/log before + passing after
  • Trace/log snippets
  • Screenshot/recording
  • Perf numbers

Human Verification (required)

  • Verified: loopback node connections (cron, sessions_spawn) succeed after patch
  • Verified: remote node connections still rejected (device-required)
  • Verified: loopback node with bad auth still rejected (reject-unauthorized)
  • Verified: all existing connect-policy tests pass + 4 new tests
  • Not verified: E2E with auth.mode=token + internal cron (tested with none only)

Review Conversations

  • N/A (new PR)

Compatibility / Migration

  • Backward compatible? (Yes/No): Yes
  • Config/env changes? (Yes/No): No
  • Migration needed? (Yes/No): No

Failure Recovery (if this breaks)

  • Revert this PR to restore previous behavior.
  • The change is a single if guard in evaluateMissingDeviceIdentity — no config or state changes.

Risks and Mitigations

  • Risk: Loopback node connections bypass device identity gate.
    • Mitigation: Only node role + loopback + authOk — auth is still enforced. Device identity prevents network MitM, which is irrelevant on loopback. Remote node connections unchanged.
  • Risk: authOk is always true for auth.mode=none, so any loopback node connection is allowed.
    • Mitigation: auth.mode=none already allows any connection without credentials — device identity added no security value in this configuration.

Why this is separate from openclaw#45590

PR openclaw#45590 fixes the dangerouslyDisableDeviceAuth bypass for operator Control UI sessions. That fix does not help internal services because they connect with role: "node" and isControlUi: false — none of the Control UI code paths apply. This PR addresses the distinct regression for node-role loopback connections.

uli-will-code and others added 2 commits March 21, 2026 08:30
@uli-will-code @claude
fix(gateway): allow loopback node-role sessions without device identity
b26e669 
Internal services (cron, sessions_spawn, ACP tools) connect from
127.0.0.1 with node role and cannot present device identity. Since
v2026.3.12 the evaluateMissingDeviceIdentity gate rejects these
connections with "device identity required", breaking all internal
service capabilities for headless/server deployments.

Device identity prevents MitM on network connections; loopback has no
network attack surface. This change allows authenticated loopback
node-role sessions through without device identity while preserving
all existing constraints:

- Remote node connections still require device identity
- Loopback node connections with failed auth are still rejected
- dangerouslyDisableDeviceAuth scope unchanged (operator Control UI only)
- Operator role checks unchanged

Closes openclaw#45504

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@uli-will-code @claude
fix(gateway): skip backend self-pairing for auth.mode=none on loopback
6607254 
The cron rejection is actually in shouldSkipBackendSelfPairing, not
evaluateMissingDeviceIdentity.  When auth.mode=none, authMethod is
"none" which matches neither token/password nor device-token, so the
backend self-pairing skip never triggers.  The cron client provides
device identity, passes the device-identity gate, but then fails at
the pairing step with "pairing required".

Add usesNoAuth to the skip condition: when the gateway is explicitly
configured with no auth, its own backend services on loopback should
not require pairing.  The isGatewayBackendClient + isLocalClient +
!hasBrowserOriginHeader guards are sufficient.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: 2026.3.12: openclaw devices list / devices approve fail against local loopback gateway, while web UI remains functional

2 participants

@BingqingLyu @uli-will-code