fix (security/gateway): preserve control-ui scopes in bypass mode

2026-04-18 13:07:28 +00:00 · 2026-02-15 19:12:06 -08:00
parent a203430aa3
commit eed02a2b57
2 changed files with 4 additions and 1 deletions
--- a/src/gateway/server.auth.e2e.test.ts
+++ b/src/gateway/server.auth.e2e.test.ts
@@ -687,6 +687,7 @@ describe("gateway server auth/connect", () => {
        };
        const res = await connectReq(ws, {
          token: "secret",
+          scopes: ["operator.read"],
          device,
          client: {
            id: GATEWAY_CLIENT_NAMES.CONTROL_UI,
@@ -697,6 +698,8 @@ describe("gateway server auth/connect", () => {
        });
        expect(res.ok).toBe(true);
        expect((res.payload as { auth?: unknown } | undefined)?.auth).toBeUndefined();
+        const health = await rpcReq(ws, "health");
+        expect(health.ok).toBe(true);
        ws.close();
      });
    } finally {
--- a/src/gateway/server/ws-connection/message-handler.ts
+++ b/src/gateway/server/ws-connection/message-handler.ts
@@ -427,7 +427,7 @@ export function attachGatewayWsMessageHandler(params: {
          close(1008, truncateCloseReason(authMessage));
        };
        if (!device) {
-          if (scopes.length > 0) {
+          if (scopes.length > 0 && !allowControlUiBypass) {
            scopes = [];
            connectParams.scopes = scopes;
          }