[Bug]: trusted-proxy validator rejects `auth.token` even though #54536 requires it for local-direct fallback

[GanemoCorp]

Summary

PR #54536 (merged Mar 29, shipped from v2026.4.1 onwards) added a local-direct fallback in authorizeGatewayConnect so that requests arriving on loopback without proxy identity headers authenticate via auth.token instead of being rejected. This is the intended fix for the long-standing issue that internal callers (cron tool, agent backend exec) could not authenticate in trusted-proxy mode (#17761, #45217, #50580).

However, the startup validator in the same file (src/gateway/auth.ts, validateAuthConfig) still throws when both are configured:

if (auth.mode === "trusted-proxy") {
    ...
    if (auth.token) {
        throw new Error(
            "gateway auth mode is trusted-proxy, but a shared token is also configured; remove gateway.auth.token / OPENCLAW_GATEWAY_TOKEN because trusted-proxy and token auth are mutually exclusive",
        );
    }
}

The net effect: the local-direct fallback added by #54536 is unreachable. Any config that would exercise it is rejected at boot.

Reproduction

1. Deploy OpenClaw v2026.4.10 (or current main) behind nginx with gateway.auth.mode = "trusted-proxy" and a user-header cookie wall.
2. From inside the running agent, ask it to schedule a cron (or use any tool that uses the internal loopback gateway).
3. The agent adds OPENCLAW_GATEWAY_TOKEN / gateway.auth.token to enable cron auth (as documented as the workaround).
4. Container restart → gateway boot → validator throws "... mutually exclusive" → crash loop → 502 at the reverse proxy.

Observed 2026-04-16 on our production-style deployment (trusted-proxy + nginx cookie wall for browser, agent tried to use cron tool → gateway crash loop → users locked out with Bad Gateway). We recovered by stripping the token out of both openclaw.json (gateway.auth.token) and container.env (OPENCLAW_GATEWAY_TOKEN), which forced the user back to square one (no cron tool).

Proposed fix

Remove (or relax) the throw in validateAuthConfig. auth.token is now a valid + required setting when mode === "trusted-proxy" if operators want the cron/exec tools to work; the runtime correctly routes:

• requests with proxy identity header → authorizeTrustedProxy
• loopback-origin requests without proxy header → authorizeTokenAuth (introduced in fix(gateway/auth): local trusted-proxy fallback to require token auth #54536)

The check contradicts the fix. A lighter error message / doc reference in the log would be sufficient, but the hard abort should go.

Environment

• OpenClaw v2026.4.10 (Docker, ARM64, Amazon Linux 2023)
• Reverse proxy: nginx with X-Forwarded-User header (trusted-proxy mode)
• gateway.auth.trustedProxy.userHeader = "X-Forwarded-User"
• Reported via: https://github.com/openclaw/openclaw/blob/main/src/gateway/auth.ts (lines around the validator + the isLocalDirectRequest block near authorizeGatewayConnect)

Related: #17761, #45217, #50580, #54536

[GanemoCorp]

Follow-up: security intent vs. runtime — asking for design guidance before proposing a fix

After my initial report I went back and read docs/gateway/trusted-proxy-auth.md more carefully. The mutual-exclusion is documented as a deliberate security hardening, not an accidental leftover:

"OpenClaw rejects ambiguous configurations where both a gateway.auth.token (or OPENCLAW_GATEWAY_TOKEN) and trusted-proxy mode are active at the same time. Mixed token configs can cause loopback requests to silently authenticate on the wrong auth path."

"Loopback trusted-proxy auth also fails closed: same-host callers must supply the configured identity headers through a trusted proxy instead of being silently authenticated."

And in the Security Audit checklist: "No mixed token config: Do not set both gateway.auth.token and gateway.auth.mode: \"trusted-proxy\"".

That makes the picture more nuanced than my initial post suggested. There's a real tension between:

1. Documented stance + validator in validateAuthConfig: mixed = insecure, fail closed at startup.
2. Runtime behavior added by fix(gateway/auth): local trusted-proxy fallback to require token auth #54536: when mode = "trusted-proxy", loopback-origin requests without proxy identity headers fall back to authorizeTokenAuth({ authToken: auth.token, … }) — which requires auth.token to be set.

So the fallback code path can only execute if a user bypasses the validator (e.g., via test scaffolding). In real deployments, the validator aborts before the fallback is reachable.

Questions for maintainers before I propose anything

1. Is fix(gateway/auth): local trusted-proxy fallback to require token auth #54536 intentionally dormant for now (code ready for a future opt-in), or is the validator the part that's out of date?
2. If the intent is to allow the fallback, would you prefer an explicit opt-in like:
   • auth.trustedProxy.localDirectToken: "…" (separate field, validator permits), or
   • A flag like auth.trustedProxy.allowLocalDirectFallback: true paired with auth.token, or
   • Something else entirely (e.g., loopback requests should authenticate only via Unix-socket + filesystem ACL, not a shared token)?
3. For the concrete UX gap (internal agent cron/exec tools failing on trusted-proxy deployments — [Bug]: Gateway auth dispatcher blocks all internal services when mode=trusted-proxy (no shared-secret fallback) #17761, trusted-proxy auth mode blocks internal exec tool (agent backend cannot authenticate) #45217, [Bug]: trusted-proxy gateway auth works for Control UI but cron/tool calls fail with 1008 unauthorized #50580), what is the intended path forward from the maintainers' perspective?

Happy to submit a PR once the intended direction is clear. Wanted to avoid shipping something that silently weakens the fails closed guarantee you've committed to in the docs.

[teyou]

it seems your PR was merged. looking forward to test it on next release

[clawsweeper]

Closing this as duplicate or superseded after Codex automated review.

Current main does not implement the local-direct token fallback described in this issue; it intentionally rejects mixed trusted-proxy plus token configs and fails closed for loopback trusted-proxy requests. The remaining user problem is already tracked by open issue #17761, with the broader service-identity design in open RFC #69066.

Best possible solution:

Close #67524 as superseded by #17761 and #69066. Do not relax the validator in isolation; keep the current fail-closed trusted-proxy contract unless maintainers land a coordinated service-identity or shared-secret fallback design with code, tests, startup validation, and public docs updated together.

What I checked:

• Startup validator rejects mixed trusted-proxy token config: assertGatewayAuthConfigured throws when auth.mode === "trusted-proxy" and a shared token is resolved. (src/gateway/auth.ts:240, 9e4a0e7f3cac)
• Trusted-proxy runtime fails closed before token/password auth: authorizeTrustedProxy rejects loopback sources with trusted_proxy_loopback_source, and the trusted-proxy dispatcher returns that failure without falling through to token/password auth. (src/gateway/auth.ts:278, 9e4a0e7f3cac)
• Regression tests codify current fail-closed behavior: Tests assert mixed trusted-proxy token configs throw, and local-direct trusted-proxy requests are rejected even with a valid token. (src/gateway/auth.test.ts:832, 9e4a0e7f3cac)
• Docs document the fail-closed contract: Trusted-proxy docs state that mixed token configs are rejected and loopback trusted-proxy auth fails closed; the checklist says not to set both gateway.auth.token and trusted-proxy mode. Public docs: docs/gateway/trusted-proxy-auth.md. (docs/gateway/trusted-proxy-auth.md:260, 9e4a0e7f3cac)
• PR Gateway: reject mixed trusted-proxy token config #58371 superseded the fix(gateway/auth): local trusted-proxy fallback to require token auth #54536 fallback shape: GitHub API shows merged PR Gateway: reject mixed trusted-proxy token config #58371, Gateway: reject mixed trusted-proxy token config, removed the local-direct token fallback and added startup rejection coverage. Merge commit: 6c679e5. (6c679e5f049a)
• Canonical remaining trackers are open: GitHub issue context/API show [Bug]: Gateway auth dispatcher blocks all internal services when mode=trusted-proxy (no shared-secret fallback) #17761 is still open for the internal-services trusted-proxy auth gap, and [RFC] Separate internal service identity from user auth in OpenClaw gateway #69066 is open as the broader RFC for separating internal service identity from user auth. [RFC] Separate internal service identity from user auth in OpenClaw gateway #69066 explicitly lists [Bug]: trusted-proxy validator rejects auth.token even though #54536 requires it for local-direct fallback #67524 among the coupled trusted-proxy regressions.

So I’m closing this here and keeping the remaining discussion on the canonical linked item.

Codex Review notes: model gpt-5.5, reasoning high; reviewed against 9e4a0e7f3cac.