fix(ui): keep shared auth on insecure control-ui connects (#45088)

Merged via squash. Prepared head SHA: 99eb3fd928 Co-authored-by: velvet-shark <126378+velvet-shark@users.noreply.github.com> Co-authored-by: velvet-shark <126378+velvet-shark@users.noreply.github.com> Reviewed-by: @velvet-shark
2026-04-19 00:17:27 +00:00 · 2026-03-13 14:25:31 +01:00
parent 3cf06f7939
commit 0a3b9a9a09
3 changed files with 80 additions and 3 deletions
--- a/ui/src/ui/gateway.node.test.ts
+++ b/ui/src/ui/gateway.node.test.ts
@@ -113,6 +113,12 @@ function getLatestWebSocket(): MockWebSocket {
  return ws;
 }

+function stubInsecureCrypto() {
+  vi.stubGlobal("crypto", {
+    randomUUID: () => "req-insecure",
+  });
+}
+
 describe("GatewayBrowserClient", () => {
  beforeEach(() => {
    const storage = createStorageMock();
@@ -176,6 +182,72 @@ describe("GatewayBrowserClient", () => {
    expect(signedPayload).not.toContain("stored-device-token");
  });

+  it("sends explicit shared token on insecure first connect without cached device fallback", async () => {
+    stubInsecureCrypto();
+    const client = new GatewayBrowserClient({
+      url: "ws://gateway.example:18789",
+      token: "shared-auth-token",
+    });
+
+    client.start();
+    const ws = getLatestWebSocket();
+    ws.emitOpen();
+    ws.emitMessage({
+      type: "event",
+      event: "connect.challenge",
+      payload: { nonce: "nonce-1" },
+    });
+    await vi.waitFor(() => expect(ws.sent.length).toBeGreaterThan(0));
+
+    const connectFrame = JSON.parse(ws.sent.at(-1) ?? "{}") as {
+      id?: string;
+      method?: string;
+      params?: { auth?: { token?: string; password?: string; deviceToken?: string } };
+    };
+    expect(connectFrame.id).toBe("req-insecure");
+    expect(connectFrame.method).toBe("connect");
+    expect(connectFrame.params?.auth).toEqual({
+      token: "shared-auth-token",
+      password: undefined,
+      deviceToken: undefined,
+    });
+    expect(loadOrCreateDeviceIdentityMock).not.toHaveBeenCalled();
+    expect(signDevicePayloadMock).not.toHaveBeenCalled();
+  });
+
+  it("sends explicit shared password on insecure first connect without cached device fallback", async () => {
+    stubInsecureCrypto();
+    const client = new GatewayBrowserClient({
+      url: "ws://gateway.example:18789",
+      password: "shared-password", // pragma: allowlist secret
+    });
+
+    client.start();
+    const ws = getLatestWebSocket();
+    ws.emitOpen();
+    ws.emitMessage({
+      type: "event",
+      event: "connect.challenge",
+      payload: { nonce: "nonce-1" },
+    });
+    await vi.waitFor(() => expect(ws.sent.length).toBeGreaterThan(0));
+
+    const connectFrame = JSON.parse(ws.sent.at(-1) ?? "{}") as {
+      id?: string;
+      method?: string;
+      params?: { auth?: { token?: string; password?: string; deviceToken?: string } };
+    };
+    expect(connectFrame.id).toBe("req-insecure");
+    expect(connectFrame.method).toBe("connect");
+    expect(connectFrame.params?.auth).toEqual({
+      token: undefined,
+      password: "shared-password", // pragma: allowlist secret
+      deviceToken: undefined,
+    });
+    expect(loadOrCreateDeviceIdentityMock).not.toHaveBeenCalled();
+    expect(signDevicePayloadMock).not.toHaveBeenCalled();
+  });
+
  it("uses cached device tokens only when no explicit shared auth is provided", async () => {
    const client = new GatewayBrowserClient({
      url: "ws://127.0.0.1:18789",
--- a/ui/src/ui/gateway.ts
+++ b/ui/src/ui/gateway.ts
@@ -244,8 +244,14 @@ export class GatewayBrowserClient {

    const scopes = ["operator.admin", "operator.approvals", "operator.pairing"];
    const role = "operator";
+    const explicitGatewayToken = this.opts.token?.trim() || undefined;
+    const explicitPassword = this.opts.password?.trim() || undefined;
    let deviceIdentity: Awaited<ReturnType<typeof loadOrCreateDeviceIdentity>> | null = null;
-    let selectedAuth: SelectedConnectAuth = { canFallbackToShared: false };
+    let selectedAuth: SelectedConnectAuth = {
+      authToken: explicitGatewayToken,
+      authPassword: explicitPassword,
+      canFallbackToShared: false,
+    };

    if (isSecureContext) {
      deviceIdentity = await loadOrCreateDeviceIdentity();
@@ -257,7 +263,6 @@ export class GatewayBrowserClient {
        this.pendingDeviceTokenRetry = false;
      }
    }
-    const explicitGatewayToken = this.opts.token?.trim() || undefined;
    const authToken = selectedAuth.authToken;
    const deviceToken = selectedAuth.authDeviceToken ?? selectedAuth.resolvedDeviceToken;
    const auth =