Security: default gateway auth bootstrap and explicit mode none (#20686)

Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: be1b73182c Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Reviewed-by: @gumadeiras
2026-05-08 17:28:28 +00:00 · 2026-02-19 02:35:50 -05:00
parent a2e846f649
commit c5698caca3
18 changed files with 678 additions and 77 deletions
--- a/src/gateway/auth.ts
+++ b/src/gateway/auth.ts
@@ -20,9 +20,16 @@ import {
 } from "./net.js";

 export type ResolvedGatewayAuthMode = "none" | "token" | "password" | "trusted-proxy";
+export type ResolvedGatewayAuthModeSource =
+  | "override"
+  | "config"
+  | "password"
+  | "token"
+  | "default";

 export type ResolvedGatewayAuth = {
  mode: ResolvedGatewayAuthMode;
+  modeSource?: ResolvedGatewayAuthModeSource;
  token?: string;
  password?: string;
  allowTailscale: boolean;
@@ -178,24 +185,55 @@ async function resolveVerifiedTailscaleUser(params: {

 export function resolveGatewayAuth(params: {
  authConfig?: GatewayAuthConfig | null;
+  authOverride?: GatewayAuthConfig | null;
  env?: NodeJS.ProcessEnv;
  tailscaleMode?: GatewayTailscaleMode;
 }): ResolvedGatewayAuth {
-  const authConfig = params.authConfig ?? {};
+  const baseAuthConfig = params.authConfig ?? {};
+  const authOverride = params.authOverride ?? undefined;
+  const authConfig: GatewayAuthConfig = { ...baseAuthConfig };
+  if (authOverride) {
+    if (authOverride.mode !== undefined) {
+      authConfig.mode = authOverride.mode;
+    }
+    if (authOverride.token !== undefined) {
+      authConfig.token = authOverride.token;
+    }
+    if (authOverride.password !== undefined) {
+      authConfig.password = authOverride.password;
+    }
+    if (authOverride.allowTailscale !== undefined) {
+      authConfig.allowTailscale = authOverride.allowTailscale;
+    }
+    if (authOverride.rateLimit !== undefined) {
+      authConfig.rateLimit = authOverride.rateLimit;
+    }
+    if (authOverride.trustedProxy !== undefined) {
+      authConfig.trustedProxy = authOverride.trustedProxy;
+    }
+  }
  const env = params.env ?? process.env;
  const token = authConfig.token ?? env.OPENCLAW_GATEWAY_TOKEN ?? undefined;
  const password = authConfig.password ?? env.OPENCLAW_GATEWAY_PASSWORD ?? undefined;
  const trustedProxy = authConfig.trustedProxy;

  let mode: ResolvedGatewayAuth["mode"];
-  if (authConfig.mode) {
+  let modeSource: ResolvedGatewayAuth["modeSource"];
+  if (authOverride?.mode !== undefined) {
+    mode = authOverride.mode;
+    modeSource = "override";
+  } else if (authConfig.mode) {
    mode = authConfig.mode;
+    modeSource = "config";
  } else if (password) {
    mode = "password";
+    modeSource = "password";
  } else if (token) {
    mode = "token";
+    modeSource = "token";
  } else {
-    mode = "none";
+    mode = "token";
+    modeSource = "default";
  }

  const allowTailscale =
@@ -204,6 +242,7 @@ export function resolveGatewayAuth(params: {

  return {
    mode,
+    modeSource,
    token,
    password,
    allowTailscale,
@@ -317,6 +356,10 @@ export async function authorizeGatewayConnect(params: {
    return { ok: false, reason: result.reason };
  }

+  if (auth.mode === "none") {
+    return { ok: true, method: "none" };
+  }
+
  const limiter = params.rateLimiter;
  const ip =
    params.clientIp ?? resolveRequestClientIp(req, trustedProxies) ?? req?.socket?.remoteAddress;