Description

When gateway.controlUi.dangerouslyDisableDeviceAuth is set to true, the gateway correctly sets the device to null via resolveControlUiAuthPolicy, but the connection is still rejected with device identity required (code 1008) because roleCanSkipDeviceIdentity() requires both role === "operator" AND sharedAuthOk === true.

In reverse proxy setups where Nginx injects the Authorization: Bearer header at the HTTP level, the token is not present in the WebSocket connect frame's connectAuth, so sharedAuthOk evaluates to false. This causes evaluateMissingDeviceIdentity() to fall through to reject-device-required.

Expected behavior

When dangerouslyDisableDeviceAuth: true, Control UI connections should be allowed without requiring a valid shared auth token in the WebSocket connect frame. The controlUiAuthPolicy.allowBypass flag is already true in this case, but evaluateMissingDeviceIdentity() does not check it before falling through to the device-required rejection.

Suggested fix

Add a check in evaluateMissingDeviceIdentity():

if (params.isControlUi && params.controlUiAuthPolicy.allowBypass) return { kind: "allow" };

And also handle the check in the connection handler:

    rejectUnauthorized(authResult);
    return;
}

Environment

• OpenClaw v2026.3.8
• Node.js v24.13.1
• Nginx reverse proxy with Authorization: Bearer header injection