test(gateway): verify device token is sent alongside shared credentials

openperf · openperf · commit 82cba0c4e5f4 · 2026-03-13T20:21:46.000+08:00
Update connect-auth tests to assert that the stored device token is included in the auth payload even when an explicit shared token or password is provided. Previously the tests asserted deviceToken was undefined in these cases, matching the old suppression behavior. Add `deviceIdentity` to the Node.js client test fixtures so the stored-token lookup path is exercised (addresses the missing `deviceIdentity` config gap flagged during review of #39639).
diff --git a/src/gateway/client.test.ts b/src/gateway/client.test.ts
@@ -354,11 +354,17 @@ describe("GatewayClient connect auth payload", () => {
     );
   }
 
-  it("uses explicit shared token and does not inject stored device token", () => {
+  it("sends stored device token alongside explicit shared token for fallback auth", () => {
     loadDeviceAuthTokenMock.mockReturnValue({ token: "stored-device-token" });
+    const identity: DeviceIdentity = {
+      deviceId: "dev-fallback-1",
+      privateKeyPem: "private-key", // pragma: allowlist secret
+      publicKeyPem: "public-key",
+    };
     const client = new GatewayClient({
       url: "ws://127.0.0.1:18789",
       token: "shared-token",
+      deviceIdentity: identity,
     });
 
     client.start();
@@ -368,16 +374,22 @@ describe("GatewayClient connect auth payload", () => {
 
     expect(connectFrameFrom(ws)).toMatchObject({
       token: "shared-token",
+      deviceToken: "stored-device-token",
     });
-    expect(connectFrameFrom(ws).deviceToken).toBeUndefined();
     client.stop();
   });
 
-  it("uses explicit shared password and does not inject stored device token", () => {
+  it("sends stored device token alongside explicit shared password for fallback auth", () => {
     loadDeviceAuthTokenMock.mockReturnValue({ token: "stored-device-token" });
+    const identity: DeviceIdentity = {
+      deviceId: "dev-fallback-2",
+      privateKeyPem: "private-key", // pragma: allowlist secret
+      publicKeyPem: "public-key",
+    };
     const client = new GatewayClient({
       url: "ws://127.0.0.1:18789",
       password: "shared-password", // pragma: allowlist secret
+      deviceIdentity: identity,
     });
 
     client.start();
@@ -387,9 +399,11 @@ describe("GatewayClient connect auth payload", () => {
 
     expect(connectFrameFrom(ws)).toMatchObject({
       password: "shared-password", // pragma: allowlist secret
+      deviceToken: "stored-device-token",
     });
-    expect(connectFrameFrom(ws).token).toBeUndefined();
-    expect(connectFrameFrom(ws).deviceToken).toBeUndefined();
+    // When password is the primary credential, auth.token falls back to
+    // the resolved device token for legacy compatibility.
+    expect(connectFrameFrom(ws).token).toBe("stored-device-token");
     client.stop();
   });
 
diff --git a/ui/src/ui/gateway.node.test.ts b/ui/src/ui/gateway.node.test.ts
@@ -146,7 +146,7 @@ describe("GatewayBrowserClient", () => {
     vi.unstubAllGlobals();
   });
 
-  it("prefers explicit shared auth over cached device tokens", async () => {
+  it("sends stored device token alongside explicit shared auth for fallback", async () => {
     const client = new GatewayBrowserClient({
       url: "ws://127.0.0.1:18789",
       token: "shared-auth-token",
@@ -165,13 +165,18 @@ describe("GatewayBrowserClient", () => {
     const connectFrame = JSON.parse(ws.sent.at(-1) ?? "{}") as {
       id?: string;
       method?: string;
-      params?: { auth?: { token?: string } };
+      params?: { auth?: { token?: string; deviceToken?: string } };
     };
     expect(typeof connectFrame.id).toBe("string");
     expect(connectFrame.method).toBe("connect");
+    // Shared token takes priority for auth.token; device token is sent
+    // alongside for gateway-side fallback (#39611, #39667, #44485).
     expect(connectFrame.params?.auth?.token).toBe("shared-auth-token");
+    expect(connectFrame.params?.auth?.deviceToken).toBe("stored-device-token");
     expect(signDevicePayloadMock).toHaveBeenCalledWith("private-key", expect.any(String));
     const signedPayload = signDevicePayloadMock.mock.calls[0]?.[1];
+    // The signed payload still uses the shared token (authToken), not the
+    // stored device token, because explicitGatewayToken takes precedence.
     expect(signedPayload).toContain("|shared-auth-token|nonce-1");
     expect(signedPayload).not.toContain("stored-device-token");
   });
