fix: harden gateway auth defaults

2026-01-11 01:50:46 +01:00
parent 49e7004664
commit d33285a9cd
9 changed files with 187 additions and 30 deletions
--- a/src/wizard/onboarding.ts
+++ b/src/wizard/onboarding.ts
@@ -174,7 +174,7 @@ export async function runOnboardingWizard(
        ? bindRaw
        : "loopback";

-    let authMode: GatewayAuthChoice = "off";
+    let authMode: GatewayAuthChoice = "token";
    if (
      baseConfig.gateway?.auth?.mode === "token" ||
      baseConfig.gateway?.auth?.mode === "password"
@@ -215,7 +215,7 @@ export async function runOnboardingWizard(
    };
    const formatAuth = (value: GatewayAuthChoice) => {
      if (value === "off") return "Off (loopback only)";
-      if (value === "token") return "Token";
+      if (value === "token") return "Token (default)";
      return "Password";
    };
    const formatTailscale = (value: "off" | "serve" | "funnel") => {
@@ -237,7 +237,7 @@ export async function runOnboardingWizard(
      : [
          `Gateway port: ${DEFAULT_GATEWAY_PORT}`,
          "Gateway bind: Loopback (127.0.0.1)",
-          "Gateway auth: Off (loopback only)",
+          "Gateway auth: Token (default)",
          "Tailscale exposure: Off",
          "Direct to chat providers.",
        ];
@@ -248,7 +248,8 @@ export async function runOnboardingWizard(
  const localUrl = `ws://127.0.0.1:${localPort}`;
  const localProbe = await probeGatewayReachable({
    url: localUrl,
-    token: process.env.CLAWDBOT_GATEWAY_TOKEN,
+    token:
+      baseConfig.gateway?.auth?.token ?? process.env.CLAWDBOT_GATEWAY_TOKEN,
    password:
      baseConfig.gateway?.auth?.password ??
      process.env.CLAWDBOT_GATEWAY_PASSWORD,
@@ -402,15 +403,16 @@ export async function runOnboardingWizard(
            {
              value: "off",
              label: "Off (loopback only)",
-              hint: "Recommended for single-machine setups",
+              hint: "Not recommended unless you fully trust local processes",
            },
            {
              value: "token",
              label: "Token",
-              hint: "Use for multi-machine access or non-loopback binds",
+              hint: "Recommended default (local + remote)",
            },
            { value: "password", label: "Password" },
          ],
+          initialValue: "token",
        })) as GatewayAuthChoice)
  ) as GatewayAuthChoice;

@@ -477,8 +479,8 @@ export async function runOnboardingWizard(

  let gatewayToken: string | undefined;
  if (authMode === "token") {
-    if (flow === "quickstart" && quickstartGateway.token) {
-      gatewayToken = quickstartGateway.token;
+    if (flow === "quickstart") {
+      gatewayToken = quickstartGateway.token ?? randomToken();
    } else {
      const tokenInput = await prompter.text({
        message: "Gateway token (blank to generate)",
@@ -815,5 +817,10 @@ export async function runOnboardingWizard(
    "Workspace backup",
  );

+  await prompter.note(
+    "Running agents on your computer is risky — harden your setup: https://docs.clawd.bot/security",
+    "Security",
+  );
+
  await prompter.outro("Onboarding complete.");
 }