[Bug]: Control UI WebSocket handshake fails with "device identity required" after upgrading to v2026.3.7

[hao65103940]

Bug type

Regression (worked before, now fails)

Summary

Bug Report

Description

After upgrading to v2026.3.7, the Control UI WebSocket connection fails with device identity required on every page refresh, even when dangerouslyDisableDeviceAuth: true is configured.

The first login works, but any subsequent refresh triggers the error and requires re-authentication.

Steps to Reproduce

1. Upgrade OpenClaw to v2026.3.7
2. Configure gateway.auth.mode: "token" with a valid token
3. Configure controlUi.dangerouslyDisableDeviceAuth: true
4. Open Control UI and authenticate successfully with the token
5. Refresh the page

Expected Behavior

Page refresh should maintain the authenticated session without requiring re-authentication, consistent with behavior in v2026.3.2.

Actual Behavior

WebSocket handshake fails immediately on refresh with:

cause: "device-required"
handshake: "failed"
reason: "device identity required"
code: 1008

Gateway Config

"gateway": {
  "port": 18788,
  "mode": "local",
  "bind": "lan",
  "controlUi": {
    "dangerouslyAllowHostHeaderOriginFallback": true,
    "allowInsecureAuth": true,
    "dangerouslyDisableDeviceAuth": true
  },
  "auth": {
    "mode": "token",
    "token": "[REDACTED]"
  }
}

Logs

warn gateway/ws {"cause":"device-required","handshake":"failed","durationMs":32,
"lastFrameType":"req","lastFrameMethod":"connect","client":"openclaw-control-ui",
"mode":"webchat","version":"2026.3.7"} closed before connect code=1008 
reason=device identity required

Environment

• OpenClaw version: 2026.3.7
• Node.js: v24.13.0
• OS: Ubuntu (Linux)
• Browser: Chrome 145
• Install method: npm global (npm install -g openclaw)

Workaround

Downgrading to v2026.3.2 resolves the issue:

npm install -g openclaw@2026.3.2
openclaw gateway install --force
openclaw gateway restart

Additional Notes

This appears to be a regression introduced in v2026.3.7. The dangerouslyDisableDeviceAuth: true flag no longer suppresses the device identity check during WebSocket handshake. Possibly related to the auth hardening changes in this release:

• Gateway/browser auth reconnect hardening (fix(gateway): prevent browser rate-limit self-DoS on missing credentials #38725)
• Gateway/auth follow-up hardening (gateway: harden shared auth resolution across systemd, discord, and node host #39241)
• Gateway/service token drift repair (Fix gateway daemon token drift after token rotation #28428)

Steps to reproduce

1. Upgrade OpenClaw to v2026.3.7
2. Configure gateway.auth.mode: "token" with a valid token
3. Configure controlUi.dangerouslyDisableDeviceAuth: true
4. Open Control UI and authenticate successfully with the token
5. Refresh the page

Expected behavior

Page refresh should maintain the authenticated session without requiring re-authentication, consistent with behavior in v2026.3.2.

Actual behavior

WebSocket handshake fails immediately on refresh with:

cause: "device-required"
handshake: "failed"
reason: "device identity required"
code: 1008

Gateway Config

"gateway": {
  "port": 18788,
  "mode": "local",
  "bind": "lan",
  "controlUi": {
    "dangerouslyAllowHostHeaderOriginFallback": true,
    "allowInsecureAuth": true,
    "dangerouslyDisableDeviceAuth": true
  },
  "auth": {
    "mode": "token",
    "token": "[REDACTED]"
  }
}

OpenClaw version

2026.3.7

Operating system

OS: Ubuntu (Linux)

Install method

Install method: npm global (npm install -g openclaw)

Logs, screenshots, and evidence

### Logs

warn gateway/ws {"cause":"device-required","handshake":"failed","durationMs":32,
"lastFrameType":"req","lastFrameMethod":"connect","client":"openclaw-control-ui",
"mode":"webchat","version":"2026.3.7"} closed before connect code=1008 
reason=device identity required

Impact and severity

No response

Additional information

No response

[newcodebook]

This looks closer to a Control UI identity persistence / access-path problem than a token-only auth problem.

The practical fix order I would use is:

1. Stop testing the dashboard over remote plain HTTP if that is how you open it now. Open it either:
   • locally (http://127.0.0.1:18789), or
   • through a real HTTPS path.
2. If refreshes still re-trigger auth/pairing, approve the device request once on the gateway host and then reconnect:

openclaw devices list
openclaw devices approve <requestId>

Why this helps: dangerouslyDisableDeviceAuth: true is not the most reliable recovery path for browser refresh loops. In practice, device identity required usually means the browser is not presenting a durable device identity after reconnect, often because the access path is insecure or the device approval was never persisted cleanly.

If you want a fast diagnostic split, try this once:

• same browser + same profile + local URL → if refresh works there, the problem is the remote access path rather than your gateway token.

Related reading:

• Control UI: disconnected (1008): device identity required (HTTP / insecure context)
• OpenClaw Control UI Auth & Pairing: Fix 'unauthorized', 1008, and Remote Dashboard Access

[velvet-shark]

Claiming this and working on a fix.

Initial diagnosis: the refresh regression is likely from the recent Control UI token-storage change. I’m patching it so refresh keeps auth for the current tab session without restoring long-lived localStorage persistence.

[velvet-shark]

Opened PR #40892 with the fix: same-tab refreshes now keep the Control UI token in session-scoped browser storage without restoring localStorage token persistence.

PR: #40892

[jjj5666]

升级后 WebSocket 连不上通常是 gateway 配置或 plist 不同步。可以试试 npx clawaid，自动诊断 gateway/config/plist 问题并修复。