refactor(gateway): make ws and http auth surfaces explicit

2026-05-05 08:50:21 +00:00 · 2026-02-21 13:31:58 +01:00
parent 1835dec200
commit 36a0df423d
8 changed files with 119 additions and 45 deletions
--- a/src/gateway/server/ws-connection/message-handler.ts
+++ b/src/gateway/server/ws-connection/message-handler.ts
@@ -30,7 +30,11 @@ import {
  type AuthRateLimiter,
 } from "../../auth-rate-limit.js";
 import type { GatewayAuthResult, ResolvedGatewayAuth } from "../../auth.js";
-import { authorizeGatewayConnect, isLocalDirectRequest } from "../../auth.js";
+import {
+  authorizeHttpGatewayConnect,
+  authorizeWsControlUiGatewayConnect,
+  isLocalDirectRequest,
+} from "../../auth.js";
 import {
  buildCanvasScopedHostUrl,
  CANVAS_CAPABILITY_TTL_MS,
@@ -380,12 +384,11 @@ export function attachGatewayWsMessageHandler(params: {

        const resolveAuthState = async () => {
          const hasDeviceTokenCandidate = Boolean(connectParams.auth?.token && device);
-          let nextAuthResult: GatewayAuthResult = await authorizeGatewayConnect({
+          let nextAuthResult: GatewayAuthResult = await authorizeWsControlUiGatewayConnect({
            auth: resolvedAuth,
            connectAuth: connectParams.auth,
            req: upgradeReq,
            trustedProxies,
-            allowTailscaleHeaderAuth: true,
            rateLimiter: hasDeviceTokenCandidate ? undefined : rateLimiter,
            clientIp,
            rateLimitScope: AUTH_RATE_LIMIT_SCOPE_SHARED_SECRET,
@@ -416,7 +419,7 @@ export function attachGatewayWsMessageHandler(params: {
          const nextAuthMethod =
            nextAuthResult.method ?? (resolvedAuth.mode === "password" ? "password" : "token");
          const sharedAuthResult = hasSharedAuth
-            ? await authorizeGatewayConnect({
+            ? await authorizeHttpGatewayConnect({
                auth: { ...resolvedAuth, allowTailscale: false },
                connectAuth: connectParams.auth,
                req: upgradeReq,