github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-18 06:47:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor(gateway)!: remove legacy v1 device-auth handshake

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-22 09:26:49 +01:00
parent ed38b50fa5
commit 8887f41d7d
17 changed files with 404 additions and 210 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docs/concepts/architecture.md
View File

@@ -97,8 +97,8 @@ sequenceDiagram
for subsequent connects.
- **Local** connects (loopback or the gateway hosts own tailnet address) can be
autoapproved to keep samehost UX smooth.
- **Nonlocal** connects must sign the `connect.challenge` nonce and require
explicit approval.
- All connects must sign the `connect.challenge` nonce.
- **Nonlocal** connects still require explicit approval.
- Gateway auth (`gateway.auth.*`) still applies to **all** connections, local or
remote.

2
docs/gateway/protocol.md
View File

@@ -206,7 +206,7 @@ The Gateway treats these as **claims** and enforces server-side allowlists.
- All WS clients must include `device` identity during `connect` (operator + node).
Control UI can omit it **only** when `gateway.controlUi.dangerouslyDisableDeviceAuth`
is enabled for break-glass use.
- Non-local connections must sign the server-provided `connect.challenge` nonce.
- All connections must sign the server-provided `connect.challenge` nonce.
## TLS + pinning