## Vulnerability Overview

This commit fixes a session-management flaw in the OpenClaw gateway. When a device pairing was removed (`device.pair.remove`) or a device token was revoked (`device.token.revoke`), the gateway updated its pairing/token state but did not close the WebSocket connections that device already held. A client whose authorization had been withdrawn therefore kept its live session, and with it access to gateway resources, until it disconnected on its own.

## Impact Scope

- **Affected Component**: OpenClaw Gateway server (`src/gateway/`)
- **Involved Functions**:
  - Device pairing removal (`device.pair.remove`)
  - Device token revocation (`device.token.revoke`)
- **Risk Scenario**: A device whose pairing or token has been revoked keeps its existing WebSocket connection and continues to use it; the revocation only takes effect at the device's next connect.

## Fix

### Core Fix Points

1. **Forced disconnection after device pairing removal** (`devices.ts:176-179`)

```typescript
queueMicrotask(() => {
  context.disconnectClientsForDevice?.(removed.deviceId);
});
```

2. **Forced disconnection after device token revocation** (`devices.ts:300-302`)

```typescript
queueMicrotask(() => {
  context.disconnectClientsForDevice?.(normalizedDeviceId, { role: entry.role });
});
```

3. **New disconnection method with role filtering** (`server.impl.ts:1199-1211`)

```typescript
disconnectClientsForDevice: (deviceId: string, opts?: { role?: string }) => {
  for (const gatewayClient of clients) {
    if (gatewayClient.connect.device.id !== deviceId) {
      continue;
    }
    if (opts?.role && gatewayClient.connect.role !== opts.role) {
      continue;
    }
    try {
      gatewayClient.socket.close(4001, "device removed");
    } catch {
      /* ignore */
    }
  }
}
```

4. **Type definition update** (`types.ts:60`)

```typescript
disconnectClientsForDevice?: (deviceId: string, opts?: { role?: string }) => void;
```

### Fix Strategy

- `queueMicrotask` defers the close until the handler's current synchronous work has finished, so the unpair/revoke handler completes its own state update and return path before sockets are torn down. A microtask still runs before the event loop moves on to I/O, so this does not wait for the reply to be flushed to the network; it only keeps the close from interleaving with the handler's own logic.
- Filtering by device ID and, optionally, by role lets a token revocation close only the sessions that token authorised (`{ role: entry.role }`), while pairing removal closes every session of the device.
- Connections are closed with code `4001` and reason `"device removed"`. Codes 4000-4999 are reserved by RFC 6455 for application-defined use, so a client can tell this apart from a normal `1000` close.
- Two points to check when reviewing this fix: `disconnectClientsForDevice` is invoked through `?.`, so if a context is built without it (for example in tests or another server entry point) the disconnect silently does not happen; and closing live sockets only covers existing sessions, so the connect-time pairing/token validation (not part of the snippets above) is what must reject a reconnection attempt by the revoked device.
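To show how the pieces fit together, the following is an added example written for this write-up; it is not OpenClaw's code. It models the client registry, the role-filtered `disconnectClientsForDevice`, and a `device.token.revoke`-style handler that defers the close with `queueMicrotask`. The `FakeSocket`/`GatewayClient` types, the `Role` values and the sample sessions are hypothetical and constructed inline so the example runs stand-alone.

```typescript
// Added example (not OpenClaw's code). Hypothetical types standing in for the
// gateway's client records; the disconnect logic follows the commit's shape.

type Role = "node" | "operator"; // assumed role names

interface FakeSocket {
  closed: boolean;
  closeCode?: number;
  closeReason?: string;
  close(code: number, reason: string): void;
}

interface GatewayClient {
  connect: { device: { id: string }; role: Role };
  socket: FakeSocket;
}

// A socket stub that, like a real ws socket, throws if closed twice.
// This is why the original wraps close() in try/catch.
function makeSocket(): FakeSocket {
  const s: FakeSocket = {
    closed: false,
    close(code, reason) {
      if (s.closed) throw new Error("socket already closed");
      s.closed = true;
      s.closeCode = code;
      s.closeReason = reason;
    },
  };
  return s;
}

// Same logic as the server.impl.ts snippet: match on device id, optionally on
// role, close with application-defined code 4001, ignore close() errors.
// Returns how many sockets were actually closed (the original returns void).
function disconnectClientsForDevice(
  clients: Iterable<GatewayClient>,
  deviceId: string,
  opts?: { role?: Role },
): number {
  let closed = 0;
  for (const client of clients) {
    if (client.connect.device.id !== deviceId) continue;
    if (opts?.role && client.connect.role !== opts.role) continue;
    try {
      client.socket.close(4001, "device removed");
      closed++;
    } catch {
      /* ignore: socket already closing */
    }
  }
  return closed;
}

// Constructed sample registry: device "dev-a" holds two sessions under
// different roles; "dev-b" is an unrelated device that must stay connected.
function sampleClients(): GatewayClient[] {
  return [
    { connect: { device: { id: "dev-a" }, role: "node" }, socket: makeSocket() },
    { connect: { device: { id: "dev-a" }, role: "operator" }, socket: makeSocket() },
    { connect: { device: { id: "dev-b" }, role: "node" }, socket: makeSocket() },
  ];
}

// Models device.token.revoke: the state change and the reply are synchronous,
// the close is queued as a microtask, so it runs after this function returns
// but before the event loop reaches any I/O callback or timer.
function revokeToken(
  clients: GatewayClient[],
  deviceId: string,
  role: Role,
  events: string[],
): { ok: true } {
  events.push("state:revoked");
  queueMicrotask(() => {
    const n = disconnectClientsForDevice(clients, deviceId, { role });
    events.push(`close:${n}`);
  });
  events.push("reply:sent");
  return { ok: true };
}

// Runs the revoke flow and reports the observed ordering plus which
// sessions ended up closed (only dev-a's "node" session should).
async function demoRevoke(): Promise<{ events: string[]; closedIds: string[] }> {
  const clients = sampleClients();
  const events: string[] = [];
  revokeToken(clients, "dev-a", "node", events);
  // Still nothing closed here: the microtask has not run yet.
  events.push(`sync-closed:${clients.filter((c) => c.socket.closed).length}`);
  await Promise.resolve(); // yields so the queued microtask runs first
  const closedIds = clients
    .filter((c) => c.socket.closed)
    .map((c) => `${c.connect.device.id}/${c.connect.role}`);
  return { events, closedIds };
}
```

Calling `disconnectClientsForDevice(clients, "dev-a")` with no role models `device.pair.remove` and closes both of dev-a's sessions; a second call is a no-op because the stub's `close()` throws and the error is swallowed. `demoRevoke()` shows the ordering the commit relies on: `state:revoked`, `reply:sent`, then the deferred `close:1`, with `dev-b` untouched.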