dangerouslyDisableDeviceAuth does not fully bypass device identity check when sharedAuthOk is false

[gabachom]

Description

When gateway.controlUi.dangerouslyDisableDeviceAuth is set to true, the gateway correctly sets the device to null via resolveControlUiAuthPolicy, but the connection is still rejected with device identity required (code 1008) because roleCanSkipDeviceIdentity() requires both role === "operator" AND sharedAuthOk === true.

In reverse proxy setups where Nginx injects the Authorization: Bearer header at the HTTP level, the token is not present in the WebSocket connect frame's connectAuth, so sharedAuthOk evaluates to false. This causes evaluateMissingDeviceIdentity() to fall through to reject-device-required.

Expected behavior

When dangerouslyDisableDeviceAuth: true, Control UI connections should be allowed without requiring a valid shared auth token in the WebSocket connect frame. The controlUiAuthPolicy.allowBypass flag is already true in this case, but evaluateMissingDeviceIdentity() does not check it before falling through to the device-required rejection.

Suggested fix

Add a check in evaluateMissingDeviceIdentity():

if (params.isControlUi && params.controlUiAuthPolicy.allowBypass) return { kind: "allow" };

And also handle the check in the connection handler:

    rejectUnauthorized(authResult);
    return;
}

Environment

• OpenClaw v2026.3.8
• Node.js v24.13.1
• Nginx reverse proxy with Authorization: Bearer header injection

[newcodebook]

Given your setup (reverse proxy injecting Authorization: Bearer …), the practical problem is: the Control UI’s WebSocket connect frame often does not carry that injected header as connectAuth, so sharedAuthOk stays false and the gateway falls back to device identity required (1008).

Workaround (actionable, no code changes)

1. Don’t rely on proxy-injected auth for the Control UI. Bootstrap the UI token the way the dashboard expects:
   • run openclaw dashboard on the gateway host
   • open the URL it prints (it includes ?token=...), so the UI can store the token and send it on WS reconnects
2. Prefer a secure access path (HTTPS or SSH tunnel). If WebCrypto can establish device identity, you won’t need dangerouslyDisableDeviceAuth at all.

If you still want dangerouslyDisableDeviceAuth: true to fully bypass device identity even without shared auth, then yes — your suggested allowBypass short-circuit makes sense, but that needs an upstream code fix.

Recommended reading:

• Control UI: disconnected (1008): device identity required (HTTP / insecure context)
• OpenClaw Control UI Auth & Pairing: Fix 'unauthorized', 1008, and Remote Dashboard Access

[steipete]

Closing this as implemented after Codex review.

Current main already implements the requested bypass: evaluateMissingDeviceIdentity() allows Control UI operator sessions when controlUiAuthPolicy.allowBypass is true, without requiring sharedAuthOk, and the handler already routes unauthorized cases through rejectUnauthorized(). The same logic and regression coverage are present in release tag v2026.4.22.

What I checked:

• Bypass implemented in connect policy: evaluateMissingDeviceIdentity() returns { kind: "allow" } for Control UI operator sessions when controlUiAuthPolicy.allowBypass is true, before the roleCanSkipDeviceIdentity(...sharedAuthOk) check. (src/gateway/server/ws-connection/connect-policy.ts:121, 41c5ffc5d5f4)
• Unauthorized branch already handled: The WebSocket connect handler already special-cases reject-unauthorized and calls rejectUnauthorized(authResult) before any device-required close. (src/gateway/server/ws-connection/message-handler.ts:666, 41c5ffc5d5f4)
• Regression test covers reported case: Unit coverage asserts that dangerouslyDisableDeviceAuth: true allows an operator Control UI connection with sharedAuthOk: false, while still rejecting node-role sessions. (src/gateway/server/ws-connection/connect-policy.test.ts:174, 41c5ffc5d5f4)
• Integration test covers device-less Control UI success: Gateway Control UI suite verifies that with gatewayControlUi = { dangerouslyDisableDeviceAuth: true }, a Control UI operator connect without a device still succeeds and keeps operator scopes. (src/gateway/server.auth.control-ui.suite.ts:427, 41c5ffc5d5f4)
• Shipped release contains same fix: The v2026.4.22 tag has the same allowBypass short-circuit in connect-policy.ts, the same unauthorized handler branch in message-handler.ts, and the same regression test expectations. (src/gateway/server/ws-connection/connect-policy.ts:121, a94763ee224e)

So I’m closing this as already implemented rather than keeping a duplicate issue open.

Review notes: reviewed against 41c5ffc5d5f4; fix evidence: release v2026.4.22.