fix: enforce ws3 roles + node allowlist

2026-01-20 09:23:56 +00:00
parent 32a668e4d9
commit 9dbc1435a6
27 changed files with 3096 additions and 40 deletions
--- a/src/commands/onboard-non-interactive.gateway-auth.test.ts
+++ b/src/commands/onboard-non-interactive.gateway-auth.test.ts
@@ -6,6 +6,12 @@ import path from "node:path";
 import { describe, expect, it, vi } from "vitest";
 import { WebSocket } from "ws";

+import {
+  loadOrCreateDeviceIdentity,
+  publicKeyRawBase64UrlFromPem,
+  signDevicePayload,
+} from "../infra/device-identity.js";
+import { buildDeviceAuthPayload } from "../gateway/device-auth.js";
 import { PROTOCOL_VERSION } from "../gateway/protocol/index.js";
 import { rawDataToString } from "../infra/ws.js";
 import { GATEWAY_CLIENT_MODES, GATEWAY_CLIENT_NAMES } from "../utils/message-channel.js";
@@ -58,6 +64,23 @@ async function onceMessage<T = unknown>(
 async function connectReq(params: { url: string; token?: string }) {
  const ws = new WebSocket(params.url);
  await new Promise<void>((resolve) => ws.once("open", resolve));
+  const identity = loadOrCreateDeviceIdentity();
+  const signedAtMs = Date.now();
+  const payload = buildDeviceAuthPayload({
+    deviceId: identity.deviceId,
+    clientId: GATEWAY_CLIENT_NAMES.TEST,
+    clientMode: GATEWAY_CLIENT_MODES.TEST,
+    role: "operator",
+    scopes: [],
+    signedAtMs,
+    token: params.token ?? null,
+  });
+  const device = {
+    id: identity.deviceId,
+    publicKey: publicKeyRawBase64UrlFromPem(identity.publicKeyPem),
+    signature: signDevicePayload(identity.privateKeyPem, payload),
+    signedAt: signedAtMs,
+  };
  ws.send(
    JSON.stringify({
      type: "req",
@@ -75,6 +98,7 @@ async function connectReq(params: { url: string; token?: string }) {
        },
        caps: [],
        auth: params.token ? { token: params.token } : undefined,
+        device,
      },
    }),
  );
--- a/src/commands/onboard-non-interactive.lan-auto-token.test.ts
+++ b/src/commands/onboard-non-interactive.lan-auto-token.test.ts
@@ -6,6 +6,12 @@ import path from "node:path";
 import { describe, expect, it, vi } from "vitest";
 import { WebSocket } from "ws";

+import {
+  loadOrCreateDeviceIdentity,
+  publicKeyRawBase64UrlFromPem,
+  signDevicePayload,
+} from "../infra/device-identity.js";
+import { buildDeviceAuthPayload } from "../gateway/device-auth.js";
 import { PROTOCOL_VERSION } from "../gateway/protocol/index.js";
 import { getFreePort as getFreeTestPort } from "../gateway/test-helpers.js";
 import { rawDataToString } from "../infra/ws.js";
@@ -64,6 +70,23 @@ async function onceMessage<T = unknown>(
 async function connectReq(params: { url: string; token?: string }) {
  const ws = new WebSocket(params.url);
  await new Promise<void>((resolve) => ws.once("open", resolve));
+  const identity = loadOrCreateDeviceIdentity();
+  const signedAtMs = Date.now();
+  const payload = buildDeviceAuthPayload({
+    deviceId: identity.deviceId,
+    clientId: GATEWAY_CLIENT_NAMES.TEST,
+    clientMode: GATEWAY_CLIENT_MODES.TEST,
+    role: "operator",
+    scopes: [],
+    signedAtMs,
+    token: params.token ?? null,
+  });
+  const device = {
+    id: identity.deviceId,
+    publicKey: publicKeyRawBase64UrlFromPem(identity.publicKeyPem),
+    signature: signDevicePayload(identity.privateKeyPem, payload),
+    signedAt: signedAtMs,
+  };
  ws.send(
    JSON.stringify({
      type: "req",
@@ -81,6 +104,7 @@ async function connectReq(params: { url: string; token?: string }) {
        },
        caps: [],
        auth: params.token ? { token: params.token } : undefined,
+        device,
      },
    }),
  );