From a43be09dcafbe19f839e4761c09fe523c479b16e Mon Sep 17 00:00:00 2001
From: Garming
Date: Wed, 22 Apr 2026 22:38:27 +0800
Subject: [PATCH] fix(doctor): skip token generation for trusted-proxy and none auth modes (#59055)

runGatewayAuthHealth() only excluded 'password' and 'token' (with existing token) from its needsToken check. When gateway.auth.mode was set to 'trusted-proxy' or 'none', doctor --fix would incorrectly: 1. Flag the config as 'missing a token' 2. Prompt to generate a gateway token 3. Overwrite auth.mode to 'token' in openclaw.json This silently broke trusted-proxy deployments (common in SaaS/reverse-proxy setups) by replacing the delegated auth mode with token auth. The fix aligns runGatewayAuthHealth() with the existing hasExplicitGatewayInstallAuthMode() in auth-install-policy.ts, which already correctly returns false for 'password', 'none', and 'trusted-proxy'.

Co-authored-by: wujiaming88
---
 src/flows/doctor-health-contributions.ts | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/flows/doctor-health-contributions.ts b/src/flows/doctor-health-contributions.ts
index f741bd2e9da..34e5ab56246 100644
--- a/src/flows/doctor-health-contributions.ts
+++ b/src/flows/doctor-health-contributions.ts
@@ -123,7 +123,15 @@ async function runGatewayAuthHealth(ctx: DoctorHealthFlowContext): Promise
 authConfig: ctx.cfg.gateway?.auth,
 tailscaleMode: ctx.cfg.gateway?.tailscale?.mode ?? "off",
 });
- const needsToken = auth.mode !== "password" && (auth.mode !== "token" || !auth.token);
+ // Modes that don't need a token: password, none, trusted-proxy.
+ // This aligns with hasExplicitGatewayInstallAuthMode() in auth-install-policy.ts.
+ // Previously, only "password" and "token" (with a token present) were excluded,
+ // causing doctor --fix to overwrite trusted-proxy/none configs with token mode.
+ const needsToken =
+ auth.mode !== "password" &&
+ auth.mode !== "none" &&
+ auth.mode !== "trusted-proxy" &&
+ (auth.mode !== "token" || !auth.token);
 if (!needsToken) {
 return;
 }
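Review bot: The `needsToken` expression is still a hand-written denylist that has to be kept in step with hasExplicitGatewayInstallAuthMode() in auth-install-policy.ts, so any auth mode added later and not listed here will again be treated as "missing a token" and, per the commit message, rewritten to token mode by doctor --fix. Since that silent rewrite of the gateway's authentication mode is the failure this commit fixes, the list of token-less modes is better defined once and shared, for example `const needsToken = !TOKENLESS_AUTH_MODES.has(auth.mode) && (auth.mode !== "token" || !auth.token);`, where `TOKENLESS_AUTH_MODES` is a proposed name for a set exported next to the install-policy helper. Separately, the early return now also covers `none`, so this check reports nothing for a gateway with authentication disabled; whether another doctor check flags that is not visible here, because the body of runGatewayAuthHealth continues outside the hunk. The two "Previously, …" comment lines narrate history that the commit message already records and could be dropped from the code.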