Control UI authentication via HTTP + Token fails in 2026.3.12 but works in 2026.3.2 #45401

@xishandong


Description

After upgrading to OpenClaw 2026.3.12, the Control UI cannot be accessed via HTTP + Token. The browser shows a "device identity required" error even with dangerouslyDisableDeviceAuth: true configured.

Downgrading to 2026.3.2 with the same configuration works correctly.

Environment

  • Version: 2026.3.12 (broken) vs 2026.3.2 (working)
  • OS: Linux (x64)
  • Node.js: 22.x
  • Browser: Chrome
  • Access method: HTTP (non-HTTPS)

Configuration

{
  "gateway": {
    "bind": "lan",
    "mode": "local",
    "controlUi": {
      "basePath": "xxx",
      "allowedOrigins": ["http://<host>:<port>"],
      "allowInsecureAuth": true,
      "dangerouslyDisableDeviceAuth": true
    },
    "auth": {
      "mode": "token",
      "token": "xxx"
    }
  }
}

Steps to Reproduce

  1. Install OpenClaw 2026.3.12
  2. Configure gateway.controlUi.dangerouslyDisableDeviceAuth: true
  3. Access Control UI via HTTP
  4. Page shows "device identity required", connection fails

Expected Behavior

Same as 2026.3.2: With dangerouslyDisableDeviceAuth: true, it should be possible to access Control UI via HTTP + Token without device identity verification.

Actual Behavior

Page shows "device identity required", WebSocket connection fails.

Related Changes

Per CHANGELOG, 2026.2.26 introduced:

Gateway/Security: require secure context and paired-device checks for Control UI auth even when gateway.controlUi.allowInsecureAuth is set

Suggestions

  1. Clarify expected behavior of dangerouslyDisableDeviceAuth: should it completely disable device identity checks including secure context?
  2. Or provide a way to allow HTTP access to Control UI in controlled environments (e.g., LAN, dev environment)
  3. Update documentation about HTTP access restrictions to Control UI since 2026.2.26

Workaround

Downgrade to 2026.3.2:

npm install -g openclaw@2026.3.2
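
As an added example (not OpenClaw's code and not part of the original report), the following sketch audits a config shaped like the one above: it flags `allowedOrigins` entries that a browser would not treat as a secure context (only HTTPS and loopback origins qualify), plus the two relaxations the reporter enabled. The function names, the `lan-exposed` label and the sample address and token are assumptions made for the illustration.

```javascript
// Added example: audits a gateway config shaped like the one in this issue.
// It does not reproduce OpenClaw's own checks; key names come from the issue.
function isSecureContextOrigin(origin) {
  let url;
  try { url = new URL(origin); } catch { return false; }
  if (url.protocol === "https:") return true;
  if (url.protocol !== "http:") return false;
  const host = url.hostname;
  // Loopback is treated as potentially trustworthy even over plain HTTP.
  return host === "localhost" || host.endsWith(".localhost") ||
    /^127(\.\d{1,3}){3}$/.test(host) || host === "[::1]";
}

function auditControlUi(config) {
  const gw = (config && config.gateway) || {};
  const ui = gw.controlUi || {};
  const findings = [];
  for (const origin of ui.allowedOrigins || []) {
    // A plain-HTTP LAN origin is not a secure context in the browser.
    if (!isSecureContextOrigin(origin)) findings.push(`insecure-origin:${origin}`);
  }
  if (ui.allowInsecureAuth === true) findings.push("allowInsecureAuth");
  if (ui.dangerouslyDisableDeviceAuth === true) {
    findings.push("dangerouslyDisableDeviceAuth");
  }
  // Hypothetical label: relaxed auth settings combined with a LAN bind.
  if (gw.bind === "lan" && findings.length > 0) findings.push("lan-exposed");
  return findings;
}

// Constructed sample input mirroring the issue's configuration.
const sample = {
  gateway: {
    bind: "lan",
    mode: "local",
    controlUi: {
      allowedOrigins: ["http://192.0.2.10:8080"], // constructed address
      allowInsecureAuth: true,
      dangerouslyDisableDeviceAuth: true,
    },
    auth: { mode: "token", token: "constructed-token" },
  },
};
console.log(auditControlUi(sample));
```

An empty result means every listed origin is HTTPS or loopback and neither relaxation flag is set.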
