PR #44486: fix(gateway): honor dangerouslyDisableDeviceAuth regardless of sharedAuthOk

• Repository: openclaw/openclaw
• Author: JasonOA888
• State: open | merged: False
• Link: https://github.com/openclaw/openclaw/pull/44486

Description (problem / solution / changelog)

Fixes #44485

Problem

After upgrading from 2026.3.8 to 2026.3.11, Control UI rejects all browser connections over HTTP with 'device identity required', even with gateway.controlUi.dangerouslyDisableDeviceAuth: true.

Root Cause

Commit 8d1481cb4 changed shouldSkipControlUiPairing() to require BOTH:

1. dangerouslyDisableDeviceAuth: true
2. sharedAuthOk: true

But on HTTP-only deployments, sharedAuthOk is often false (no token/password). This defeats the purpose of the flag.

Solution

When dangerouslyDisableDeviceAuth: true, skip pairing entirely regardless of sharedAuthOk.

Testing

• Unit test updated
• HTTP-only deployments can use Control UI again

Impact

Restores Control UI access for HTTP deployments behind reverse proxies.

Changed files

• src/agents/pi-embedded-helpers/errors.ts (modified, +8/-0)
• src/gateway/server/ws-connection/connect-policy.test.ts (modified, +4/-2)
• src/gateway/server/ws-connection/connect-policy.ts (modified, +14/-2)

---

PR #45070: fix(gateway): always resolve device token for fallback auth during SPA navigation

• Repository: openclaw/openclaw
• Author: openperf
• State: closed | merged: False
• Link: https://github.com/openclaw/openclaw/pull/45070

Description (problem / solution / changelog)

Summary

The gateway connect-auth logic suppresses the stored device token whenever an explicit shared token or password is present. This means the auth.deviceToken field in the WebSocket connect frame is empty when the user connects via a dashboard token URL.

After SPA navigation or a page refresh strips the shared token from the URL hash, the next reconnect attempt has neither a shared token nor a device token, causing the gateway to reject with device identity required (close code 1008).

This PR fixes the root cause by resolving the stored device token independently of shared credentials, so auth.deviceToken is always populated when a device identity exists. The gateway server already supports deviceToken fallback when the shared token is absent or invalid (see the server auth matrix test "uses explicit auth.deviceToken fallback when shared token is wrong").

What changed

Production code (2 files)

Test code (2 files)

Root cause analysis

The issue was first reported in #39611 and traced to three interacting bugs by @NetZlash:

1. Bug 1 — resolvedDeviceToken guard in selectConnectAuth() discards the stored device token when any shared credential is present
2. Bug 2 — The browser client's auth object omits deviceToken when only a device token (no shared token/password) is available
3. Bug 3 — SPA navigation drops the URL hash token on same-tab reload

PR #40892 addressed Bug 3 via sessionStorage persistence, but Bugs 1 and 2 remain unfixed on main. This is confirmed by:

• Users still reporting "device identity required" on v2026.3.12 (#39611 comments from @YIwanT, @ricardopera)
• #39667 (device signature invalid) remaining open
• #44485 (dangerouslyDisableDeviceAuth ignored in v2026.3.11) opened today
• #44967 (LAN token-only access rejected on v2026.3.12) opened today

This PR fixes Bugs 1 and 2 at the gateway layer, complementing the UI-layer fix in #40892.

How to test

1. Start gateway with token auth: openclaw dashboard --no-open
2. Open the token URL in browser — Control UI connects
3. Navigate to Sessions → click a session → should stay connected (previously disconnected with 1008)
4. Refresh the page → should reconnect using the device token fallback
5. Open a new tab with the base URL (no token hash) → should still connect if device was previously paired

Related issues

• Fixes #39667
• Refs #39611, #44485, #44967
• Supersedes #39639 (my earlier PR, closed as superseded by #40892 — this PR is scoped to the remaining gateway-layer bugs)

Changed files

• src/gateway/client.test.ts (modified, +19/-5)
• src/gateway/client.ts (modified, +9/-2)
• ui/src/ui/gateway.node.test.ts (modified, +7/-2)
• ui/src/ui/gateway.ts (modified, +8/-4)

---

PR #45088: fix(ui): keep shared auth on insecure control-ui connects

• Repository: openclaw/openclaw
• Author: velvet-shark
• State: closed | merged: True
• Link: https://github.com/openclaw/openclaw/pull/45088

Description (problem / solution / changelog)

Summary

• Problem: plain-HTTP Control UI sessions behind LAN and reverse-proxy setups were dropping explicit shared token/password auth before the first WebSocket connect frame, so the gateway rejected them with device identity required.
• Why it matters: this broke the intended allowInsecureAuth + dangerouslyDisableDeviceAuth token flow for self-hosted HTTP deployments even though same-tab refresh/navigation had already been fixed separately.
• What changed: initialize Control UI connect auth from the explicit shared token/password before the secure-context device-auth branch, and add regression tests for insecure token/password connects.
• What did NOT change (scope boundary): cached device-token fallback is still limited to the existing trusted retry path, and this PR does not change the #40892 sessionStorage same-tab behavior or add any cross-tab token sharing.

Change Type (select all)

• Bug fix
• Feature
• Refactor
• Docs
• Security hardening
• Chore/infra

Scope (select all touched areas)

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes #44485
• Closes #44967
• Related #39611
• Related #40892
• Related #45070

User-visible / Behavior Changes

• Control UI now preserves explicit shared token auth on insecure http:// first-connect flows instead of dropping auth before the first WebSocket handshake.
• Control UI now preserves explicit shared password auth on the same insecure first-connect path.
• Cached device tokens are still not sent on the insecure first connect.

Security Impact (required)

• New permissions/capabilities? (No)
• Secrets/tokens handling changed? (Yes)
• New/changed network calls? (No)
• Command/tool execution surface changed? (No)
• Data access scope changed? (No)
• If any Yes, explain risk + mitigation:

This restores the explicit token/password that the operator already supplied to the existing first-connect frame on insecure Control UI sessions. It does not broaden cached device-token fallback, does not add storage, and keeps the trusted retry boundary unchanged.

Repro + Verification

Environment

• OS: macOS 15.7.4 (arm64)
• Runtime/container: Control UI Vitest projects + local runtime repro script
• Model/provider: N/A
• Integration/channel (if any): Control UI
• Relevant config (redacted): gateway.auth.mode: "token", gateway.controlUi.allowInsecureAuth: true, gateway.controlUi.dangerouslyDisableDeviceAuth: true

Steps

1. Open the Control UI over plain HTTP with an explicit shared token or password configured.
2. Let the browser receive the WebSocket connect.challenge event.
3. Inspect the first connect request payload.

Expected

• The first connect frame includes the explicit shared token or password.
• No cached device token is sent on that insecure first connect.

Actual

• Before this fix, insecure contexts built the first connect frame from an empty auth selection state, so params.auth was omitted entirely.

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers (if relevant)

Human Verification (required)

What you personally verified (not just CI), and how:

• Verified scenarios:
  • insecure http:// connect with explicit shared token now sends auth.token
  • insecure http:// connect with explicit shared password now sends auth.password
  • existing trusted one-shot device-token retry tests still pass unchanged
  • existing same-tab navigation/refresh browser tests from #40892 still pass
• Edge cases checked:
  • insecure first-connect still omits cached deviceToken
  • secure-context explicit shared auth still signs with the shared token rather than the cached device token
• What you did not verify:
  • a manual live repro against a remote VPS/reverse-proxy deployment

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

If a bot review conversation is addressed by this PR, resolve that conversation yourself. Do not leave bot review conversation cleanup for maintainers.

Compatibility / Migration

• Backward compatible? (Yes)
• Config/env changes? (No)
• Migration needed? (No)
• If yes, exact upgrade steps:

Failure Recovery (if this breaks)

• How to disable/revert this change quickly: revert commit 60abd798cffa99a9f03ac9936c47e8dc3f87deca
• Files/config to restore: ui/src/ui/gateway.ts and ui/src/ui/gateway.node.test.ts
• Known bad symptoms reviewers should watch for: insecure HTTP Control UI connects still fail with device identity required, or cached device tokens start appearing on the first insecure connect

Risks and Mitigations

• Risk: restoring explicit shared auth on insecure contexts could accidentally reintroduce cached device-token fallback on the same path.
  • Mitigation: the new tests assert token/password presence while also asserting deviceToken stays absent.

Changed files

• CHANGELOG.md (modified, +1/-1)
• ui/src/ui/gateway.node.test.ts (modified, +72/-0)
• ui/src/ui/gateway.ts (modified, +7/-2)