fix: require gateway auth by default

2026-05-08 10:11:24 +00:00 · 2026-01-26 12:56:33 +00:00
parent fd9be79be1
commit c4a80f4edb
16 changed files with 103 additions and 49 deletions
--- a/src/gateway/test-helpers.server.ts
+++ b/src/gateway/test-helpers.server.ts
@@ -111,7 +111,7 @@ async function resetGatewayTestState(options: { uniqueConfigRoot: boolean }) {
  sessionStoreSaveDelayMs.value = 0;
  testTailnetIPv4.value = undefined;
  testState.gatewayBind = undefined;
-  testState.gatewayAuth = undefined;
+  testState.gatewayAuth = { mode: "token", token: "test-gateway-token-1234567890" };
  testState.gatewayControlUi = undefined;
  testState.hooksConfig = undefined;
  testState.canvasHostPort = undefined;
@@ -260,10 +260,15 @@ export async function startGatewayServer(port: number, opts?: GatewayServerOptio
 export async function startServerWithClient(token?: string, opts?: GatewayServerOptions) {
  let port = await getFreePort();
  const prev = process.env.CLAWDBOT_GATEWAY_TOKEN;
-  if (token === undefined) {
+  const fallbackToken =
+    token ??
+    (typeof (testState.gatewayAuth as { token?: unknown } | undefined)?.token === "string"
+      ? (testState.gatewayAuth as { token?: string }).token
+      : undefined);
+  if (fallbackToken === undefined) {
    delete process.env.CLAWDBOT_GATEWAY_TOKEN;
  } else {
-    process.env.CLAWDBOT_GATEWAY_TOKEN = token;
+    process.env.CLAWDBOT_GATEWAY_TOKEN = fallbackToken;
  }

  let server: Awaited<ReturnType<typeof startGatewayServer>> | null = null;
@@ -299,6 +304,7 @@ export async function connectReq(
  opts?: {
    token?: string;
    password?: string;
+    skipDefaultAuth?: boolean;
    minProtocol?: number;
    maxProtocol?: number;
    client?: {
@@ -334,6 +340,20 @@ export async function connectReq(
    mode: GATEWAY_CLIENT_MODES.TEST,
  };
  const role = opts?.role ?? "operator";
+  const defaultToken =
+    opts?.skipDefaultAuth === true
+      ? undefined
+      : typeof (testState.gatewayAuth as { token?: unknown } | undefined)?.token === "string"
+        ? ((testState.gatewayAuth as { token?: string }).token ?? undefined)
+        : process.env.CLAWDBOT_GATEWAY_TOKEN;
+  const defaultPassword =
+    opts?.skipDefaultAuth === true
+      ? undefined
+      : typeof (testState.gatewayAuth as { password?: unknown } | undefined)?.password === "string"
+        ? ((testState.gatewayAuth as { password?: string }).password ?? undefined)
+        : process.env.CLAWDBOT_GATEWAY_PASSWORD;
+  const token = opts?.token ?? defaultToken;
+  const password = opts?.password ?? defaultPassword;
  const requestedScopes = Array.isArray(opts?.scopes) ? opts?.scopes : [];
  const device = (() => {
    if (opts?.device === null) return undefined;
@@ -347,7 +367,7 @@ export async function connectReq(
      role,
      scopes: requestedScopes,
      signedAtMs,
-      token: opts?.token ?? null,
+      token: token ?? null,
    });
    return {
      id: identity.deviceId,
@@ -372,10 +392,10 @@ export async function connectReq(
        role,
        scopes: opts?.scopes,
        auth:
-          opts?.token || opts?.password
+          token || password
            ? {
-                token: opts?.token,
-                password: opts?.password,
+                token,
+                password,
              }
            : undefined,
        device,