Control UI device token mismatch loop after scope upgrade causes rate-limit lockout

[ricksayhi]

Bug Description

After a device scope upgrade / device approval, the Control UI enters an authentication failure loop:

1. Browser holds stale local device credentials
2. Gateway switches to new device token/permission state after approval
3. Browser reconnects with mismatched token → device_token_mismatch
4. Frontend does not clear old device state; instead it generates a new instanceId and retries
5. Each retry produces another mismatch → another new instanceId
6. Rapid accumulation of failed attempts triggers rate_limited: too many failed authentication attempts (retry later)
7. User is locked out of Control UI; only fix is temporarily setting gateway.auth.mode=none

Steps to Reproduce

1. Use OpenClaw with Control UI (webchat) normally
2. Perform a scope upgrade / device approval via the gateway
3. Attempt to continue using the Control UI in the same browser session
4. Observe: redirected to login page showing WebSocket URL + gateway token
5. Observe in gateway logs: repeated device_token_mismatch with incrementing instanceId values
6. Eventually hits rate limit and is fully locked out

Gateway Log Evidence

Multiple distinct instanceId values appear in rapid succession:

• 14753151-3dac-4f0e-98a3-2be1b3327abb
• 17f4c557-1cd9-40e6-b3d7-54783f219f20
• 52abe396-df05-4daf-84e5-7f84f2f7d2bf
• c69afb9e-0981-4c17-9405-27d6a2d066ca
• …

Each with authReason: device_token_mismatch, followed by authReason: rate_limited.

Root Cause Analysis

Three compounding issues:

1. No stale token cleanup on mismatch: When device_token_mismatch is detected, the frontend does not invalidate/clear the old browser device credentials. It retries with a newly generated identity instead.

2. Stale local credentials preferred over URL token: The frontend appears to prioritize its own stored device token over the fresh token embedded in the dashboard URL, perpetuating the mismatch.

3. Misleading error messaging: The error "rotate/reissue device token" implies the user should obtain a new token, when in fact the problem is stale credentials that should be discarded, not rotated.

Expected Behavior

After a scope upgrade / device approval:

• Gateway should detect token drift and signal the frontend to clear old device state
• Frontend should automatically re-authenticate with fresh credentials
• Or: the Control UI should clearly indicate "device identity expired, reconnecting…" rather than showing a login shell

Suggested Fixes

1. On device_token_mismatch, the gateway should send a signal instructing the frontend to clear stored device identity before retrying
2. When generating a fresh dashboard URL with embedded token, the frontend should prioritize that over any stored device token
3. Error messages during mismatch should direct users toward reconnecting / clearing state, not "rotate/reissue"
4. Consider a more graceful recovery path: when a mismatch is detected post-approval, auto-invalidate the old device token server-side rather than waiting for client retry loop

Environment

• OpenClaw version: 2026.4.23
• Platform: macOS (Darwin 26.3, arm64)
• Node: v22.22.2
• Gateway: local mode, loopback bind
• Auth mode: token
• Control UI: webchat via Chrome on MacIntel

[clawsweeper]

Codex automated review: keeping this open.

Keep this issue open. Current main still leaves the browser Control UI stale stored-device-token path able to reconnect after AUTH_DEVICE_TOKEN_MISMATCH without clearing the cached token, while server/docs text still points users toward rotate/reissue guidance instead of stale browser identity recovery. The issue is recent, concrete, non-maintainer-authored, and has no protected labels or merged implementation candidate in the provided context.

Best possible solution:

Keep the issue open and fix the browser Control UI auth recovery path. The likely maintainer fix belongs in ui/src/ui/gateway.ts: clear stale cached browser device auth when AUTH_DEVICE_TOKEN_MISMATCH occurs for the stored-token primary path, stop automatic reconnects when no safe one-shot retry remains, preserve explicit shared token/password precedence, update the rotate/reissue wording to stale-identity reconnect guidance, and add focused GatewayBrowserClient regression tests for stale device-token cleanup and non-looping recovery after scope approval.

What I checked:

• Current main inspected: The checkout is clean and at 348728c, matching the supplied current main SHA for this review. (348728c28c1e)
• Browser reconnect gating omits device-token mismatch: isNonRecoverableAuthError blocks missing token, bad password, rate limiting, pairing required, and device identity required, but does not include AUTH_DEVICE_TOKEN_MISMATCH. The close handler schedules reconnect whenever the pending connect error is not classified as non-recoverable. (ui/src/ui/gateway.ts:78, 348728c28c1e)
• Stale browser token cleanup is too narrow: handleConnectFailure clears openclaw.device.auth.v1 only when canFallbackToShared is true and the detail code is AUTH_DEVICE_TOKEN_MISMATCH. selectConnectAuth sets canFallbackToShared only when both a stored token and explicit gateway token exist, while the stored-token primary path uses the stale stored token as auth.token when no explicit token/password is present. (ui/src/ui/gateway.ts:503, 348728c28c1e)
• Browser tests do not cover the failing mismatch recovery: GatewayBrowserClient tests cover explicit shared auth precedence, stored-device-token primary auth, one-shot retry after AUTH_TOKEN_MISMATCH, and stopping on AUTH_TOKEN_MISSING. Targeted search found no browser GatewayBrowserClient test that clears stored browser auth or suppresses reconnects on AUTH_DEVICE_TOKEN_MISMATCH. (ui/src/ui/gateway.node.test.ts:294, 348728c28c1e)
• Server/docs wording still says rotate/reissue: The gateway auth message for device_token_mismatch still returns "rotate/reissue device token", and troubleshooting docs recommend rotating or re-approving instead of clearing stale browser device identity and reconnecting with fresh shared auth. (src/gateway/server/ws-connection/auth-messages.ts:56, 348728c28c1e)
• Analogous backend client cleanup exists: The non-browser GatewayClient clears persisted device auth state on a 1008 device token mismatch close only when device-token auth was active, and has tests for that behavior. That supports the requested product direction but does not fix the Control UI browser path reported here. (src/gateway/client.ts:321, 348728c28c1e)

Remaining risk / open question:

• This was a read-only static review, so I did not run a live browser/gateway reproduction or tests. The source and current tests are enough to show the reported recovery path is still not implemented.

Codex Review notes: model gpt-5.5, reasoning high; reviewed against 348728c28c1e.

[steipete]

Fixed on main in 885806d (fix(gateway): stop stale device token reconnect loops). The Control UI and Node gateway client now clear reused stale device tokens and stop reconnecting on AUTH_DEVICE_TOKEN_MISMATCH, with reconnect-gating coverage.