[Bug]: dangerouslyDisableDeviceAuth: true ignored in 2026.3.11 — Control UI rejects HTTP connections with "device identity required" #44485

@mhpjay422

Bug type

Regression (worked before, now fails)

Summary

After upgrading from 2026.3.8 to 2026.3.11, the Control UI rejects all browser connections over HTTP with code=1008 reason=device identity required, even with gateway.controlUi.dangerouslyDisableDeviceAuth: true. The flag worked correctly in 2026.3.8. Downgrading to 3.8 restores functionality.

Steps to reproduce

  1. Run OpenClaw 2026.3.8 on a VPS behind a reverse proxy over HTTP (no HTTPS)
  2. Set gateway.controlUi.dangerouslyDisableDeviceAuth: true in openclaw.json
  3. Confirm Control UI works in browser — connects successfully
  4. Upgrade to 2026.3.11: npm i -g openclaw@2026.3.11 --prefix /usr/local
  5. Restart gateway
  6. Open Control UI in browser — fails with "device identity required"

Gateway log shows:
cause: "device-required"
handshake: "failed"
code=1008 reason=device identity required

No pending device appears in openclaw devices list — connection is rejected before pairing handshake.

Expected behavior

With dangerouslyDisableDeviceAuth: true, the gateway should skip device identity checks and allow browser connections over HTTP, as it did in 2026.3.8.

Actual behavior

Device identity is enforced regardless of the flag. Browser connections are rejected at the WebSocket level before device pairing can register.

OpenClaw version

2026.3.11 (29dc654)

Operating system

Ubuntu 24.04 (Hostinger VPS Docker container)

Install method

docker (Hostinger managed OpenClaw VPS image)

Model

anthropic/claude-sonnet-4-5

Provider / routing chain

openclaw -> anthropic

Config file / key location

No response

Additional provider/model setup details

Gateway config:

  • mode: local
  • bind: loopback
  • trustedProxies: ["127.0.0.1/32"]
  • controlUi.dangerouslyDisableDeviceAuth: true
  • controlUi.allowInsecureAuth: false (also tried true, same result)
  • controlUi.allowedOrigins: ["http://187.77.222.15:50192", "http://localhost:8080"]

Hostinger setup: Docker container behind Hostinger's internal reverse proxy (nginx).
Proxy forwards to localhost:18789, exposed externally on port 50192.
No HTTPS configured — all connections are plain HTTP.

Logs, screenshots, and evidence

Gateway log on browser connect attempt:

19:26:52 warn gateway/ws Loopback connection with non-local Host header. 
  Treating it as remote. If you're behind a reverse proxy, set 
  gateway.trustedProxies and forward X-Forwarded-For/X-Real-IP.

19:26:52 warn gateway/ws {
  "cause": "device-required",
  "handshake": "failed",
  "host": "187.77.222.15:50192",
  "origin": "http://187.77.222.15:50192",
  "client": "openclaw-control-ui",
  "version": "2026.3.11"
} closed before connect code=1008 reason=device identity required

Also tried SSH tunnel (localhost:8080 -> localhost:50192):
- Same result: cause=device-required, code=1008
- `openclaw devices list` shows no pending devices — 
  connection rejected before pairing handshake can register

Downgrading to 2026.3.8 with same config restores normal behavior.

Impact and severity

Affected: All Control UI users on HTTP (no HTTPS) behind reverse proxies
Severity: High (blocks workflow — Control UI completely inaccessible)
Frequency: 100% repro on 2026.3.11 with HTTP + reverse proxy setup
Consequence: Cannot access Control UI webchat after upgrading. Forces downgrade to 2026.3.8 to restore access. Blocks upgrade path for HTTP deployments.

Additional information

Last known good version: 2026.3.8
First known bad version: 2026.3.11

Temporary workaround: Downgrade to 2026.3.8 by restoring from Hostinger skeleton:
rm -rf /usr/local/lib/node_modules/openclaw
cp -r /skeleton/.npm-global/lib/node_modules/openclaw /usr/local/lib/node_modules/openclaw

Note: npm version pinning appears broken — npm i -g [email protected] installs but package.json shows 2026.3.11. The skeleton copy is the only reliable rollback path on Hostinger.

Also note: trustedProxies is set to ["127.0.0.1/32"] and the gateway log still warns "Loopback connection with non-local Host header. Treating it as remote." — suggesting trustedProxies may not be working correctly with Hostinger's proxy setup, which could be contributing to the device-required rejection.

Environment details:

  • Host OS: Ubuntu 24.04.4 LTS (6.8.0-101-generic x86_64)
  • Docker container: Hostinger managed OpenClaw VPS image
  • Node: v22.22.0
  • Browser: Safari 26.1 (macOS Sequoia)
  • Network: HTTP only, no HTTPS, behind Hostinger internal nginx reverse proxy
  • External IP: VPS public IP, port 50192
  • Internal: localhost:18789
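
The trustedProxies note above turns on how a gateway behind a reverse proxy decides whether a connection is local or remote. As an added illustration (not OpenClaw's code and not part of the original report), this sketch shows the usual trusted-proxy logic: forwarding headers are honoured only when the socket peer is inside the trusted CIDR list, and a trusted peer that forwards no usable header is treated as remote. The function names, the IPv4-only scope and the fail-closed choice are assumptions; 203.0.113.7 in the usage is a constructed documentation address.

```javascript
// Added illustration of generic trusted-proxy handling; not OpenClaw's code.
// IPv4 only, to keep the sketch short.
function ipv4ToInt(ip) {
  const parts = ip.trim().split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inCidr(ip, cidr) {
  const [base, bitsStr = '32'] = cidr.split('/');
  const a = ipv4ToInt(ip), b = ipv4ToInt(base), bits = Number(bitsStr);
  if (a === null || b === null || !(bits >= 0 && bits <= 32)) return false;
  const size = 2 ** (32 - bits); // addresses per block of this prefix length
  return Math.floor(a / size) === Math.floor(b / size);
}

const isTrusted = (ip, proxies) => proxies.some((c) => inCidr(ip, c));
const isLoopback = (ip) => inCidr(ip, '127.0.0.0/8');

// peer: TCP socket address; headers: request headers with lower-cased names.
function resolveClient(peer, headers, trustedProxies) {
  // Forwarding headers sent by an untrusted peer are client-controlled: ignore them.
  if (!isTrusted(peer, trustedProxies)) {
    return { ip: peer, local: isLoopback(peer), via: 'socket' };
  }
  const chain = (headers['x-forwarded-for'] || headers['x-real-ip'] || '')
    .split(',').map((s) => s.trim()).filter(Boolean);
  // Walk right to left; the first hop that is not a trusted proxy is the client.
  for (let i = chain.length - 1; i >= 0; i--) {
    if (ipv4ToInt(chain[i]) === null) break; // malformed entry: stop trusting the chain
    if (!isTrusted(chain[i], trustedProxies)) {
      return { ip: chain[i], local: isLoopback(chain[i]), via: 'forwarded' };
    }
  }
  // Trusted proxy forwarded nothing usable: fail closed and treat as remote.
  return { ip: peer, local: false, via: 'proxy-no-header' };
}
```

With the reported `trustedProxies: ["127.0.0.1/32"]`, `resolveClient('127.0.0.1', {}, ['127.0.0.1/32'])` returns `via: 'proxy-no-header'`, the case where the proxy connects from loopback but forwards no X-Forwarded-For/X-Real-IP.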

Labels: bug, regression
