fix(gateway): skip backend self-pairing for auth.mode=none on loopback

uli-will-code · claude · uli-will-code · commit 66072549fda8 · 2026-03-21T08:30:43.000-04:00
The cron rejection is actually in shouldSkipBackendSelfPairing, not
evaluateMissingDeviceIdentity.  When auth.mode=none, authMethod is
"none" which matches neither token/password nor device-token, so the
backend self-pairing skip never triggers.  The cron client provides
device identity, passes the device-identity gate, but then fails at
the pairing step with "pairing required".

Add usesNoAuth to the skip condition: when the gateway is explicitly
configured with no auth, its own backend services on loopback should
not require pairing.  The isGatewayBackendClient + isLocalClient +
!hasBrowserOriginHeader guards are sufficient.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/gateway/server/ws-connection/handshake-auth-helpers.test.ts b/src/gateway/server/ws-connection/handshake-auth-helpers.test.ts
@@ -124,5 +124,28 @@ describe("handshake auth helpers", () => {
         authMethod: "token",
       }),
     ).toBe(false);
+
+    // auth.mode=none: no shared secret or device token exists, but the gateway
+    // backend client on loopback should still skip pairing.
+    expect(
+      shouldSkipBackendSelfPairing({
+        connectParams,
+        isLocalClient: true,
+        hasBrowserOriginHeader: false,
+        sharedAuthOk: false,
+        authMethod: "none",
+      }),
+    ).toBe(true);
+
+    // auth.mode=none but remote: must not skip.
+    expect(
+      shouldSkipBackendSelfPairing({
+        connectParams,
+        isLocalClient: false,
+        hasBrowserOriginHeader: false,
+        sharedAuthOk: false,
+        authMethod: "none",
+      }),
+    ).toBe(false);
   });
 });
diff --git a/src/gateway/server/ws-connection/handshake-auth-helpers.ts b/src/gateway/server/ws-connection/handshake-auth-helpers.ts
@@ -75,13 +75,19 @@ export function shouldSkipBackendSelfPairing(params: {
   }
   const usesSharedSecretAuth = params.authMethod === "token" || params.authMethod === "password";
   const usesDeviceTokenAuth = params.authMethod === "device-token";
+  // auth.mode=none: the gateway is explicitly configured with no auth, so there
+  // is no shared secret or device token to prove.  Requiring pairing in this
+  // configuration adds friction without security value — any client can already
+  // connect without credentials.  The isGatewayBackendClient + isLocalClient
+  // guards are sufficient.
+  const usesNoAuth = params.authMethod === "none";
   // `authMethod === "device-token"` only reaches this helper after the caller
   // has already accepted auth (`authOk === true`), so a separate
   // `deviceTokenAuthOk` flag would be redundant here.
   return (
     params.isLocalClient &&
     !params.hasBrowserOriginHeader &&
-    ((params.sharedAuthOk && usesSharedSecretAuth) || usesDeviceTokenAuth)
+    ((params.sharedAuthOk && usesSharedSecretAuth) || usesDeviceTokenAuth || usesNoAuth)
   );
 }
 
