fix: implement device auth nonce challenge-response flow#35
Open
othreecodes wants to merge 1 commit intoibelick:mainfrom
Open
fix: implement device auth nonce challenge-response flow#35othreecodes wants to merge 1 commit intoibelick:mainfrom
othreecodes wants to merge 1 commit intoibelick:mainfrom
Conversation
The gateway requires a two-step device authentication handshake: 1. After WebSocket open, the gateway sends a connect.challenge event with a nonce 2. The client must include this nonce in the device signature (using v2 payload format) Previously, gateway.ts sent the connect request immediately without waiting for the challenge event, causing "device nonce required" (code 1008) errors on gateways that enforce device auth. Changes: - Add waitForConnectChallenge() to listen for the connect.challenge event - Update buildConnectParams() to accept optional nonce parameter - Use v2 signature format (includes nonce) when nonce is present - Update all four connection points: connectGateway, createGatewayClient, gatewayRpc, and gatewayConnectCheck
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
WebClaw fails to connect to OpenClaw gateways that enforce device authentication with the nonce challenge-response protocol, returning
device nonce required(WebSocket close code 1008).Cause
gateway.tssent theconnectrequest immediately after WebSocket open without waiting for theconnect.challengeevent from the gateway. The nonce was never included in the device signature, so the gateway rejected the handshake.Fix
waitForConnectChallenge()function that listens for theconnect.challengeevent and extracts the noncebuildConnectParams()to accept an optionalnonceparameterv2payload format (which includes the nonce in the signed data)connectGateway,createGatewayClient.connect,gatewayRpc, andgatewayConnectCheckHow It Works
connect.challengeevent with a nonceconnectrequest with the signed nonceBackward compatible: falls back to
v1format if no nonce is provided.