CVE-2026-28472

This commit explicitly changed the handshake so that merely having `connectParams.auth?.token` allows a connection to skip the required device identity check (`if (!device && !hasTokenAuth)`), before that token has been validated. The later change to only attempt device-token verification when `device` exists means token presence alone becomes enough to reach authorization logic without proving device identity, matching the CVE description. The fix commit corrects this by authorizing first and only permitting the no-device path when shared authentication is actually valid (`sharedAuthOk`), not just present.

• •BIC added `const hasTokenAuth = !!connectParams.auth?.token;` and changed the guard from `if (!device)` to `if (!device && !hasTokenAuth)`.
• •Commit message states intent: `fix: allow token auth to bypass device identity requirement`, confirming it introduced the bypass behavior.
• •BIC also changed `if (!authOk && connectParams.auth?.token)` to `if (!authOk && connectParams.auth?.token && device)`, so when no device is present the code no longer performs device-token verification at all.
• •Fix commit moves `authorizeGatewayConnect(...)` before the no-device check and changes skip logic to require `sharedAuthOk` (validated token/password), preventing bypass on unvalidated token presence.

The BIC introduced the exact vulnerability described in CVE-2026-28472. Before this commit, all connections without a device identity were rejected (`if (!device)`). The BIC changed this to `if (!device && !hasTokenAuth)` where `hasTokenAuth = !!connectParams.auth?.token` — merely checking for token *presence* rather than token *validity*. This allowed connections to skip device identity checks by simply including any token value in the auth payload, even an invalid one, because the actual token validation (`authorizeGatewayConnect`) happened much later in the code flow. The fix corrects this by moving authorization before the device check and requiring actual validated authentication (`sharedAuthOk`) rather than mere token presence.

• •BIC added `const hasTokenAuth = !!connectParams.auth?.token` which only checks token presence, not validity
• •BIC changed `if (!device)` to `if (!device && !hasTokenAuth)`, allowing device identity bypass with unvalidated tokens
• •BIC also added `&& device` guard to `verifyDeviceToken`, preventing token verification when device is absent — compounding the issue
• •Fix replaces `hasTokenAuth` (presence check) with `sharedAuthOk` (validated auth result) and moves `authorizeGatewayConnect` before the device check
• •Before the BIC, all connections without device identity were rejected; the BIC introduced the bypass path

The vulnerability (CVE-2026-28472) occurs because the gateway connection logic skips device identity checks if an authentication token is merely present, without verifying its validity first. This allows an attacker to bypass device identity requirements by providing a dummy token, provided they can authenticate via another method (like Tailscale). The suspected commit `079af0d0b02ca2c722f90b6c4e38e27ba16227b4` introduced this exact flaw. It added the `hasTokenAuth = !!connectParams.auth?.token;` check and modified the device identity validation to be skipped if `hasTokenAuth` is true (`if (!device && !hasTokenAuth)`). Because this check only verifies the presence of a token and occurs before the actual authentication validation (`authorizeGatewayConnect`), it directly introduced the vulnerability. The fix commit resolves this by moving the authentication validation before the device check and ensuring only a successfully validated shared-secret token can bypass the device identity requirement.

• •The vulnerability description states that device identity checks could be skipped when auth.token was present but not yet validated.
• •Commit 079af0d0b02ca2c722f90b6c4e38e27ba16227b4 introduced the `hasTokenAuth = !!connectParams.auth?.token;` check.
• •The commit modified the device identity check to `if (!device && !hasTokenAuth)`, skipping the check if any token is present.
• •The actual token validation (`authorizeGatewayConnect`) occurs after this check, meaning an invalid token could bypass the device identity requirement if another auth method (like Tailscale) succeeds.
• •The fix commit (fe81b1d7125a014b8280da461f34efbf5f761575) resolves this by moving `authorizeGatewayConnect` before the device check and requiring a validated shared-secret token (`sharedAuthOk`) to skip device identity.