Gateway: preserve trusted-proxy browser scopes

vincentkoc · vincentkoc · commit 8661c271e922 · 2026-03-12T21:00:43.000-04:00
diff --git a/src/gateway/server.auth.browser-hardening.test.ts b/src/gateway/server.auth.browser-hardening.test.ts
@@ -15,6 +15,7 @@ import {
   connectOk,
   installGatewayTestHooks,
   readConnectChallengeNonce,
+  rpcReq,
   testState,
   trackConnectChallengeNonce,
   withGatewayServer,
@@ -150,6 +151,47 @@ describe("gateway auth browser hardening", () => {
     });
   });
 
+  test("preserves scopes for trusted-proxy non-control-ui browser sessions", async () => {
+    const { writeConfigFile } = await import("../config/config.js");
+    await writeConfigFile({
+      gateway: {
+        auth: {
+          mode: "trusted-proxy",
+          trustedProxy: {
+            userHeader: "x-forwarded-user",
+            requiredHeaders: ["x-forwarded-proto"],
+          },
+        },
+        trustedProxies: ["127.0.0.1"],
+        controlUi: {
+          allowedOrigins: [ALLOWED_BROWSER_ORIGIN],
+        },
+      },
+    });
+
+    await withGatewayServer(async ({ port }) => {
+      const ws = await openWs(port, {
+        origin: ALLOWED_BROWSER_ORIGIN,
+        "x-forwarded-for": "203.0.113.50",
+        "x-forwarded-proto": "https",
+        "x-forwarded-user": "operator@example.com",
+      });
+      try {
+        const payload = await connectOk(ws, {
+          client: TEST_OPERATOR_CLIENT,
+          device: null,
+          scopes: ["operator.read"],
+        });
+        expect(payload.type).toBe("hello-ok");
+
+        const status = await rpcReq(ws, "status");
+        expect(status.ok).toBe(true);
+      } finally {
+        ws.close();
+      }
+    });
+  });
+
   test.each([
     {
       name: "rejects disallowed origins",
diff --git a/src/gateway/server/ws-connection/message-handler.ts b/src/gateway/server/ws-connection/message-handler.ts
@@ -526,7 +526,7 @@ export function attachGatewayWsMessageHandler(params: {
             hasSharedAuth,
             isLocalClient,
           });
-          if (!device && (!isControlUi || decision.kind !== "allow")) {
+          if (!device && decision.kind !== "allow") {
             clearUnboundScopes();
           }
           if (decision.kind === "allow") {

Original file line number	Diff line number	Diff line change
`@@ -526,7 +526,7 @@ export function attachGatewayWsMessageHandler(params: {`
`526`	`526`	`hasSharedAuth,`
`527`	`527`	`isLocalClient,`
`528`	`528`	`});`
`529`		`- if (!device && (!isControlUi \|\| decision.kind !== "allow")) {`
	`529`	`+ if (!device && decision.kind !== "allow") {`
`530`	`530`	`clearUnboundScopes();`
`531`	`531`	`}`
`532`	`532`	`if (decision.kind === "allow") {`