Gateway: refresh websocket auth after secrets reload (#60323)

* Gateway: refresh websocket auth after secrets reload

* Gateway: always restore auth reload test globals

* chore: add changelog for websocket auth reload

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>
mappel-nv
2026-04-03 16:35:31 -04:00
committed by GitHub
parent f3a6d13965
commit 21e53aea9e
6 changed files with 133 additions and 11 deletions


@@ -80,6 +80,7 @@ import {
} from "../tasks/task-registry.maintenance.js";
import { runSetupWizard } from "../wizard/setup.js";
import { createAuthRateLimiter, type AuthRateLimiter } from "./auth-rate-limit.js";
import { resolveGatewayAuth } from "./auth.js";
import { startChannelHealthMonitor } from "./channel-health-monitor.js";
import { startGatewayConfigReloader } from "./config-reload.js";
import type { ControlUiRootState } from "./control-ui.js";
@@ -633,6 +634,13 @@ export async function startGatewayServer(
tailscaleConfig,
tailscaleMode,
} = runtimeConfig;
const getResolvedAuth = () =>
resolveGatewayAuth({
authConfig: getRuntimeConfig().gateway?.auth,
authOverride: opts.auth,
env: process.env,
tailscaleMode,
});
let hooksConfig = runtimeConfig.hooksConfig;
let hookClientIpConfig = resolveHookClientIpConfig(cfgAtStart);
const canvasHostEnabled = runtimeConfig.canvasHostEnabled;
@@ -1311,6 +1319,7 @@ export async function startGatewayServer(
canvasHostEnabled: Boolean(canvasHost),
canvasHostServerPort,
resolvedAuth,
getResolvedAuth,
rateLimiter: authRateLimiter,
browserRateLimiter: browserAuthRateLimiter,
gatewayMethods,
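Review bot: The options object in the last hunk still passes the startup snapshot `resolvedAuth` next to the new `getResolvedAuth`, so any consumer that keeps reading the snapshot would go on accepting the pre-reload credential after a secrets rotation. The receiving code is outside these hunks, so it is worth confirming that every websocket auth check calls the getter and that the snapshot remains only where a startup value is intended. The closure in the second hunk also combines a live `getRuntimeConfig().gateway?.auth` with `tailscaleMode` destructured from the startup `runtimeConfig`, which would resolve inconsistently if that mode can change on reload. Since `resolveGatewayAuth` now presumably runs per connection attempt instead of once at startup, a reload that leaves auth unresolvable should be checked to reject the connection rather than fall through. I would state the intent above the closure, e.g. `// Re-resolved on each call so rotated secrets take effect; tailscaleMode is the startup value.`; `startGatewayServer` begins and ends outside the visible hunks.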