docs: document gateway auth helpers · openclaw/openclaw@043929e
steipete
·
2026-06-05
·
via Recent Commits to openclaw:main
| Original file line number | Diff line number | Diff line change |
|---|
|
| 1 | +// Gateway auth config utilities materialize token/password SecretRefs only for |
| 2 | +// the auth mode that can actually consume them. |
1 | 3 | import type { GatewayAuthConfig } from "../config/types.gateway.js"; |
2 | 4 | import type { OpenClawConfig } from "../config/types.openclaw.js"; |
3 | 5 | import { hasConfiguredSecretInput, resolveSecretInputRef } from "../config/types.secrets.js"; |
@@ -168,6 +170,8 @@ async function resolveGatewayAuthSecretRef(params: {
|
168 | 170 | if (!value) { |
169 | 171 | return params.cfg; |
170 | 172 | } |
| 173 | +// Mutate a clone so startup validation can materialize secrets without |
| 174 | +// altering the caller's raw config object. |
171 | 175 | const nextConfig = structuredClone(params.cfg); |
172 | 176 | nextConfig.gateway ??= {}; |
173 | 177 | nextConfig.gateway.auth ??= {}; |
|
| Original file line number | Diff line number | Diff line change |
|---|
|
| 1 | +// Covers gateway auth mode validation when token and password inputs are both |
| 2 | +// configured directly or via secret defaults. |
1 | 3 | import { describe, expect, it } from "vitest"; |
2 | 4 | import type { OpenClawConfig } from "../config/config.js"; |
3 | 5 | import { |
|
| Original file line number | Diff line number | Diff line change |
|---|
|
| 1 | +// Gateway auth mode policy rejects ambiguous token+password config before |
| 2 | +// credential resolution can choose the wrong side. |
1 | 3 | import type { OpenClawConfig } from "../config/types.openclaw.js"; |
2 | 4 | import { hasConfiguredSecretInput } from "../config/types.secrets.js"; |
3 | 5 | |
|
| Original file line number | Diff line number | Diff line change |
|---|
|
| 1 | +// Gateway auth token resolution applies explicit/config/SecretRef/env |
| 2 | +// precedence with caller-controlled env fallback behavior. |
1 | 3 | import type { OpenClawConfig } from "../config/types.openclaw.js"; |
2 | 4 | import { resolveSecretInputRef } from "../config/types.secrets.js"; |
3 | 5 | import { trimToUndefined } from "./credentials.js"; |
|
| Original file line number | Diff line number | Diff line change |
|---|
|
| 1 | +// Explicit connection policy decides when CLI gateway calls can avoid reading |
| 2 | +// config because URL and auth were fully supplied by flags. |
1 | 3 | import type { OpenClawConfig } from "../config/types.openclaw.js"; |
2 | 4 | import { trimToUndefined, type ExplicitGatewayAuth } from "./credentials.js"; |
3 | 5 | |
|
| Original file line number | Diff line number | Diff line change |
|---|
|
| 1 | +// Gateway input allowlist helpers normalize optional hostname allowlists while |
| 2 | +// keeping "unset" distinct from "deny all". |
1 | 3 | import { normalizeTrimmedStringList } from "@openclaw/normalization-core/string-normalization"; |
2 | 4 | |
3 | 5 | /** |
|
| Original file line number | Diff line number | Diff line change |
|---|
|
| 1 | +// Covers gateway protected-path canonicalization for repeated encoding, |
| 2 | +// malformed encodings, dot segments, and plugin route prefixes. |
1 | 3 | import { describe, expect, it } from "vitest"; |
2 | 4 | import { |
3 | 5 | PROTECTED_PLUGIN_ROUTE_PREFIXES, |
|
| Original file line number | Diff line number | Diff line change |
|---|
|
| 1 | +// Gateway path security canonicalizes repeatedly encoded paths and protects |
| 2 | +// plugin HTTP routes even under malformed encoding. |
1 | 3 | import { normalizeLowercaseStringOrEmpty } from "@openclaw/normalization-core/string-coerce"; |
2 | 4 | |
3 | 5 | type SecurityPathCanonicalization = { |
|
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。