fix(gateway): default-deny missing connect scopes

2026-05-07 16:51:25 +00:00 · 2026-02-09 21:32:51 -06:00
parent 27453f5a31
commit cfd112952e
5 changed files with 184 additions and 24 deletions
--- a/src/gateway/server/ws-connection/message-handler.ts
+++ b/src/gateway/server/ws-connection/message-handler.ts
@@ -356,13 +356,8 @@ export function attachGatewayWsMessageHandler(params: {
          close(1008, "invalid role");
          return;
        }
-        const requestedScopes = Array.isArray(connectParams.scopes) ? connectParams.scopes : [];
-        const scopes =
-          requestedScopes.length > 0
-            ? requestedScopes
-            : role === "operator"
-              ? ["operator.admin"]
-              : [];
+        // Default-deny: scopes must be explicit. Empty/missing scopes means no permissions.
+        const scopes = Array.isArray(connectParams.scopes) ? connectParams.scopes : [];
        connectParams.role = role;
        connectParams.scopes = scopes;

@@ -586,7 +581,7 @@ export function attachGatewayWsMessageHandler(params: {
            clientId: connectParams.client.id,
            clientMode: connectParams.client.mode,
            role,
-            scopes: requestedScopes,
+            scopes,
            signedAtMs: signedAt,
            token: connectParams.auth?.token ?? null,
            nonce: providedNonce || undefined,
@@ -600,7 +595,7 @@ export function attachGatewayWsMessageHandler(params: {
              clientId: connectParams.client.id,
              clientMode: connectParams.client.mode,
              role,
-              scopes: requestedScopes,
+              scopes,
              signedAtMs: signedAt,
              token: connectParams.auth?.token ?? null,
              version: "v1",