fix: preserve operator scopes for shared auth connections

Kevin Shenghui · steipete · commit 9c142993b89d · 2026-02-26T13:40:58.000Z
When connecting via shared gateway token (no device identity), the operator scopes were being cleared, causing API operations to fail with 'missing scope' errors. This fix preserves scopes when sharedAuthOk is true, allowing headless/API operator clients to retain their requested scopes. Fixes #27494 (cherry picked from commit c71c894)
diff --git a/src/gateway/server/ws-connection/message-handler.ts b/src/gateway/server/ws-connection/message-handler.ts
@@ -486,7 +486,7 @@ export function attachGatewayWsMessageHandler(params: {
           close(1008, truncateCloseReason(authMessage));
         };
         const clearUnboundScopes = () => {
-          if (scopes.length > 0 && !controlUiAuthPolicy.allowBypass) {
+          if (scopes.length > 0 && !controlUiAuthPolicy.allowBypass && !sharedAuthOk) {
             scopes = [];
             connectParams.scopes = scopes;
           }

Original file line number	Diff line number	Diff line change
`@@ -486,7 +486,7 @@ export function attachGatewayWsMessageHandler(params: {`
`486`	`486`	`close(1008, truncateCloseReason(authMessage));`
`487`	`487`	`};`
`488`	`488`	`const clearUnboundScopes = () => {`
`489`		`- if (scopes.length > 0 && !controlUiAuthPolicy.allowBypass) {`
	`489`	`+ if (scopes.length > 0 && !controlUiAuthPolicy.allowBypass && !sharedAuthOk) {`
`490`	`490`	`scopes = [];`
`491`	`491`	`connectParams.scopes = scopes;`
`492`	`492`	`}`