fix(gateway): allow cron commands to use gateway.remote.token (#27286)

* fix(gateway): allow cron commands to use gateway.remote.token * fix(gateway): make local remote-token fallback effective --------- Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-03-21 16:41:56 +00:00 · 2026-02-26 22:17:30 +08:00
parent 4c75eca580
commit 77a3930b72
2 changed files with 44 additions and 3 deletions
--- a/src/gateway/credentials.test.ts
+++ b/src/gateway/credentials.test.ts
@@ -86,6 +86,42 @@ describe("resolveGatewayCredentialsFromConfig", () => {
    expectEnvGatewayCredentials(resolved);
  });

+  it("falls back to remote credentials in local mode when local auth is missing", () => {
+    const resolved = resolveGatewayCredentialsFromConfig({
+      cfg: cfg({
+        gateway: {
+          mode: "local",
+          remote: { token: "remote-token", password: "remote-password" },
+          auth: {},
+        },
+      }),
+      env: {} as NodeJS.ProcessEnv,
+      includeLegacyEnv: false,
+    });
+    expect(resolved).toEqual({
+      token: "remote-token",
+      password: "remote-password",
+    });
+  });
+
+  it("keeps local credentials ahead of remote fallback in local mode", () => {
+    const resolved = resolveGatewayCredentialsFromConfig({
+      cfg: cfg({
+        gateway: {
+          mode: "local",
+          remote: { token: "remote-token", password: "remote-password" },
+          auth: { token: "local-token", password: "local-password" },
+        },
+      }),
+      env: {} as NodeJS.ProcessEnv,
+      includeLegacyEnv: false,
+    });
+    expect(resolved).toEqual({
+      token: "local-token",
+      password: "local-password",
+    });
+  });
+
  it("uses remote-mode remote credentials before env and local config", () => {
    const resolved = resolveRemoteModeWithRemoteCredentials();
    expect(resolved).toEqual({
--- a/src/gateway/credentials.ts
+++ b/src/gateway/credentials.ts
@@ -116,7 +116,7 @@ export function resolveGatewayCredentialsFromConfig(params: {

  const mode: GatewayCredentialMode =
    params.modeOverride ?? (params.cfg.gateway?.mode === "remote" ? "remote" : "local");
-  const remote = mode === "remote" ? params.cfg.gateway?.remote : undefined;
+  const remote = params.cfg.gateway?.remote;
  const envToken = readGatewayTokenEnv(env, includeLegacyEnv);
  const envPassword = readGatewayPasswordEnv(env, includeLegacyEnv);

@@ -129,9 +129,14 @@ export function resolveGatewayCredentialsFromConfig(params: {
  const localPasswordPrecedence = params.localPasswordPrecedence ?? "env-first";

  if (mode === "local") {
+    // In local mode, prefer gateway.auth.token, but also accept gateway.remote.token
+    // as a fallback for cron commands and other local gateway clients.
+    // This allows users in remote mode to use a single token for all operations.
+    const fallbackToken = localToken ?? remoteToken;
+    const fallbackPassword = localPassword ?? remotePassword;
    const localResolved = resolveGatewayCredentialsFromValues({
-      configToken: localToken,
-      configPassword: localPassword,
+      configToken: fallbackToken,
+      configPassword: fallbackPassword,
      env,
      includeLegacyEnv,
      tokenPrecedence: localTokenPrecedence,