github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 00:01:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: Control UI Insecure Auth Bypass Allows Token-Only Auth Over HTTP (#20684)

Browse Source 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: ad9be4b4d6
Co-authored-by: coygeek <65363919+coygeek@users.noreply.github.com>
Co-authored-by: mbelinky <132747814+mbelinky@users.noreply.github.com>
Reviewed-by: @mbelinky
This commit is contained in:
Coy Geek
2026-02-20 09:34:34 -08:00
committed by GitHub
parent fe3215092c
commit 40a292619e
4 changed files with 32 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/security/audit.ts
View File

@@ -351,7 +351,7 @@ function collectGatewayConfigFindings(
severity: "critical",
title: "Control UI allows insecure HTTP auth",
detail:
"gateway.controlUi.allowInsecureAuth=true allows token-only auth over HTTP and skips device identity.",
"gateway.controlUi.allowInsecureAuth=true is a legacy insecure-auth toggle; Control UI still enforces secure context and device identity unless dangerouslyDisableDeviceAuth is enabled.",
remediation: "Disable it or switch to HTTPS (Tailscale Serve) or localhost.",
});
}