Harden desktop gateway exposure by pmbstyle · Pull Request #96 · pmbstyle/Octopal

pmbstyle · 2026-05-16T23:42:00Z

The desktop installer previously wrote a config that binds the gateway to 0.0.0.0 and can start it automatically, enabling unauthenticated access on reachable networks. This change prevents accidental LAN exposure from the one-click desktop flow.
WebSocket endpoints accepted remote clients when no Tailscale allowlist was present and dashboard token handling treated an empty token as “no auth”, enabling unauthenticated control; this must be gated.
Make safer defaults across the codebase so non-Desktop installs are not encouraged to listen on all interfaces.

Desktop installer: changed generation logic in desktop/src/renderer/src/lib/install.ts to bind generated gateway configs to 127.0.0.1 and to automatically generate a dashboard token when the webapp is enabled but no token was provided, preserving the existing sentinel for previously stored secrets. (dashboardToken fallback + host: "127.0.0.1").
Gateway defaults: switched serialized model and settings defaults from 0.0.0.0 to 127.0.0.1 in src/octopal/infrastructure/config/models.py and src/octopal/infrastructure/config/settings.py to reduce insecure defaults.
WebSocket hardening: updated src/octopal/gateway/ws.py to add _is_local_ws_client, _provided_ws_token, and _reject_ws helpers; reject non-local clients when no Tailscale allowlist is available; require the configured dashboard token for WS connections when set and close unauthorized sockets with a policy violation.
Tests: extended tests/test_gateway_ws_resolution.py with coverage for the local-host helper and an explicit case asserting WebSocket token requirement when dashboard_token is configured.

Ran code formatting with uv run black and lint checks with uv run ruff on modified files; both checks passed.
Verified Python syntax/compilation with uv run python -m py_compile for changed Python modules; compilation succeeded.
Verified desktop TypeScript with npm run typecheck and npm run build in desktop/; both succeeded.
Attempted to run uv run python -m pytest tests/test_gateway_ws_resolution.py tests/test_dashboard_v2_api.py, but test collection could not complete in this environment because pytest/dev dependencies were not available in the local venv (network/download error for dev packages); unit test file updates were added and should pass in CI where test dependencies are installed.

harden desktop gateway exposure

2b4912b

pmbstyle added the codex label May 16, 2026 — with ChatGPT Codex Connector

pmbstyle self-assigned this May 16, 2026

pmbstyle merged commit 63cebcc into main May 16, 2026
4 checks passed

pmbstyle deleted the codex/investigate-gateway-access-via-tailscale branch May 16, 2026 23:44

Provide feedback