[Security] Authentication Configuration

[im23pds]

1. Insecure Authentication Configuration

File: scripts/nemoclaw-start.sh:36-40

Issue: The Gateway configuration contains insecure authentication options.

gateway['controlUi'] = {
'allowInsecureAuth': True,
'dangerouslyDisableDeviceAuth': True,
'allowedOrigins': origins,
}

Impact:

May lead to unauthorized access during production deployment.

dangerouslyDisableDeviceAuth may bypass device verification.

Combined with allowedOrigins, it may be exploited for authentication bypass.

Recommendation: Disable these options in production environments and use strict authentication mechanisms.

[jyaunches]

Update: New PR supersedes #123

PR #123 correctly identified all three issues here but targets code paths that have since moved. Specifically, commit 0f8eedd ("make openclaw.json immutable at runtime, move config to build time") relocated the controlUi gateway configuration from scripts/nemoclaw-start.sh into the Dockerfile — PR #123 would patch dead code for 2 of its 3 fixes.

New PR: #1217 applies the same security hardening where the code actually lives now:

• dangerouslyDisableDeviceAuth → defaults to false in the Dockerfile (opt-in via NEMOCLAW_DISABLE_DEVICE_AUTH=1 build arg)
• allowInsecureAuth → derived from CHAT_UI_URL scheme in the Dockerfile (false for https://)
• Auto-pair whitelisting → restricts approval to known clientId/clientMode in nemoclaw-start.sh

Includes 13 new tests covering all three fixes.

Recommendation: Close #123 in favor of #1217.