#10093: fix: import gateway token from URL param into localStorage
app: web-ui
stale
Cluster:
UI Enhancements and Security Fixes
## Summary
- When opening the Control UI with `?token=<value>` in the URL, the token was stripped from the URL but never persisted to localStorage, causing an authentication error on every visit.
- Now the token is saved to localStorage on first visit (when no token is already stored), so the gateway connection succeeds immediately.
- Existing stored tokens are not overwritten, preserving the original security intent.
## Test plan
- [ ] Open `http://localhost:18789/?token=<gateway-token>` with empty localStorage — token should be saved and gateway should connect.
- [ ] Open the same URL when a token is already stored — existing token should not be overwritten.
- [ ] Updated browser test: "imports token from URL when no token is stored".
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- greptile_comment -->
<h2>Greptile Overview</h2>
<h3>Greptile Summary</h3>
This PR updates the Control UI settings bootstrap so that when the page is opened with a token URL parameter, the token is persisted into UI settings (and therefore localStorage) on first visit, while still stripping it from the URL.
Concretely, `applySettingsFromUrl` now trims and imports the token only when `host.settings.token` is empty, preserving the existing intent of not overwriting already-stored tokens. Browser tests were updated to assert the new behavior and to keep coverage for the “do not override stored token” case.
<h3>Confidence Score: 5/5</h3>
- This PR is safe to merge with minimal risk.
- The change is small and localized (URL settings import), preserves the existing non-overwrite behavior for stored tokens, and is covered by an updated browser test plus an explicit regression test for the non-overwrite case. No other code paths are affected beyond initial URL parsing and settings persistence.
- No files require special attention
<!-- greptile_other_comments_section -->
<sub>(2/5) Greptile learns from your feedback when you react with thumbs up/down!</sub>
<!-- /greptile_comment -->
Most Similar PRs
#10800: fix(ui): apply token from URL param to settings
by callebtc · 2026-02-07
85.1%
#18273: fix: extract token from URL query string for Control UI websocket auth
by MisterGuy420 · 2026-02-16
83.8%
#15722: fix: prefer explicit token over stored device token for remote gate...
by 0xPotatoofdoom · 2026-02-13
81.3%
#6352: fix(ux): update gateway token error message UI location
by Glucksberg · 2026-02-01
79.4%
#17279: fix: restore device token priority over config token
by MisterGuy420 · 2026-02-15
79.0%
#19885: test(gateway,browser): isolate tests from ambient OPENCLAW_GATEWAY_...
by NewdlDewdl · 2026-02-18
78.4%
#17765: fix: add link to settings when chat shows auth error
by MisterGuy420 · 2026-02-16
77.2%
#19937: fix(gateway): validate token/password auth modes and isolate gatewa...
by NewdlDewdl · 2026-02-18
76.1%
#13960: fix(ui): preserve structured config validation error details
by constansino · 2026-02-11
75.9%
#17379: fix: restore device token priority in device-auth mode
by Limitless2023 · 2026-02-15
75.7%