From 702cf6545b38836b5707b64e75216987a84c7687 Mon Sep 17 00:00:00 2001
From: Nick Taylor
Date: Fri, 13 Feb 2026 16:52:34 +0000
Subject: [PATCH] fix(gateway): allow lan binding with trusted-proxy auth mode
Critical bug: Gateway startup validation rejected lan binding when using trusted-proxy auth mode because it only checked for token/password. The validation on line 99 threw 'refusing to bind gateway to lan without auth' even when authMode was 'trusted-proxy', because hasSharedSecret is false for trusted-proxy mode (it doesn't use tokens/passwords).
Fix: Allow lan binding when authMode is 'trusted-proxy' by adding && authMode !== 'trusted-proxy' to the condition. This allows the gateway to start with bind=lan when configured for trusted-proxy authentication (e.g., behind Pomerium).
Without this fix, users get crash-loop with 'refusing to bind' error even though trusted-proxy mode is correctly configured.
---
 src/gateway/server-runtime-config.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/gateway/server-runtime-config.ts b/src/gateway/server-runtime-config.ts
index af1c45aee95..1ed880241ff 100644
--- a/src/gateway/server-runtime-config.ts
+++ b/src/gateway/server-runtime-config.ts
@@ -96,7 +96,7 @@ export async function resolveGatewayRuntimeConfig(params: {
 if (tailscaleMode !== "off" && !isLoopbackHost(bindHost)) {
 throw new Error("tailscale serve/funnel requires gateway bind=loopback (127.0.0.1)");
 }
- if (!isLoopbackHost(bindHost) && !hasSharedSecret) {
+ if (!isLoopbackHost(bindHost) && !hasSharedSecret && authMode !== "trusted-proxy") {
 throw new Error(
 `refusing to bind gateway to ${bindHost}:${params.port} without auth (set gateway.auth.token/password, or set OPENCLAW_GATEWAY_TOKEN/OPENCLAW_GATEWAY_PASSWORD)`,
 );
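Review bot: The relaxed condition on the `+` line exempts a non-loopback bind whenever authMode is "trusted-proxy", but the error message two lines below still tells the operator only to set a token/password, so an operator whose authMode is unset or misspelled gets advice that no longer matches the rule; suggest `…without auth (set gateway.auth.token/password, set OPENCLAW_GATEWAY_TOKEN/OPENCLAW_GATEWAY_PASSWORD, or use trusted-proxy auth mode)`. Nothing in this hunk verifies that the proxy configuration the mode depends on is actually present, so unless that validation already happens elsewhere in resolveGatewayRuntimeConfig, a LAN-reachable gateway in this mode would presumably accept proxy-supplied identity from any client that reaches it directly, bypassing the proxy; consider gating the exemption on the resolved trusted-proxy settings rather than on the mode string alone. A short why-comment above the condition would help the next reader, e.g. `// trusted-proxy mode authenticates via the upstream proxy, so no shared secret is required here`. resolveGatewayRuntimeConfig begins and ends outside the hunk.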