fix(gateway): reject no-auth tailscale exposure

steipete · web-flow · commit dc5954b0f8cb · 2026-05-27T14:11:17.000+01:00
Fixes #50630. Replaces stale PR #50631. Behavior: reject gateway auth mode none when Tailscale Serve or Funnel exposes the gateway, across config validation, install-token preflight, and runtime startup. Proof: - node scripts/run-vitest.mjs src/config/config.gateway-tailscale-bind.test.ts src/gateway/server-runtime-config.test.ts src/commands/doctor-gateway-auth-token.test.ts - .agents/skills/autoreview/scripts/autoreview --mode local - node scripts/crabbox-wrapper.mjs run --shell -- "pnpm check:changed" (run_5a999c1e11c0, exit 0) - GitHub PR checks clean on 0b306e8; prior checkout/diff failures were GitHub infrastructure and cleared after rebase.
diff --git a/src/commands/doctor-gateway-auth-token.test.ts b/src/commands/doctor-gateway-auth-token.test.ts
@@ -6,6 +6,7 @@ import {
   resolveGatewayAuthTokenForService,
   shouldRequireGatewayTokenForInstall,
 } from "./doctor-gateway-auth-token.js";
+import { resolveGatewayInstallToken } from "./gateway-install-token.js";
 
 const envVar = (...parts: string[]) => parts.join("_");
 
@@ -270,4 +271,21 @@ describe("shouldRequireGatewayTokenForInstall", () => {
     );
     expect(required).toBe(true);
   });
+
+  it("blocks install token resolution for tailscale serve with explicit no-auth", async () => {
+    const resolved = await resolveGatewayInstallToken({
+      config: {
+        gateway: {
+          auth: { mode: "none" },
+          tailscale: { mode: "serve" },
+        },
+      } as OpenClawConfig,
+      env: {} as NodeJS.ProcessEnv,
+    });
+
+    expect(resolved.token).toBeUndefined();
+    expect(resolved.unavailableReason).toBe(
+      "gateway.auth.mode=none cannot be used with gateway.tailscale.mode=serve; configure token, password, or trusted-proxy auth before exposing the gateway through Tailscale",
+    );
+  });
 });
diff --git a/src/commands/gateway-install-token.ts b/src/commands/gateway-install-token.ts
@@ -7,6 +7,10 @@ import { shouldRequireGatewayTokenForInstall } from "../gateway/auth-install-pol
 import { hasAmbiguousGatewayAuthModeConfig } from "../gateway/auth-mode-policy.js";
 import { resolveGatewayAuthToken } from "../gateway/auth-token-resolution.js";
 import { resolveGatewayAuth } from "../gateway/auth.js";
+import {
+  formatUnsafeGatewayTailscaleNoAuthMessage,
+  isUnsafeGatewayTailscaleNoAuth,
+} from "../shared/gateway-tailscale-auth-policy.js";
 import { normalizeOptionalString } from "../shared/string-coerce.js";
 import {
   readConfigFileSnapshotForWrite,
@@ -133,6 +137,15 @@ export async function resolveGatewayInstallToken(
     env: options.env,
     tailscaleMode: cfg.gateway?.tailscale?.mode ?? "off",
   });
+  const tailscaleMode = cfg.gateway?.tailscale?.mode ?? "off";
+  if (isUnsafeGatewayTailscaleNoAuth({ authMode: resolvedAuth.mode, tailscaleMode })) {
+    return {
+      token: undefined,
+      tokenRefConfigured: false,
+      unavailableReason: formatUnsafeGatewayTailscaleNoAuthMessage(tailscaleMode),
+      warnings,
+    };
+  }
   const needsToken =
     shouldRequireGatewayTokenForInstall(cfg, options.env) && !resolvedAuth.allowTailscale;
   if (!needsToken) {
diff --git a/src/config/config.gateway-tailscale-bind.test.ts b/src/config/config.gateway-tailscale-bind.test.ts
@@ -20,6 +20,55 @@ describe("gateway tailscale bind validation", () => {
     expect(funnelRes.ok).toBe(true);
   });
 
+  it("rejects explicit no-auth when tailscale serve or funnel exposes the gateway", () => {
+    const serveRes = validateConfigObject({
+      gateway: {
+        bind: "loopback",
+        auth: { mode: "none" },
+        tailscale: { mode: "serve" },
+      },
+    });
+    expect(serveRes.ok).toBe(false);
+    if (!serveRes.ok) {
+      expect(serveRes.issues).toEqual([
+        {
+          path: "gateway.auth.mode",
+          message:
+            "gateway.auth.mode=none cannot be used with gateway.tailscale.mode=serve; configure token, password, or trusted-proxy auth before exposing the gateway through Tailscale",
+        },
+      ]);
+    }
+
+    const funnelRes = validateConfigObject({
+      gateway: {
+        bind: "loopback",
+        auth: { mode: "none" },
+        tailscale: { mode: "funnel" },
+      },
+    });
+    expect(funnelRes.ok).toBe(false);
+    if (!funnelRes.ok) {
+      expect(funnelRes.issues).toEqual([
+        {
+          path: "gateway.auth.mode",
+          message:
+            "gateway.tailscale.mode=funnel requires gateway.auth.mode=password; auth.mode=none cannot be used when exposing the gateway through Tailscale Funnel",
+        },
+      ]);
+    }
+  });
+
+  it("allows explicit no-auth for loopback-only gateway config", () => {
+    const res = validateConfigObject({
+      gateway: {
+        bind: "loopback",
+        auth: { mode: "none" },
+        tailscale: { mode: "off" },
+      },
+    });
+    expect(res.ok).toBe(true);
+  });
+
   it("accepts custom loopback bind host with tailscale serve/funnel", () => {
     const res = validateConfigObject({
       gateway: {
diff --git a/src/config/validation.ts b/src/config/validation.ts
@@ -31,6 +31,10 @@ import {
   isPathWithinRoot,
   isWindowsAbsolutePath,
 } from "../shared/avatar-policy.js";
+import {
+  formatUnsafeGatewayTailscaleNoAuthMessage,
+  isUnsafeGatewayTailscaleNoAuth,
+} from "../shared/gateway-tailscale-auth-policy.js";
 import { isCanonicalDottedDecimalIPv4, isLoopbackIpAddress } from "../shared/net/ip.js";
 import { normalizeLowercaseStringOrEmpty } from "../shared/string-coerce.js";
 import { isRecord, resolveUserPath } from "../utils.js";
@@ -854,6 +858,19 @@ function validateGatewayTailscaleBind(config: OpenClawConfig): ConfigValidationI
   ];
 }
 
+function validateGatewayTailscaleAuth(config: OpenClawConfig): ConfigValidationIssue[] {
+  const tailscaleMode = config.gateway?.tailscale?.mode ?? "off";
+  if (!isUnsafeGatewayTailscaleNoAuth({ authMode: config.gateway?.auth?.mode, tailscaleMode })) {
+    return [];
+  }
+  return [
+    {
+      path: "gateway.auth.mode",
+      message: formatUnsafeGatewayTailscaleNoAuthMessage(tailscaleMode),
+    },
+  ];
+}
+
 /**
  * Validates config without applying runtime defaults.
  * Use this when you need the raw validated config (e.g., for writing back to file).
@@ -914,6 +931,10 @@ export function validateConfigObjectRaw(
   if (gatewayTailscaleBindIssues.length > 0) {
     return { ok: false, issues: gatewayTailscaleBindIssues };
   }
+  const gatewayTailscaleAuthIssues = validateGatewayTailscaleAuth(validatedConfig);
+  if (gatewayTailscaleAuthIssues.length > 0) {
+    return { ok: false, issues: gatewayTailscaleAuthIssues };
+  }
   return {
     ok: true,
     config: validatedConfig,
diff --git a/src/gateway/server-runtime-config.test.ts b/src/gateway/server-runtime-config.test.ts
@@ -298,6 +298,20 @@ describe("resolveGatewayRuntimeConfig", () => {
       ).rejects.toThrow(/refusing to bind gateway/);
     });
 
+    it("rejects tailscale serve with explicit no-auth", async () => {
+      await expect(
+        resolveGatewayRuntimeConfig({
+          cfg: {
+            gateway: {
+              auth: { mode: "none" },
+              tailscale: { mode: "serve" },
+            },
+          },
+          port: 18789,
+        }),
+      ).rejects.toThrow("gateway.auth.mode=none cannot be used with gateway.tailscale.mode=serve");
+    });
+
     it("respects explicit loopback config even inside a container", async () => {
       const fs = require("node:fs");
       vi.spyOn(fs, "accessSync").mockImplementation(() => undefined); // /.dockerenv exists
@@ -314,7 +328,7 @@ describe("resolveGatewayRuntimeConfig", () => {
       const result = await resolveGatewayRuntimeConfig({
         cfg: {
           gateway: {
-            auth: { mode: "none" },
+            auth: TOKEN_AUTH,
             tailscale: { mode: "serve" },
           },
         },
diff --git a/src/gateway/server-runtime-config.ts b/src/gateway/server-runtime-config.ts
@@ -4,6 +4,10 @@ import type {
   GatewayTailscaleConfig,
 } from "../config/types.gateway.js";
 import type { OpenClawConfig } from "../config/types.openclaw.js";
+import {
+  formatUnsafeGatewayTailscaleNoAuthMessage,
+  isUnsafeGatewayTailscaleNoAuth,
+} from "../shared/gateway-tailscale-auth-policy.js";
 import {
   assertGatewayAuthConfigured,
   type ResolvedGatewayAuth,
@@ -134,6 +138,9 @@ export async function resolveGatewayRuntimeConfig(params: {
       "tailscale funnel requires gateway auth mode=password (set gateway.auth.password or OPENCLAW_GATEWAY_PASSWORD)",
     );
   }
+  if (isUnsafeGatewayTailscaleNoAuth({ authMode, tailscaleMode })) {
+    throw new Error(formatUnsafeGatewayTailscaleNoAuthMessage(tailscaleMode));
+  }
   if (tailscaleMode !== "off" && !isLoopbackHost(bindHost)) {
     throw new Error("tailscale serve/funnel requires gateway bind=loopback (127.0.0.1)");
   }
diff --git a/src/shared/gateway-tailscale-auth-policy.ts b/src/shared/gateway-tailscale-auth-policy.ts
@@ -0,0 +1,20 @@
+import type { GatewayAuthMode, GatewayTailscaleMode } from "../config/types.gateway.js";
+
+export function isUnsafeGatewayTailscaleNoAuth(params: {
+  authMode?: GatewayAuthMode;
+  tailscaleMode?: GatewayTailscaleMode;
+}): boolean {
+  return (
+    params.authMode === "none" &&
+    (params.tailscaleMode === "serve" || params.tailscaleMode === "funnel")
+  );
+}
+
+export function formatUnsafeGatewayTailscaleNoAuthMessage(
+  tailscaleMode: GatewayTailscaleMode,
+): string {
+  if (tailscaleMode === "funnel") {
+    return "gateway.tailscale.mode=funnel requires gateway.auth.mode=password; auth.mode=none cannot be used when exposing the gateway through Tailscale Funnel";
+  }
+  return `gateway.auth.mode=none cannot be used with gateway.tailscale.mode=${tailscaleMode}; configure token, password, or trusted-proxy auth before exposing the gateway through Tailscale`;
+}
