feat(gateway-auth): enhance authentication configuration and credential retrieval (#292)

- Added support for specifying authentication mode ('token' or 'password') in the gateway configuration.
- Updated `getDetectedGatewayToken` function to return the appropriate credential based on the selected mode.
- Improved security scan checks for gateway authentication, ensuring both token and password modes are validated correctly.
Jonatan 2026-03-12 02:29:28 -03:00 committed by GitHub
parent 83e98d75e1
commit d2bbacbee3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 23 additions and 5 deletions


@ -5,7 +5,9 @@ import { logger } from '@/lib/logger'
interface OpenClawGatewayConfig { interface OpenClawGatewayConfig {
gateway?: { gateway?: {
auth?: { auth?: {
mode?: 'token' | 'password'
token?: string token?: string
password?: string
} }
port?: number port?: number
controlUi?: { controlUi?: {
@ -65,13 +67,26 @@ export function registerMcAsDashboard(mcUrl: string): { registered: boolean; alr
} }
} }
/**
* Returns the gateway auth credential (token or password) for Bearer/WS auth.
* Env overrides: OPENCLAW_GATEWAY_TOKEN, GATEWAY_TOKEN, OPENCLAW_GATEWAY_PASSWORD, GATEWAY_PASSWORD.
* From config: uses gateway.auth.token when mode is "token", gateway.auth.password when mode is "password".
*/
export function getDetectedGatewayToken(): string { export function getDetectedGatewayToken(): string {
const envToken = (process.env.OPENCLAW_GATEWAY_TOKEN || process.env.GATEWAY_TOKEN || '').trim() const envToken = (process.env.OPENCLAW_GATEWAY_TOKEN || process.env.GATEWAY_TOKEN || '').trim()
if (envToken) return envToken if (envToken) return envToken
const envPassword = (process.env.OPENCLAW_GATEWAY_PASSWORD || process.env.GATEWAY_PASSWORD || '').trim()
if (envPassword) return envPassword
const parsed = readOpenClawConfig() const parsed = readOpenClawConfig()
const cfgToken = String(parsed?.gateway?.auth?.token || '').trim() const auth = parsed?.gateway?.auth
return cfgToken const mode = auth?.mode === 'password' ? 'password' : 'token'
const credential =
mode === 'password'
? String(auth?.password ?? '').trim()
: String(auth?.token ?? '').trim()
return credential
} }
export function getDetectedGatewayPort(): number | null { export function getDetectedGatewayPort(): number | null {
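Review bot: The environment lookups at the top of `getDetectedGatewayToken` run before `gateway.auth.mode` is read, so a leftover `GATEWAY_TOKEN` in the environment is returned even when the config selects `mode: 'password'`, and an env password is likewise returned under token mode. The docstring lists the overrides but not this precedence; I would add `* Precedence: env token, then env password, then the config credential for gateway.auth.mode; env values are not checked against mode.`, or select the env variable by mode if a mismatched one should not win. Separately, `String(auth?.password ?? '')` turns a non-string config value into a credential (`false` becomes "false", where the old `|| ''` gave an empty string); `typeof auth?.password === 'string' ? auth.password.trim() : ''` avoids that, assuming `readOpenClawConfig()` returns unvalidated JSON. Callers now receive a password from a function named for a token, so any call site that logs or displays the return value deserves a second look.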


@ -306,12 +306,15 @@ function scanOpenClaw(): Category {
} catch { /* skip */ } } catch { /* skip */ }
const gwAuth = ocConfig?.gateway?.auth const gwAuth = ocConfig?.gateway?.auth
const tokenOk = gwAuth?.mode === 'token' && (gwAuth?.token ?? '').trim().length > 0
const passwordOk = gwAuth?.mode === 'password' && (gwAuth?.password ?? '').trim().length > 0
const authOk = tokenOk || passwordOk
checks.push({ checks.push({
id: 'gateway_auth', id: 'gateway_auth',
name: 'Gateway authentication', name: 'Gateway authentication',
status: gwAuth?.mode === 'token' && gwAuth?.token ? 'pass' : 'fail', status: authOk ? 'pass' : 'fail',
detail: gwAuth?.mode === 'token' ? 'Token auth enabled' : `Auth mode: ${gwAuth?.mode || 'none'}`, detail: tokenOk ? 'Token auth enabled' : passwordOk ? 'Password auth enabled' : `Auth mode: ${gwAuth?.mode || 'none'} (credential required)`,
fix: gwAuth?.mode !== 'token' ? 'Set gateway.auth.mode to "token" with a strong random token' : '', fix: !authOk ? 'Set gateway.auth.mode to "token" with gateway.auth.token, or "password" with gateway.auth.password' : '',
severity: 'critical', severity: 'critical',
}) })
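Review bot: `tokenOk` and `passwordOk` accept any non-empty string, so this critical check reports 'pass' for a one-character password, and the new `fix` text drops the earlier "strong random token" guidance. Consider a length floor on the credential (the threshold is the project's call) and keeping the wording, e.g. `'Set gateway.auth.mode to "token" with a strong random gateway.auth.token, or "password" with a long, unique gateway.auth.password'`. Also, `(gwAuth?.token ?? '').trim()` throws if the parsed config holds a non-string there, which the previous truthiness test did not; whether that can happen depends on how `ocConfig` is loaded, which is outside the hunk. `scanOpenClaw` starts and ends outside this hunk.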