NEMOCLAW_DISABLE_DEVICE_AUTH Build Arg Undocumented — Disables Authentication - IssueFinder - SN 19 #1443
Open
Labels: documentation (Improvements or additions to documentation), status: triage (For new items that haven't been reviewed yet.)
Description
The Dockerfile (lines 56-58) defines a build arg NEMOCLAW_DISABLE_DEVICE_AUTH which, when set to "1", disables device-pairing authentication. This is a security-sensitive configuration documented only in Dockerfile comments, not in any user-facing documentation. A user could unknowingly set this in production, creating an unauthenticated sandbox.
Impact
Users may disable authentication unintentionally due to undocumented build args.
Steps to Reproduce
- Search documentation for "NEMOCLAW_DISABLE_DEVICE_AUTH"
- Find zero results in user-facing docs
Expected Behavior
Documentation in sandbox hardening or security best practices page explaining this flag.
Actual Behavior
Only a Dockerfile comment mentions it.
Affected Page
Dockerfile (lines 56-58), docs/deployment/sandbox-hardening.md
Issue Type
Missing documentation
Suggested Fix
Recommended Fix
File to create: docs/deployment/authentication.md
# Authentication Configuration
## `dangerouslyDisableDeviceAuth`
**Location**: Set in `Dockerfile` line 110 when generating `openclaw.json`
**Default**: `True` (device auth disabled in Docker sandbox)
### What It Does
When `True`, the OpenClaw gateway skips the OAuth 2.0 Device Authorization
Grant flow. Users are NOT prompted to authenticate via browser-based
device code approval before accessing the gateway API.
### Why It's Disabled in Docker
The NemoClaw Docker sandbox has no browser. Device auth would deadlock:
the gateway prompts for browser-based approval, but no browser exists
inside the container to complete the flow.
### When to Enable (set to `False`)
Enable device auth when:
- The gateway is network-accessible (not just localhost)
- Multiple users or external clients connect to the same instance
- You need per-user audit trails
```python
# In Dockerfile or openclaw.json generation:
'dangerouslyDisableDeviceAuth': False  # Require device auth
```
### Security Implications
| Setting | Risk | Use Case |
|---|---|---|
| `True` (disabled) | Anyone with network access to the gateway can use it without auth | Single-user local/Docker |
| `False` (enabled) | Requires browser-based approval; gateway generates per-device tokens | Multi-user, external access |
### Related Settings
- `allowInsecureAuth: True` — allows HTTP (non-TLS) auth flows. Set `False` in production.
- `auth.token` — the gateway bearer token generated at build time (`secrets.token_hex(32)`).
- `trustedProxies` — IPs allowed to set `X-Forwarded-For` headers.
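To make the build-arg-to-config path and the risk table above concrete, here is an added example (not code from the NemoClaw repository or the issue author). It mirrors how a build arg such as `NEMOCLAW_DISABLE_DEVICE_AUTH` could be turned into the `dangerouslyDisableDeviceAuth` key of a generated `openclaw.json`, then audits the resulting auth block against the guidance in the proposed documentation. The nested `gateway` layout, the `network_exposed` parameter, and the extra build args `NEMOCLAW_ALLOW_INSECURE_AUTH` and `NEMOCLAW_TRUSTED_PROXIES` are assumptions for illustration; only the key names `dangerouslyDisableDeviceAuth`, `allowInsecureAuth`, `auth.token`, `trustedProxies` and the `secrets.token_hex(32)` token come from the issue.

```python
"""Added example: render the auth block of an openclaw.json-style config from
Dockerfile-style build args and audit it for the risks named in the issue.

Assumptions (not from the project): the nested "gateway" layout, the
NEMOCLAW_ALLOW_INSECURE_AUTH / NEMOCLAW_TRUSTED_PROXIES build args, and the
network_exposed flag passed to the audit.
"""
import json
import secrets


def render_auth_config(build_args: dict) -> dict:
    """Build the auth-related part of the config from build args.

    build_args mimics Dockerfile ARG values as strings; "1" means enabled,
    which is how the issue describes NEMOCLAW_DISABLE_DEVICE_AUTH.
    """
    disable_device_auth = build_args.get("NEMOCLAW_DISABLE_DEVICE_AUTH", "0") == "1"
    # Hypothetical build arg mirroring the allowInsecureAuth setting.
    allow_insecure = build_args.get("NEMOCLAW_ALLOW_INSECURE_AUTH", "0") == "1"
    # Hypothetical comma-separated list feeding trustedProxies.
    proxies = [p.strip() for p in build_args.get("NEMOCLAW_TRUSTED_PROXIES", "").split(",") if p.strip()]
    return {
        "gateway": {
            "dangerouslyDisableDeviceAuth": disable_device_auth,
            "allowInsecureAuth": allow_insecure,
            "trustedProxies": proxies,
            # Bearer token generated at build time, as the issue states.
            "auth": {"token": secrets.token_hex(32)},
        }
    }


def audit_auth_config(config: dict, network_exposed: bool) -> list:
    """Return (severity, message) findings for the auth block.

    network_exposed is True when the gateway listens on more than localhost,
    the condition under which the issue says device auth must be enabled.
    """
    gw = config.get("gateway", {})
    findings = []

    if gw.get("dangerouslyDisableDeviceAuth", False):
        if network_exposed:
            findings.append(("HIGH", "dangerouslyDisableDeviceAuth is True on a network-accessible gateway: "
                                     "anyone who can reach it can use the API without authentication"))
        else:
            findings.append(("INFO", "device auth disabled; acceptable only for a single-user local/Docker sandbox"))

    if gw.get("allowInsecureAuth", False):
        findings.append(("MEDIUM", "allowInsecureAuth is True: auth flows may run over plain HTTP; set False in production"))

    token = gw.get("auth", {}).get("token", "")
    # secrets.token_hex(32) yields 64 hex characters; anything shorter is suspect.
    if len(token) < 64:
        findings.append(("HIGH", "auth.token is missing or shorter than a secrets.token_hex(32) value"))

    return findings


if __name__ == "__main__":
    # Constructed inputs: the sandbox default (auth disabled) exposed on the network.
    cfg = render_auth_config({"NEMOCLAW_DISABLE_DEVICE_AUTH": "1"})
    print(json.dumps(cfg, indent=2))
    for severity, message in audit_auth_config(cfg, network_exposed=True):
        print(f"[{severity}] {message}")
```

Run it as a pre-deployment check: a `HIGH` finding means the generated config matches the "anyone with network access" row of the table above and should not ship. With no build args set, the renderer produces device auth enabled, insecure auth off, and a 64-character token, and the audit returns no findings.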
**Also add** inline comment in `Dockerfile` at line 110:
```dockerfile
# Device auth is disabled because the sandbox has no browser.
# For external-facing deployments, set to False and see
# docs/deployment/authentication.md for security implications.
'dangerouslyDisableDeviceAuth': True, \
```