From 267ff35e570f9178ae28d58c57cae44db4ed150f Mon Sep 17 00:00:00 2001
From: Nick Taylor <nick@nickyt.co>
Date: Fri, 13 Feb 2026 18:09:00 +0000
Subject: [PATCH] fix(browser): prevent auto-token generation from overwriting
 trusted-proxy auth

The browser control service was auto-generating a gateway.auth.token when
no token/password was detected, even when gateway.auth.mode was set to
'trusted-proxy'. This overwrote the trusted-proxy configuration and
switched the gateway back to token mode.

Fix: Skip auto-token generation when auth mode is 'trusted-proxy',
similar to how it already skips for 'password' mode.

This prevents the browser service from mangling the trusted-proxy config
during startup.
---
 src/browser/control-auth.ts | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/browser/control-auth.ts b/src/browser/control-auth.ts
index 8c828bcaad1..636d771ed34 100644
--- a/src/browser/control-auth.ts
+++ b/src/browser/control-auth.ts
@@ -58,6 +58,11 @@ export async function ensureBrowserControlAuth(params: {
     return { auth };
   }
 
+  // Respect explicit trusted-proxy mode (no token/password needed).
+  if (params.cfg.gateway?.auth?.mode === "trusted-proxy") {
+    return { auth };
+  }
+
   // Re-read latest config to avoid racing with concurrent config writers.
   const latestCfg = loadConfig();
   const latestAuth = resolveBrowserControlAuth(latestCfg, env);
@@ -67,6 +72,9 @@ export async function ensureBrowserControlAuth(params: {
   if (latestCfg.gateway?.auth?.mode === "password") {
     return { auth: latestAuth };
   }
+  if (latestCfg.gateway?.auth?.mode === "trusted-proxy") {
+    return { auth: latestAuth };
+  }
 
   const generatedToken = crypto.randomBytes(24).toString("hex");
   const nextCfg: OpenClawConfig = {