From 83689fc83837ac80837705cfd4b81aae0214afeb Mon Sep 17 00:00:00 2001
From: Marco Di Dionisio
Date: Mon, 23 Feb 2026 19:20:26 +0100
Subject: [PATCH] fix: include trusted-proxy in sharedAuthOk check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In trusted-proxy mode, sharedAuthResult is null because hasSharedAuth only triggers for token/password in connectParams.auth. But the primary auth (authResult) already validated the trusted-proxy — the connection came from a CIDR in trustedProxies with a valid userHeader. This IS shared auth semantically (the proxy vouches for identity), so operator connections should be able to skip device identity. Without this fix, trusted-proxy operator connections are rejected with "device identity required" because roleCanSkipDeviceIdentity() sees sharedAuthOk=false.
(cherry picked from commit e87048a6a650d391e1eb5704546eb49fac5f0091)
---
 src/gateway/server/ws-connection/auth-context.ts | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/gateway/server/ws-connection/auth-context.ts b/src/gateway/server/ws-connection/auth-context.ts
index d5e98dfd533..cb797772288 100644
--- a/src/gateway/server/ws-connection/auth-context.ts
+++ b/src/gateway/server/ws-connection/auth-context.ts
@@ -133,9 +133,13 @@ export async function resolveConnectAuthState(params: {
 // primary auth flow (or deferred for device-token candidates).
 rateLimitScope: AUTH_RATE_LIMIT_SCOPE_SHARED_SECRET,
 }));
+ // Trusted-proxy auth is semantically shared: the proxy vouches for identity,
+ // no per-device credential needed. Include it so operator connections
+ // can skip device identity via roleCanSkipDeviceIdentity().
 const sharedAuthOk =
- sharedAuthResult?.ok === true &&
- (sharedAuthResult.method === "token" || sharedAuthResult.method === "password");
+ (sharedAuthResult?.ok === true &&
+ (sharedAuthResult.method === "token" || sharedAuthResult.method === "password")) ||
+ (authResult.ok && authResult.method === "trusted-proxy");
 return {
 authResult,
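Review bot: The new third operand of `sharedAuthOk` lets operator connections skip device identity on the strength of the proxy-supplied header alone, and nothing in this hunk states or checks the conditions that make that safe. The trust now rests on the proxy overwriting any client-supplied user header and on the gateway being reachable only through the `trustedProxies` CIDRs; I would record that next to the expression, e.g. `// Safe only if the proxy strips client-supplied identity headers and the gateway is unreachable except via trustedProxies.` The name `sharedAuthOk` also now covers a case where no shared secret was presented, so any other consumer of the flag in the returned state (not visible here; the function body continues outside the hunk) inherits the wider meaning, and a separate local such as `trustedProxyAuthOk` fed only into the device-identity decision would keep that contained. For consistency with the first operand, compare strictly: `(authResult.ok === true && authResult.method === "trusted-proxy")`. The commit touches a single file, so a regression test for the trusted-proxy operator path, plus a negative case showing other roles still require device identity, appears to be missing.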