From b9098f340112e14f9fc52e55c283ae2ec0d4d093 Mon Sep 17 00:00:00 2001 From: Peter Steinberger Date: Mon, 26 Jan 2026 17:44:13 +0000 Subject: [PATCH] fix: remove unsupported gateway auth off option --- CHANGELOG.md | 1 + docs/cli/index.md | 2 +- docs/gateway/troubleshooting.md | 2 +- src/cli/program/register.onboard.ts | 2 +- src/commands/configure.gateway-auth.test.ts | 20 ++++++------------- src/commands/configure.gateway-auth.ts | 5 +---- src/commands/configure.gateway.ts | 12 +---------- .../onboard-non-interactive.gateway.test.ts | 3 +-- .../local/gateway-config.ts | 10 +++++++--- src/commands/onboard-types.ts | 2 +- src/wizard/onboarding.gateway-config.ts | 11 ---------- src/wizard/onboarding.ts | 1 - 12 files changed, 21 insertions(+), 50 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f3955b1fb..20e14f73d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -52,6 +52,7 @@ Status: unreleased. - Web UI: improve WebChat image paste previews and allow image-only sends. (#1925) Thanks @smartprogrammer93. - Security: wrap external hook content by default with a per-hook opt-out. (#1827) Thanks @mertcicekci0. - Gateway: default auth now fail-closed (token/password required; Tailscale Serve identity remains allowed). +- Onboarding: remove unsupported gateway auth "off" choice from onboarding/configure flows and CLI flags. ## 2026.1.24-3 diff --git a/docs/cli/index.md b/docs/cli/index.md index d23ee3a5e..9a72322e2 100644 --- a/docs/cli/index.md +++ b/docs/cli/index.md @@ -314,7 +314,7 @@ Options: - `--opencode-zen-api-key ` - `--gateway-port ` - `--gateway-bind ` -- `--gateway-auth ` +- `--gateway-auth ` - `--gateway-token ` - `--gateway-password ` - `--remote-url ` diff --git a/docs/gateway/troubleshooting.md b/docs/gateway/troubleshooting.md index 24815e258..5cbffd815 100644 --- a/docs/gateway/troubleshooting.md +++ b/docs/gateway/troubleshooting.md @@ -214,7 +214,7 @@ the Gateway likely refused to bind. - Fix: run `clawdbot doctor` to update it (or `clawdbot gateway install --force` for a full rewrite). **If `Last gateway error:` mentions “refusing to bind … without auth”** -- You set `gateway.bind` to a non-loopback mode (`lan`/`tailnet`/`custom`, or `auto` when loopback is unavailable) but left auth off. +- You set `gateway.bind` to a non-loopback mode (`lan`/`tailnet`/`custom`, or `auto` when loopback is unavailable) but didn’t configure auth. - Fix: set `gateway.auth.mode` + `gateway.auth.token` (or export `CLAWDBOT_GATEWAY_TOKEN`) and restart the service. **If `clawdbot gateway status` says `bind=tailnet` but no tailnet interface was found** diff --git a/src/cli/program/register.onboard.ts b/src/cli/program/register.onboard.ts index ee9d5ccd2..a2d5d4a66 100644 --- a/src/cli/program/register.onboard.ts +++ b/src/cli/program/register.onboard.ts @@ -78,7 +78,7 @@ export function registerOnboardCommand(program: Command) { .option("--opencode-zen-api-key ", "OpenCode Zen API key") .option("--gateway-port ", "Gateway port") .option("--gateway-bind ", "Gateway bind: loopback|tailnet|lan|auto|custom") - .option("--gateway-auth ", "Gateway auth: off|token|password") + .option("--gateway-auth ", "Gateway auth: token|password") .option("--gateway-token ", "Gateway token (token auth)") .option("--gateway-password ", "Gateway password (password auth)") .option("--remote-url ", "Remote Gateway WebSocket URL") diff --git a/src/commands/configure.gateway-auth.test.ts b/src/commands/configure.gateway-auth.test.ts index 69faad450..26a3729f2 100644 --- a/src/commands/configure.gateway-auth.test.ts +++ b/src/commands/configure.gateway-auth.test.ts @@ -3,26 +3,18 @@ import { describe, expect, it } from "vitest"; import { buildGatewayAuthConfig } from "./configure.js"; describe("buildGatewayAuthConfig", () => { - it("clears token/password when auth is off", () => { - const result = buildGatewayAuthConfig({ - existing: { mode: "token", token: "abc", password: "secret" }, - mode: "off", - }); - - expect(result).toBeUndefined(); - }); - - it("preserves allowTailscale when auth is off", () => { + it("preserves allowTailscale when switching to token", () => { const result = buildGatewayAuthConfig({ existing: { - mode: "token", - token: "abc", + mode: "password", + password: "secret", allowTailscale: true, }, - mode: "off", + mode: "token", + token: "abc", }); - expect(result).toEqual({ allowTailscale: true }); + expect(result).toEqual({ mode: "token", token: "abc", allowTailscale: true }); }); it("drops password when switching to token", () => { diff --git a/src/commands/configure.gateway-auth.ts b/src/commands/configure.gateway-auth.ts index ad9406195..6d3522ab4 100644 --- a/src/commands/configure.gateway-auth.ts +++ b/src/commands/configure.gateway-auth.ts @@ -12,7 +12,7 @@ import { promptModelAllowlist, } from "./model-picker.js"; -type GatewayAuthChoice = "off" | "token" | "password"; +type GatewayAuthChoice = "token" | "password"; const ANTHROPIC_OAUTH_MODEL_KEYS = [ "anthropic/claude-opus-4-5", @@ -30,9 +30,6 @@ export function buildGatewayAuthConfig(params: { const base: GatewayAuthConfig = {}; if (typeof allowTailscale === "boolean") base.allowTailscale = allowTailscale; - if (params.mode === "off") { - return Object.keys(base).length > 0 ? base : undefined; - } if (params.mode === "token") { return { ...base, mode: "token", token: params.token }; } diff --git a/src/commands/configure.gateway.ts b/src/commands/configure.gateway.ts index ba44c3dcf..d572e54a9 100644 --- a/src/commands/configure.gateway.ts +++ b/src/commands/configure.gateway.ts @@ -7,7 +7,7 @@ import { buildGatewayAuthConfig } from "./configure.gateway-auth.js"; import { confirm, select, text } from "./configure.shared.js"; import { guardCancel, randomToken } from "./onboard-helpers.js"; -type GatewayAuthChoice = "off" | "token" | "password"; +type GatewayAuthChoice = "token" | "password"; export async function promptGatewayConfig( cfg: ClawdbotConfig, @@ -91,11 +91,6 @@ export async function promptGatewayConfig( await select({ message: "Gateway auth", options: [ - { - value: "off", - label: "Off (loopback only)", - hint: "Not recommended unless you fully trust local processes", - }, { value: "token", label: "Token", hint: "Recommended default" }, { value: "password", label: "Password" }, ], @@ -165,11 +160,6 @@ export async function promptGatewayConfig( bind = "loopback"; } - if (authMode === "off" && bind !== "loopback") { - note("Non-loopback bind requires auth. Switching to token auth.", "Note"); - authMode = "token"; - } - if (tailscaleMode === "funnel" && authMode !== "password") { note("Tailscale funnel requires password auth.", "Note"); authMode = "password"; diff --git a/src/commands/onboard-non-interactive.gateway.test.ts b/src/commands/onboard-non-interactive.gateway.test.ts index b5cf45166..a33cc531f 100644 --- a/src/commands/onboard-non-interactive.gateway.test.ts +++ b/src/commands/onboard-non-interactive.gateway.test.ts @@ -210,7 +210,7 @@ describe("onboard (non-interactive): gateway and remote auth", () => { await fs.rm(stateDir, { recursive: true, force: true }); }, 60_000); - it("auto-enables token auth when binding LAN and persists the token", async () => { + it("auto-generates token auth when binding LAN and persists the token", async () => { if (process.platform === "win32") { // Windows runner occasionally drops the temp config write in this flow; skip to keep CI green. return; @@ -242,7 +242,6 @@ describe("onboard (non-interactive): gateway and remote auth", () => { installDaemon: false, gatewayPort: port, gatewayBind: "lan", - gatewayAuth: "off", }, runtime, ); diff --git a/src/commands/onboard-non-interactive/local/gateway-config.ts b/src/commands/onboard-non-interactive/local/gateway-config.ts index fedf1ad19..70772fa9f 100644 --- a/src/commands/onboard-non-interactive/local/gateway-config.ts +++ b/src/commands/onboard-non-interactive/local/gateway-config.ts @@ -28,16 +28,20 @@ export function applyNonInteractiveGatewayConfig(params: { const port = hasGatewayPort ? (opts.gatewayPort as number) : params.defaultPort; let bind = opts.gatewayBind ?? "loopback"; - let authMode = opts.gatewayAuth ?? "token"; + const authModeRaw = opts.gatewayAuth ?? "token"; + if (authModeRaw !== "token" && authModeRaw !== "password") { + runtime.error("Invalid --gateway-auth (use token|password)."); + runtime.exit(1); + return null; + } + let authMode = authModeRaw; const tailscaleMode = opts.tailscale ?? "off"; const tailscaleResetOnExit = Boolean(opts.tailscaleResetOnExit); // Tighten config to safe combos: // - If Tailscale is on, force loopback bind (the tunnel handles external access). - // - If binding beyond loopback, disallow auth=off. // - If using Tailscale Funnel, require password auth. if (tailscaleMode !== "off" && bind !== "loopback") bind = "loopback"; - if (authMode === "off" && bind !== "loopback") authMode = "token"; if (tailscaleMode === "funnel" && authMode !== "password") authMode = "password"; let nextConfig = params.nextConfig; diff --git a/src/commands/onboard-types.ts b/src/commands/onboard-types.ts index 84c15afc4..aa1d9afe0 100644 --- a/src/commands/onboard-types.ts +++ b/src/commands/onboard-types.ts @@ -32,7 +32,7 @@ export type AuthChoice = | "copilot-proxy" | "qwen-portal" | "skip"; -export type GatewayAuthChoice = "off" | "token" | "password"; +export type GatewayAuthChoice = "token" | "password"; export type ResetScope = "config" | "config+creds+sessions" | "full"; export type GatewayBind = "loopback" | "lan" | "auto" | "custom" | "tailnet"; export type TailscaleMode = "off" | "serve" | "funnel"; diff --git a/src/wizard/onboarding.gateway-config.ts b/src/wizard/onboarding.gateway-config.ts index e8163cbad..c68836b32 100644 --- a/src/wizard/onboarding.gateway-config.ts +++ b/src/wizard/onboarding.gateway-config.ts @@ -93,11 +93,6 @@ export async function configureGatewayForOnboarding( : ((await prompter.select({ message: "Gateway auth", options: [ - { - value: "off", - label: "Off (loopback only)", - hint: "Not recommended unless you fully trust local processes", - }, { value: "token", label: "Token", @@ -165,7 +160,6 @@ export async function configureGatewayForOnboarding( // Safety + constraints: // - Tailscale wants bind=loopback so we never expose a non-loopback server + tailscale serve/funnel at once. - // - Auth off only allowed for bind=loopback. // - Funnel requires password auth. if (tailscaleMode !== "off" && bind !== "loopback") { await prompter.note("Tailscale requires bind=loopback. Adjusting bind to loopback.", "Note"); @@ -173,11 +167,6 @@ export async function configureGatewayForOnboarding( customBindHost = undefined; } - if (authMode === "off" && bind !== "loopback") { - await prompter.note("Non-loopback bind requires auth. Switching to token auth.", "Note"); - authMode = "token"; - } - if (tailscaleMode === "funnel" && authMode !== "password") { await prompter.note("Tailscale funnel requires password auth.", "Note"); authMode = "password"; diff --git a/src/wizard/onboarding.ts b/src/wizard/onboarding.ts index 1016e5680..77b7f770d 100644 --- a/src/wizard/onboarding.ts +++ b/src/wizard/onboarding.ts @@ -244,7 +244,6 @@ export async function runOnboardingWizard( return "Auto"; }; const formatAuth = (value: GatewayAuthChoice) => { - if (value === "off") return "Off (loopback only)"; if (value === "token") return "Token (default)"; return "Password"; };