From 079af0d0b02ca2c722f90b6c4e38e27ba16227b4 Mon Sep 17 00:00:00 2001
From: David Hurley
Date: Tue, 20 Jan 2026 11:46:47 -0500
Subject: [PATCH] fix: allow token auth to bypass device identity requirement
The device identity check was rejecting connections before token authentication could be attempted. This broke the control-ui (web UI) which uses token-based authentication via URL parameter. Changes: - Skip device identity requirement when a token is provided - Guard device token verification to only run when device is present Fixes control-ui showing "device identity required" error when connecting with a valid token.
Co-Authored-By: Claude Opus 4.5
---
src/gateway/server/ws-connection/message-handler.ts | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/gateway/server/ws-connection/message-handler.ts b/src/gateway/server/ws-connection/message-handler.ts
index a8491c32e..e4a8dbd58 100644
--- a/src/gateway/server/ws-connection/message-handler.ts
+++ b/src/gateway/server/ws-connection/message-handler.ts
@@ -254,7 +254,9 @@ export function attachGatewayWsMessageHandler(params: {
const device = connectParams.device;
let devicePublicKey: string | null = null;
- if (!device) {
+ // Allow token-authenticated connections (e.g., control-ui) to skip device identity
+ const hasTokenAuth = !!connectParams.auth?.token;
+ if (!device && !hasTokenAuth) {
setHandshakeState("failed");
setCloseCause("device-required", {
client: connectParams.client.id,
@@ -427,7 +429,7 @@ export function attachGatewayWsMessageHandler(params: {
});
let authOk = authResult.ok;
let authMethod = authResult.method ?? "none";
- if (!authOk && connectParams.auth?.token) {
+ if (!authOk && connectParams.auth?.token && device) {
const tokenCheck = await verifyDeviceToken({
deviceId: device.id,
token: connectParams.auth.token,
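Review bot: `hasTokenAuth` in the first hunk is true for any non-empty `connectParams.auth.token`, so the device-identity gate is skipped on the mere presence of a token string, before anything has verified it, and for every client rather than only control-ui. From here on the only thing standing between a device-less client and a session is the later `authResult` check, which lies outside both hunks; if that check can succeed by a method that never compares the token (the `authMethod` default of `"none"` suggests such modes may exist), an arbitrary token value would bypass device identity. I would treat the early gate as a deferral only and re-assert it after auth, along the lines of `if (!device && !(authOk && <authMethod is the shared-token method>)) { /* close with "device-required" */ }`, and add a test that a device-less connect with a wrong token is rejected. The second hunk's `&& device` guard rests on the same assumption: with no device and a failed token the fallback is skipped and `authOk` stays false, so the rejection path after it (not visible here) is now what must catch this case.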