Skip to content

fix(gateway): preserve device token for fallback auth during SPA navigation#39639

Closed
openperf wants to merge 3 commits intoopenclaw:mainfrom
openperf:fix/39611-control-ui-device-identity-regression
Closed

fix(gateway): preserve device token for fallback auth during SPA navigation#39639
openperf wants to merge 3 commits intoopenclaw:mainfrom
openperf:fix/39611-control-ui-device-identity-regression

Conversation

@openperf
Copy link
Copy Markdown
Contributor

@openperf openperf commented Mar 8, 2026
edited
Loading

Summary

  • Problem: In both src/gateway/client.ts (Node.js) and ui/src/ui/gateway.ts (browser), the resolvedDeviceToken logic incorrectly suppresses the stored device token when an explicit shared token or password is provided. Furthermore, the browser client's auth payload was missing the deviceToken field entirely. This causes the Control UI to fail with a "device identity required" error upon WebSocket reconnects, because the gateway server cannot fall back to the device token when the shared token is absent or invalid.
  • Why it matters: This regression completely breaks multi-page workflows in the Control UI for version 2026.3.7. Users are forced to regenerate the token URL and reload for every single page navigation, making the dashboard practically unusable.
  • What changed:
    1. Modified resolvedDeviceToken in both the Node.js client and the browser client to always resolve the device token independently of shared credentials (explicitDeviceToken ?? storedToken ?? undefined).
    2. Updated the browser client's auth payload to include the deviceToken field alongside the shared token, enabling gateway-side fallback.
    3. Added explicit deviceIdentity to two test cases in client.test.ts for clarity, and updated gateway.node.test.ts to verify the new fallback behavior.
  • What did NOT change: The primary authentication logic remains unchanged. The authToken still prefers the explicit shared token over the device token. The close handler logic for clearing stale device tokens remains unaffected.

Change Type (select all)

  • Bug fix

Scope (select all touched areas)

  • Gateway / orchestration
  • App: web-ui

Linked Issue/PR

AI-Assisted Contribution

  • AI Usage: This PR was developed with AI assistance.
  • Human Review: I have personally reviewed, designed, and fully understand all the code changes.
  • Testing: Fully tested locally with my OpenClaw instance.
  • Prompt Context: Asked AI to analyze the "device identity required" regression in Control UI, trace the token resolution logic in both the Node.js client and the browser client, and fix the regression where explicit shared tokens incorrectly suppressed stored device tokens.

@openclaw-barnacle openclaw-barnacle bot added gateway Gateway runtime size: XS labels Mar 8, 2026
@greptile-apps
Copy link
Copy Markdown
Contributor

greptile-apps bot commented Mar 8, 2026

Greptile Summary

This PR fixes a real SPA-navigation regression by simplifying resolvedDeviceToken in src/gateway/client.ts to always resolve the stored device token independently of whether explicit shared credentials are present. The production-code change is correct and well-scoped.

However, the two updated test cases in client.test.ts contain a critical bug that renders them non-functional:

  • Both "sends stored device token alongside explicit shared token for fallback auth" (line 386) and "sends stored device token alongside explicit shared password for fallback auth" (line 405) set up loadDeviceAuthTokenMock but construct GatewayClient without a deviceIdentity option.
  • In client.ts, loadDeviceAuthToken is only called when this.opts.deviceIdentity is truthy. Without it, storedToken is always null and resolvedDeviceToken is always undefined, regardless of the mock.
  • As a result, both tests' assertions on deviceToken and token values will always fail — the intended new behavior is effectively untested.

The fix is to add a DeviceIdentity object to the GatewayClient constructor in each of those two tests (following the createClientWithIdentity helper pattern already present in the file).

Confidence Score: 2/5

  • The production fix is correct, but the two test cases that are supposed to validate it are broken and will fail, leaving the new behavior untested.
  • The client.ts change is small, focused, and logically sound. The score is lowered because the corresponding test updates have a clear defect: both new test cases omit deviceIdentity from the client config, which prevents loadDeviceAuthToken from ever being called. This means the tests do not actually exercise the fix and will fail as written.
  • src/gateway/client.test.ts — both updated test cases need a DeviceIdentity added to the GatewayClient constructor.

Last reviewed commit: c33bac5

greptile-apps[bot]
greptile-apps bot reviewed Mar 8, 2026
View reviewed changes
chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Mar 8, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: c33bac57dc

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

@openclaw-barnacle openclaw-barnacle bot added app: web-ui App: web-ui size: S and removed size: XS labels Mar 8, 2026
chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Mar 8, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 397a03a5f7

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

This was referenced Mar 8, 2026
Closed
Open
@kirisame-wang kirisame-wang mentioned this pull request Mar 12, 2026
Merged
20 tasks
@velvet-shark
Copy link
Copy Markdown
Member

velvet-shark commented Mar 12, 2026

Thanks for the work here.

I reviewed this against what landed in #40892, now merged to main in f2f561fab1bf3808baed61ebdd55ec3bfe3c8b65.

That merged fix resolves the same Control UI auth-loss regression by restoring current-tab token continuity through sessionStorage, which covers the same-tab navigation/reload path without changing the gateway/device-token fallback behavior. With that fix in main, this alternative approach is no longer needed for the reported regression.

Closing as superseded by #40892. If there is still a separate device-token fallback bug on current main, please open a new issue or PR scoped to that behavior alone.

openperf added a commit to openperf/moltbot that referenced this pull request Mar 13, 2026
@openperf
test(gateway): verify device token is sent alongside shared credentials
82cba0c 
Update connect-auth tests to assert that the stored device token is
included in the auth payload even when an explicit shared token or
password is provided.  Previously the tests asserted deviceToken was
undefined in these cases, matching the old suppression behavior.

Add `deviceIdentity` to the Node.js client test fixtures so the
stored-token lookup path is exercised (addresses the missing
`deviceIdentity` config gap flagged during review of openclaw#39639).
@openperf openperf mentioned this pull request Mar 13, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

+1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

app: web-ui App: web-ui gateway Gateway runtime size: S

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Control UI "device identity required" error after page navigation in 2026.3.7

2 participants

@openperf @velvet-shark