feat: add OpenClaw-style dashboard authentication #19959

Open
asarlashmit wants to merge 2 commits into NousResearch:main from asarlashmit:feat/openclaw-dashboard-auth

Conversation

@asarlashmit commented May 5, 2026


Summary

This PR adds OpenClaw-style authentication to the Hermes web dashboard while preserving the current localhost-first default behavior.

Features added

  • Adds a centralized DashboardAuthManager with auth modes:
    • none for the existing local-only unauthenticated UX
    • token for bearer/header token authentication
    • password for password login with ephemeral dashboard sessions
    • trusted-proxy for reverse-proxy identity headers
    • tailscale for Tailscale identity headers
  • Adds dashboard auth CLI/config/env wiring:
    • hermes dashboard --auth {none,token,password,trusted-proxy,tailscale}
    • --auth-token
    • --auth-password
    • --auth-password-hash
    • trusted-proxy and Tailscale identity header flags
    • dashboard.auth.* defaults in config
    • HERMES_DASHBOARD_AUTH_MODE, HERMES_DASHBOARD_TOKEN, HERMES_DASHBOARD_PASSWORD, and HERMES_DASHBOARD_PASSWORD_HASH
  • Keeps dashboard auth disabled by default for local-only usage:
    • plain hermes dashboard still binds to 127.0.0.1:9119
    • auth mode defaults to none
  • Adds remote-bind safety:
    • non-loopback binds like --host 0.0.0.0 refuse to start unless robust auth is enabled
    • --insecure remains available as an explicit override
  • Protects dashboard HTTP APIs, plugin routes, and dashboard WebSocket endpoints:
    • /api/pty
    • /api/ws
    • /api/pub
    • /api/events
  • Adds frontend auth UX:
    • AuthGate for token/password login
    • sessionStorage-only credential/session persistence
    • token bootstrap via URL fragment (#token=...) instead of query string
    • strips bootstrap tokens from the browser URL after capture
    • retries/recovers cleanly on 401/logout
  • Adds Docker Compose smoke coverage for dashboard auth modes.

Code changes

  • hermes_cli/dashboard_auth.py
    • New dashboard auth subsystem with token/password/session validation, identity headers, rate limiting, session TTL, env/config precedence, and auth status payloads.
  • hermes_cli/web_server.py
    • Wires dashboard auth into protected HTTP routes and WebSocket endpoints.
    • Adds public auth endpoints for status/login/logout/me.
    • Preserves localhost default behavior and blocks public binds without robust auth unless --insecure is passed.
    • Opens token-mode browser bootstrap URLs with #token= fragments.
  • hermes_cli/main.py
    • Adds hermes dashboard auth flags and merges CLI overrides with persistent config.
  • hermes_cli/config.py
    • Adds default dashboard.auth config tree.
  • web/src/components/AuthGate.tsx, web/src/lib/dashboardAuth.ts, and related web client files
    • Adds browser-side auth state, token/password login, fragment bootstrap, sessionStorage handling, and auth headers for REST/WebSocket calls.
  • docker/dashboard-auth/*
    • Adds Docker Compose smoke environment covering none/token/password/trusted-proxy/tailscale modes.
  • Tests added/updated across dashboard auth manager, config, CLI, HTTP, WebSocket, Docker smoke, and Ollama Cloud auth regression coverage.

Security notes

  • Auth remains off by default only for the existing localhost-only dashboard behavior.
  • Public/non-loopback bind without robust auth is refused by default.
  • Token bootstrap uses URL fragments and sessionStorage rather than query strings/localStorage.
  • Password login exchanges the password for an ephemeral dashboard session token.
  • Rate limiting and lockouts cover failed credential attempts.
  • Trusted-proxy/Tailscale modes require explicit identity headers and can enforce allowlists.

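The remote-bind rule, bearer-token check and ephemeral password session described above, as an added Python example (not the PR's own hermes_cli/dashboard_auth.py code): it assumes every mode except none counts as robust, a one-hour session TTL, and the hypothetical names bind_allowed, token_matches and SessionStore.

```python
from __future__ import annotations
import hmac
import ipaddress
import secrets
import time

AUTH_MODES = ("none", "token", "password", "trusted-proxy", "tailscale")
ROBUST_MODES = frozenset(AUTH_MODES) - {"none"}  # assumption: every mode but none
SESSION_TTL = 3600  # assumption: one-hour ephemeral dashboard sessions


def is_loopback(host: str) -> bool:
    # 127.0.0.1, ::1 and the name localhost count as local-only binds
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def bind_allowed(host: str, mode: str, insecure: bool = False) -> bool:
    # Loopback always starts; a public bind needs a robust mode or --insecure
    return is_loopback(host) or mode in ROBUST_MODES or insecure


def token_matches(presented: str | None, expected: str) -> bool:
    # Constant-time compare so response timing does not leak the configured token
    return presented is not None and hmac.compare_digest(
        presented.encode(), expected.encode())


class SessionStore:
    # Sessions minted after a password login; they expire and can be revoked
    def __init__(self, ttl: float = SESSION_TTL):
        self.ttl = ttl
        self._expiry: dict[str, float] = {}  # session token -> expiry time

    def create(self, now: float | None = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._expiry[token] = now + self.ttl
        return token

    def valid(self, token: str, now: float | None = None) -> bool:
        now = time.time() if now is None else now
        expiry = self._expiry.get(token)
        if expiry is None or now >= expiry:
            self._expiry.pop(token, None)  # drop expired sessions on sight
            return False
        return True

    def revoke(self, token: str) -> None:  # logout
        self._expiry.pop(token, None)
```
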
@alt-glitch added the labels type/feature (New feature or request), P3 (Low — cosmetic, nice to have), comp/cli (CLI entry point, hermes_cli/, setup wizard) and area/auth (Authentication, OAuth, credential pools) on May 5, 2026

- Add configurable dashboard auth modes for none, token, password, trusted-proxy, and Tailscale identity headers
- Protect dashboard HTTP APIs, plugin routes, and WebSocket endpoints through a shared DashboardAuthManager
- Add CLI/config/env wiring for dashboard auth and preserve local unauthenticated default UX
- Refuse non-localhost dashboard binds without robust auth unless explicitly --insecure
- Add React AuthGate plus sessionStorage-based token/password session handling and URL-fragment bootstrap
- Add Docker Compose smoke coverage for dashboard auth modes
- Cover token precedence, session expiry/logout, rate limiting, HTTP/WebSocket auth, and Ollama Cloud auth regression tests