
Dashboard unusable: dangerouslyDisableDeviceAuth strips all scopes (missing operator.read) #17153

@petresandu-cloud

Bug

When gateway.controlUi.dangerouslyDisableDeviceAuth: true is set, the dashboard connects successfully but cannot perform any operations because all scopes are stripped to [], resulting in "missing scope: operator.read" errors.

Root cause

In the gateway WebSocket handshake (gateway-cli-*.js), when dangerouslyDisableDeviceAuth is true, device is set to null. This triggers the if (!device) branch which unconditionally clears scopes:

if (!device) {
    if (scopes.length > 0) {
        scopes = [];
        connectParams.scopes = scopes;
    }

This should respect allowControlUiBypass:

if (scopes.length > 0 && !allowControlUiBypass) {

Related issue: device_token_mismatch on local connections

The reason dangerouslyDisableDeviceAuth was needed in the first place: fresh local browser connections to the dashboard fail with device_token_mismatch. The gateway validates the gateway auth token as a device-specific token and rejects it before reaching the auto-pair flow.

Flow:

  1. Dashboard connects with gateway auth token + fresh device identity (Ed25519 keypair)
  2. authorizeGatewayConnect validates the gateway token ✅
  3. But then the code at if (!authOk && connectParams.auth?.token && device) calls verifyDeviceToken using the gateway token as if it were a device token
  4. This fails → device_token_mismatch
  5. Connection rejected before reaching the requirePairing flow that would auto-approve local clients

Environment

  • OpenClaw 2026.2.14 (c1feda1)
  • macOS (arm64), Node v24.6.0
  • Loopback-only gateway (127.0.0.1:18789)
  • Fresh install, fresh browsers (Safari + Chrome both affected)

Workaround

  1. Set gateway.controlUi.dangerouslyDisableDeviceAuth: true
  2. Patch scope stripping: change if (scopes.length > 0) to if (scopes.length > 0 && !allowControlUiBypass) in the !device branch
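
The scope decision described under "Root cause" and in the workaround, modelled as an added example; this is not code from the issue author or from OpenClaw. The function names and the bypassScopeCap allow-list are assumptions made for illustration, and the connect requests are constructed.

```javascript
// Added illustration: a simplified model of the scope decision in the issue,
// not OpenClaw's gateway code. Function names and bypassScopeCap are hypothetical.

// Reported behaviour: with no device identity, requested scopes are always cleared.
function resolveScopesReported({ device, scopes }) {
  if (!device && scopes.length > 0) return [];
  return scopes;
}

// Proposed condition from the issue: keep scopes when allowControlUiBypass is set.
// Assumption added here: with no device identity the scopes are only what the
// client asked for, so they are intersected with an operator-configured cap.
function resolveScopesPatched({ device, scopes, allowControlUiBypass, bypassScopeCap = [] }) {
  if (device) return scopes;
  if (!allowControlUiBypass) return [];
  const cap = new Set(bypassScopeCap);
  return scopes.filter((scope) => cap.has(scope));
}

// Constructed connect requests. "operator.read" is the scope named in the issue;
// "example.write" is a made-up scope used only to show the cap.
const requested = ["operator.read", "example.write"];
const cases = [
  { name: "paired device", device: { id: "constructed-device" }, allowControlUiBypass: false },
  { name: "no device, bypass off", device: null, allowControlUiBypass: false },
  { name: "no device, bypass on", device: null, allowControlUiBypass: true },
];

// Runs every case through both variants so the difference is visible side by side.
function compare(bypassScopeCap) {
  return cases.map((c) => ({
    name: c.name,
    reported: resolveScopesReported({ device: c.device, scopes: requested }),
    patched: resolveScopesPatched({ ...c, scopes: requested, bypassScopeCap }),
  }));
}

for (const row of compare(["operator.read"])) {
  console.log(`${row.name}: reported=[${row.reported}] patched=[${row.patched}]`);
}
```

Only the "no device, bypass on" case differs between the two variants: the reported logic returns an empty list, while the patched model returns the requested scopes that fall inside the cap.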
