Gateway: trusted-proxy mode + allowLoopback=true rejects internal loopback callers despite valid gateway.auth.password (docs say fallback should work)

[esqandil]

Summary

In gateway.auth.mode: "trusted-proxy" with allowLoopback: true, internal loopback clients that present a valid gateway.auth.password are rejected with trusted_proxy_missing_header_* before the documented "local direct fallback" path runs. The docs explicitly promise this path works; the runtime contradicts them.

Repro on 2026.5.12 (f066dd2, Node v22.22.2, Linux 6.8.0).

Expected (per docs)

docs/gateway/configuration-reference.md line 518:

Internal same-host callers can use gateway.auth.password as a local direct fallback; gateway.auth.token remains mutually exclusive with trusted-proxy mode.

docs/gateway/trusted-proxy-auth.md line 308:

Loopback trusted-proxy identity headers still fail closed: same-host callers are not silently authenticated as proxy users. Internal OpenClaw callers that bypass the proxy may authenticate with gateway.auth.password / OPENCLAW_GATEWAY_PASSWORD instead.

Same doc, line 101:

Forwarded-header evidence overrides loopback locality for local direct fallback. If a request arrives on loopback but carries X-Forwarded-For / X-Forwarded-Host / X-Forwarded-Proto headers pointing at a non-local origin, that evidence disqualifies local-direct password fallback…

Read together: a loopback connect with no forwarded headers and a valid auth.password should succeed via local-direct fallback even when auth.mode = "trusted-proxy".

Actual

Every internal loopback connect (backend RPC, CLI, subagent spawn, plugin approval channel) is rejected. The rejection log fields:

authMode=trusted-proxy
authProvided=password
authReason=trusted_proxy_missing_header_cf-access-jwt-assertion
client=gateway-client mode=backend hasDeviceIdentity=false
peer=127.0.0.1:44422->127.0.0.1:18789
fwd=n/a origin=n/a host=127.0.0.1:18789 ua=n/a

Note specifically:

• authProvided=password — the client did send the configured password.
• fwd=n/a — there are no X-Forwarded-* headers, so the "forwarded-header evidence overrides loopback locality" carve-out does NOT apply.
• authReason=trusted_proxy_missing_header_* — the rejection comes from the trusted-proxy required-headers check.

CLI calls with hasDeviceIdentity=true (paired) fail the same way, so it isn't a device-identity issue.

Config (minimised)

{
  "gateway": {
    "mode": "local",
    "auth": {
      "mode": "trusted-proxy",
      "trustedProxy": {
        "userHeader": "cf-access-authenticated-user-email",
        "requiredHeaders": [
          "cf-access-jwt-assertion",
          "x-forwarded-host",
          "x-forwarded-proto"
        ],
        "allowUsers": ["redacted"],
        "allowLoopback": true
      },
      "password": "<32-byte hex>"
    },
    "trustedProxies": ["127.0.0.1/32", "::1/128"]
  }
}

Plus OPENCLAW_GATEWAY_PASSWORD=<same value> exported into the gateway process via systemd EnvironmentFile=. Confirmed via /proc/<gateway-pid>/environ.

No gateway.auth.token set anywhere. No OPENCLAW_GATEWAY_TOKEN. No mixed-token startup error.

Setup context

Same-host cloudflared sits in front, terminating Cloudflare Access at nemoclaw.<host>.com and forwarding to 127.0.0.1:18789 with the four CF headers. Browser flow through cloudflared works. Only internal loopback callers (no CF headers) fail.

Auth pipeline order suspicion

The runtime appears to run trusted-proxy requiredHeaders validation before local-direct password fallback for all loopback connections. The authProvided=password field shows the password check would have succeeded; the trusted-proxy header check fires first and short-circuits the reply with trusted_proxy_missing_header_*. Per the docs, the order should be reversed (or at least: no-forwarded-headers loopback + password-supplied → password fallback wins).

Impact

• sessions_spawn rejects with gateway closed (1008): unauthorized.
• openclaw doctor, openclaw config get, and any CLI that opens a backend WS fails.
• Plugin approval channel can't be reached, so any tool call that would prompt for approval (e.g. R7/R8 gates) instead errors with Plugin approval required (gateway unavailable).
• Cloudflare Tunnel browser access is unaffected (those requests carry the CF headers and pass).

Minimal repro

1. Configure gateway.auth.mode: "trusted-proxy" with allowLoopback: true and any non-trivial requiredHeaders.
2. Set gateway.auth.password (and optionally OPENCLAW_GATEWAY_PASSWORD env).
3. Start gateway.
4. From the same host, run any CLI that opens a backend WS, e.g. openclaw config get gateway.auth.mode.

Expected: succeeds via password fallback.
Actual: gateway closed (1008): unauthorized, log shows authProvided=password authReason=trusted_proxy_missing_header_*.

Workarounds attempted

• Setting OPENCLAW_GATEWAY_PASSWORD env var on the gateway process — no effect (password was already in config; this confirmed env path was wired).
• openclaw doctor — same failure.
• Multiple gateway restarts (SIGUSR1 + full systemctl restart) — same failure.
• Service reinstall via openclaw service install — same failure.

Suggested fix direction

In the WS connect auth pipeline, when auth.mode = "trusted-proxy" and the inbound request is from loopback and carries no X-Forwarded-* evidence, route the request through the local-direct password path before running requiredHeaders validation. The current order seems to always run requiredHeaders first, which negates the documented fallback.

Alternative: make the fallback order explicit/configurable so this setup can be expressed without ambiguity.

Environment

• OpenClaw 2026.5.12 (f066dd2)
• Node v22.22.2
• Linux 6.8.0-111-generic x64
• systemd user service (openclaw-gateway.service)
• Loopback bind, same-host cloudflared front-door

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open: current main and v2026.5.12 intentionally fail closed before password fallback, while current public docs still promise same-host password fallback for internal trusted-proxy callers; resolving that conflict needs gateway/security owner judgment.

Reproducibility: yes. source-level: current main returns the trusted-proxy failure before password auth, and current tests assert valid loopback password credentials are rejected. I did not run a live gateway because this review is read-only.

Next step
This is a valid, narrow-looking regression but it is security-sensitive and conflicts with recent fail-closed policy, so it should be routed to gateway/security owners rather than an automated fix lane.

Security
Needs attention: The issue changes a gateway auth boundary, so restoring or replacing the fallback needs explicit security-owner review.

Review details

Best possible solution:

Gateway/security owners should settle the intended contract, then either restore the documented loopback password fallback with regression coverage or update docs and implement the separate local service-identity path tracked by the RFC.

Do we have a high-confidence way to reproduce the issue?

Yes, source-level: current main returns the trusted-proxy failure before password auth, and current tests assert valid loopback password credentials are rejected. I did not run a live gateway because this review is read-only.

Is this the best way to solve the issue?

Unclear. The requested fallback matches current docs and prior compatibility work, but it conflicts with a recent fail-closed security change, so the best fix needs owner policy review before code changes.

Security concerns:

• [medium] Resolve trusted-proxy fallback policy before patching — src/gateway/auth.ts:453
  Re-enabling local password fallback would allow a second auth path under trusted-proxy mode, while keeping fail-closed breaks documented internal callers; either direction must be coordinated across auth code, tests, docs, and credential planning.
  Confidence: 0.92

Acceptance criteria:

• node scripts/run-vitest.mjs src/gateway/auth.test.ts
• node scripts/run-vitest.mjs src/gateway/credentials.test.ts
• node scripts/run-vitest.mjs src/gateway/call.test.ts
• pnpm docs:list before any docs edits, then targeted docs sanity
• Crabbox/Testbox changed checks before handoff if auth/docs/schema behavior changes

What I checked:

• Current auth short-circuits before password auth: In trusted-proxy mode, authorizeGatewayConnectCore runs authorizeTrustedProxy and returns the trusted-proxy failure reason before reaching the later password branch. (src/gateway/auth.ts:453, 6a65ea8c3ac1)
• Current tests encode the reported rejection: The local-direct trusted-proxy tests now expect valid and invalid password credentials to be ignored when trusted-proxy auth fails. (src/gateway/auth.test.ts:1027, 6a65ea8c3ac1)
• Docs still promise password fallback: Trusted-proxy docs and configuration reference say internal callers that bypass the proxy may authenticate with gateway.auth.password / OPENCLAW_GATEWAY_PASSWORD, and forwarded-header evidence is the carve-out that disqualifies local-direct fallback. Public docs: docs/gateway/trusted-proxy-auth.md. (docs/gateway/trusted-proxy-auth.md:99, 6a65ea8c3ac1)
• Recent history removed the fallback: Commit 84dd9c7 removed the localDirect password fallback block from src/gateway/auth.ts and changed tests from accepting password fallback to rejecting it. (src/gateway/auth.ts:480, 84dd9c73953b)
• Prior history added the documented fallback: Commit 1a98938 added local-direct password fallback code, matching tests, and docs wording for the trusted-proxy internal-caller path. (src/gateway/auth.ts:461, 1a98938479b3)
• Related canonical design thread remains open: Search found open RFC [RFC] Separate internal service identity from user auth in OpenClaw gateway #69066 for separating internal service identity from user auth; it explicitly covers trusted-proxy loopback/internal callers and notes the docs/runtime conflict.

Likely related people:

• steipete: Auth history shows this person added the documented password fallback in 1a98938 and later removed it in 84dd9c7, so they are central to the current policy conflict. (role: recent auth policy contributor; confidence: high; commits: 1a98938479b3, 84dd9c73953b, c7ec657e0dca; files: src/gateway/auth.ts, src/gateway/auth.test.ts, docs/gateway/trusted-proxy-auth.md)
• vincentkoc: Recent commits changed explicit loopback trusted-proxy behavior and trusted-proxy docs in the same area, including allowLoopback semantics. (role: recent trusted-proxy contributor; confidence: high; commits: 7b18bd03bb6c, 64a7a34c8334, 6b3f99a11f4d; files: src/gateway/auth.ts, src/gateway/auth.test.ts, docs/gateway/trusted-proxy-auth.md)
• nickytonline: Commit 1fb52b4 introduced trusted-proxy auth mode, tests, config types, schema, and docs; this handle also commented on the related service-identity RFC direction. (role: original feature introducer and design reviewer; confidence: high; commits: 1fb52b4d7bce; files: src/gateway/auth.ts, src/gateway/auth.test.ts, src/config/types.gateway.ts)
• pgondhi987: Commit 26c7da2 recently hardened trusted-proxy source validation and tests around the same authorizeTrustedProxy path. (role: recent adjacent hardening contributor; confidence: medium; commits: 26c7da2d02ed; files: src/gateway/auth.ts, src/gateway/auth.test.ts)

Remaining risk / open question:

• Restoring the documented password fallback would undo a recent fail-closed auth hardening that was recorded as fixing [Bug]: gateway.auth.mode=trusted-proxy still accepts local password auth fallback when OPENCLAW_GATEWAY_PASSWORD (or gateway.auth.password) is set #78684.
• Leaving the implementation as-is without docs changes keeps a user-visible contract mismatch for internal same-host callers.
• A broader service-identity fix is tracked in [RFC] Separate internal service identity from user auth in OpenClaw gateway #69066, but that design is not implemented yet.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 6a65ea8c3ac1.

[joshavant]

Thanks @esqandil for the detailed report and repro notes.

This was a real docs/runtime mismatch. The gateway had previously documented a same-host local-direct gateway.auth.password fallback for trusted-proxy deployments, but a later fail-closed change in #78684 removed that runtime path. That meant clean loopback callers with the configured password were rejected at the trusted-proxy required-header check with trusted_proxy_missing_header_*, matching what you reported.

We revisited the policy and landed #82953: trusted-proxy mode now allows password fallback only for clean same-host direct requests with no proxy/forwarded-header evidence. Token fallback remains rejected, and requests carrying Forwarded, X-Forwarded-*, or X-Real-IP stay on the trusted-proxy path.

The fix included focused auth regression tests, docs updates, and AWS Crabbox E2E proof that openclaw gateway call health succeeds in the reported local-direct trusted-proxy/password setup. Closing this as fixed by #82953 / 7d99f8b.