[Bug]: `gateway.auth.mode=trusted-proxy` still accepts local password auth fallback when `OPENCLAW_GATEWAY_PASSWORD` (or `gateway.auth.password`) is set

[azvast]

Bug type

Behavior bug (incorrect output/state without crash)

Beta release blocker

No

Summary

In trusted-proxy mode, gateway auth is expected to be derived from trusted proxy identity headers. Current behavior includes an additional local-direct fallback: when trusted-proxy checks fail on loopback and a password is configured, authorizeGatewayConnect returns password auth success (method: "password"). This creates a second auth path under mode: "trusted-proxy".

Steps to reproduce

1. Configure gateway auth mode as trusted-proxy and set a password secret as well.
2. Send a loopback request (same host) that does not satisfy trusted-proxy identity checks.
3. Include connectAuth.password matching configured password.
4. Observe successful auth via password fallback.

Expected behavior

When gateway.auth.mode is trusted-proxy, authentication should require trusted-proxy conditions only (or fail closed), unless an explicit separate compatibility mode is enabled.

Actual behavior

Trusted-proxy failures can still authenticate via local-direct password fallback.

OpenClaw version

2026.5.4

Operating system

Ubuntu 24.04 / Windows 11

Install method

npm global

Model

anthropic/claude-sonnet-4.5

Provider / routing chain

anthropic

Additional provider/model setup details

No response

Logs, screenshots, and evidence

:489:src/gateway/auth.ts
  if (auth.mode === "trusted-proxy") {
    ...
    const result = authorizeTrustedProxy({ ... });
    if ("user" in result) {
      ...
      return { ok: true, method: "trusted-proxy", user: result.user };
    }
    if (localDirect && auth.password && connectAuth?.password) {
      ...
      return authorizePasswordAuth({
        authPassword: auth.password,
        connectPassword: connectAuth.password,
        ...
      });
    }
    return { ok: false, reason: result.reason };
  }


:979:src/gateway/auth.test.ts
    it("accepts local-direct password fallback when trusted-proxy auth fails", async () => {
      const limiter = createLimiterSpy();
      const res = await authorizeLocalDirect({
        password: "local-password",
        connectPassword: "local-password",
        rateLimiter: limiter,
      });

      expect(res).toEqual({ ok: true, method: "password" });
    });

Impact and severity

High/critical security footgun on shared-host deployments: trusted-proxy mode can be bypassed to password auth locally when a password is present, which weakens mode isolation and operator expectation that trusted-proxy is the sole auth method.

Additional information

assertGatewayAuthConfigured forbids token coexistence in trusted-proxy mode, but does not forbid password coexistence, which allows this fallback behavior.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open: current main confirms the local-direct password fallback exists, but docs and changelog show it is intentional compatibility behavior, so changing it needs maintainer security/product judgment rather than cleanup closure.

Reproducibility: yes. Source inspection shows the fallback branch in src/gateway/auth.ts, and src/gateway/auth.test.ts already asserts the exact password-auth success path described by the report.

Next step
Security-sensitive auth-boundary behavior conflicts with documented compatibility, so maintainers should decide policy before any repair PR.

Security
Needs attention: The report concerns an auth-boundary behavior where trusted-proxy mode can also accept a local shared-password path.

Review details

Best possible solution:

Define the trusted-proxy auth policy explicitly, then align source, tests, docs, changelog, configuration helpers, and security audit messaging around either fail-closed mode isolation or an explicit opt-in local password fallback.

Do we have a high-confidence way to reproduce the issue?

Yes. Source inspection shows the fallback branch in src/gateway/auth.ts, and src/gateway/auth.test.ts already asserts the exact password-auth success path described by the report.

Is this the best way to solve the issue?

Unclear. Fail-closed trusted-proxy isolation is a plausible security improvement, but current docs and changelog intentionally support password fallback for internal callers, so the maintainable fix needs a policy decision before implementation.

Security concerns:

• [high] Trusted-proxy mode has a local password auth path — src/gateway/auth.ts:469
  Current main accepts gateway.auth.password for local-direct trusted-proxy failures, which is documented but security-sensitive because operators may expect trusted-proxy mode to have only proxy-derived identity auth.
  Confidence: 0.9

What I checked:

• Source fallback path: In trusted-proxy mode, authorizeGatewayConnect calls authorizePasswordAuth when the trusted-proxy check fails but the request is local-direct and a matching password is provided. (src/gateway/auth.ts:469, d3fc1985feba)
• Existing test asserts reported behavior: The gateway auth unit test explicitly expects local-direct trusted-proxy failure to authenticate with method: "password" when the configured password matches. (src/gateway/auth.test.ts:967, d3fc1985feba)
• Docs document the fallback: Trusted-proxy docs say internal callers that bypass the proxy may authenticate with gateway.auth.password / OPENCLAW_GATEWAY_PASSWORD, and the security checklist warns to keep that fallback private. Public docs: docs/gateway/trusted-proxy-auth.md. (docs/gateway/trusted-proxy-auth.md:308, d3fc1985feba)
• Configuration reference documents compatibility: The configuration reference states that internal same-host callers can use gateway.auth.password as a local direct fallback while token remains mutually exclusive with trusted-proxy mode. Public docs: docs/gateway/configuration-reference.md. (docs/gateway/configuration-reference.md:436, d3fc1985feba)
• Changelog provenance: The changelog records this fallback as a gateway/auth change that allowed local direct callers in trusted-proxy mode to use the configured gateway password while rejecting token fallback. (CHANGELOG.md:1884, d3fc1985feba)
• Security ownership: CODEOWNERS routes src/gateway/*auth*.ts and nested gateway auth files to @openclaw/openclaw-secops, so this auth-boundary change needs that review path. (.github/CODEOWNERS:16, d3fc1985feba)

Likely related people:

• Peter Steinberger: Current checkout blame for the trusted-proxy fallback branch and its unit tests points to the grafted base commit containing this behavior. (role: introduced behavior in current checkout history; confidence: medium; commits: 3e8b5b4ee70d; files: src/gateway/auth.ts, src/gateway/auth.test.ts, docs/gateway/trusted-proxy-auth.md)
• @openclaw/openclaw-secops: Gateway auth files are explicitly owned by the secops team in CODEOWNERS, and the report changes an auth boundary. (role: CODEOWNERS review owner; confidence: high; files: .github/CODEOWNERS, src/gateway/auth.ts)
• @dashed: The changelog credits this handle on the earlier gateway/auth fallback change that this issue would revisit. (role: prior related context; confidence: low; files: CHANGELOG.md)
• @vincentkoc: The changelog credits this handle on the earlier gateway/auth fallback change that this issue would revisit. (role: prior related context; confidence: low; files: CHANGELOG.md)
• @jetd1: The changelog credits this handle on the earlier gateway/auth fallback change that this issue would revisit. (role: prior related context; confidence: low; files: CHANGELOG.md)

Remaining risk / open question:

• Removing the fallback could break documented internal same-host callers that currently rely on gateway.auth.password in trusted-proxy deployments.
• Keeping the fallback preserves a second local auth path under an identity-bearing mode, which may violate operator expectations for strict trusted-proxy isolation.
• The safest fix may require a migration or explicit compatibility flag, which is a maintainer policy decision.

Codex review notes: model gpt-5.5, reasoning high; reviewed against d3fc1985feba.

[sallyom]

Now seeing the local password fallback was intentionally added as fix for #17761
Will reconsider a fix for this. Keeping this open for now.

[steipete]

Fixed on main in 84dd9c7395: 84dd9c7395

Proof: the trusted-proxy auth branch now fails closed after trusted-proxy identity checks fail instead of falling through to local password auth. Regression coverage in src/gateway/auth.test.ts verifies valid and invalid local password credentials are ignored in explicit trusted-proxy mode. Targeted verification passed: pnpm test src/gateway/auth.test.ts.