a86e939072
* fix(session-cookie): migrate to __Host- prefix for secure contexts - Update session-cookie.ts to use __Host-mc-session for HTTPS requests - Add LEGACY_MC_SESSION_COOKIE_NAME for backward compatibility with HTTP - Add parseMcSessionCookieHeader() to parse both cookie names - Add isRequestSecure() helper to detect HTTPS requests - Update cookie options to enforce Secure, HttpOnly, SameSite=Strict - Update all call sites (login, logout, google, me, proxy, auth) - Update e2e tests to support both cookie names - Update documentation (README.md, SKILL.md, openapi.json) This addresses the high-priority TODO about migrating to the __Host- prefix for enhanced security. The __Host- prefix enforces Secure + Path=/ and prevents subdomain attacks. Legacy mc-session is still supported for HTTP contexts. * fix(tests): keep login-flow cookie name aligned with response - remove unreachable nullish expression in session cookie secure flag - use returned cookie pair in login-flow spec instead of forcing __Host- prefix --------- Co-authored-by: Nyk <0xnykcd@googlemail.com> |
||
|---|---|---|
| .. | ||
| fixtures/openclaw | ||
| README.md | ||
| actor-identity-hardening.spec.ts | ||
| agent-api-keys.spec.ts | ||
| agent-attribution.spec.ts | ||
| agent-comms.spec.ts | ||
| agent-costs.spec.ts | ||
| agent-diagnostics.spec.ts | ||
| agent-evals.spec.ts | ||
| agent-optimize.spec.ts | ||
| agent-self-register.spec.ts | ||
| agents-crud.spec.ts | ||
| alerts-crud.spec.ts | ||
| api-index.spec.ts | ||
| auth-guards.spec.ts | ||
| channels-api.spec.ts | ||
| chat-session-prefs.spec.ts | ||
| cron-operations.spec.ts | ||
| csrf-validation.spec.ts | ||
| delete-body.spec.ts | ||
| device-identity.spec.ts | ||
| device-management.spec.ts | ||
| diagnostics-api.spec.ts | ||
| direct-cli.spec.ts | ||
| docs-knowledge.spec.ts | ||
| exec-approval-allowlist.spec.ts | ||
| gateway-config.spec.ts | ||
| gateway-connect.spec.ts | ||
| github-sync.spec.ts | ||
| helpers.ts | ||
| injection-guard-endpoints.spec.ts | ||
| legacy-cookie-removed.spec.ts | ||
| limit-caps.spec.ts | ||
| local-agent-sync.spec.ts | ||
| login-flow.spec.ts | ||
| memory-knowledge.spec.ts | ||
| mentions.spec.ts | ||
| notifications.spec.ts | ||
| onboarding-api.spec.ts | ||
| openapi.spec.ts | ||
| openclaw-harness.spec.ts | ||
| project-agents.spec.ts | ||
| projects-crud.spec.ts | ||
| quality-review.spec.ts | ||
| rate-limiting.spec.ts | ||
| search-and-export.spec.ts | ||
| security-audit.spec.ts | ||
| security-scan-api.spec.ts | ||
| session-controls.spec.ts | ||
| sessions-continue.spec.ts | ||
| skills-crud.spec.ts | ||
| skills-registry.spec.ts | ||
| task-comments.spec.ts | ||
| task-outcomes.spec.ts | ||
| task-queue.spec.ts | ||
| task-regression.spec.ts | ||
| tasks-crud.spec.ts | ||
| tenant-workspaces.spec.ts | ||
| timing-safe-auth.spec.ts | ||
| user-management.spec.ts | ||
| webhooks-crud.spec.ts | ||
| workflows-crud.spec.ts | ||
| workload-signals.spec.ts | ||
README.md
E2E Tests
Playwright end-to-end specs for Mission Control API and UI.
Running
# Start the dev server first (or let Playwright auto-start via reuseExistingServer)
pnpm dev --hostname 127.0.0.1 --port 3005
# Run all tests
pnpm test:e2e
# Run offline OpenClaw harness (no OpenClaw install required)
pnpm test:e2e:openclaw
# Run a specific spec
pnpm exec playwright test tests/tasks-crud.spec.ts
Test Environment
Tests require .env.local with:
API_KEY=test-api-key-e2e-12345MC_DISABLE_RATE_LIMIT=1(bypasses mutation/read rate limits, keeps login rate limit active)
OpenClaw Offline Harness
The harness runs Mission Control against fixture data and mock binaries/gateway:
- fixtures:
tests/fixtures/openclaw/ - mock CLI:
scripts/e2e-openclaw/bin/{openclaw,clawdbot} - mock gateway:
scripts/e2e-openclaw/mock-gateway.mjs
Profiles:
pnpm test:e2e:openclaw:local- local mode (gateway not running)pnpm test:e2e:openclaw:gateway- gateway mode (mock gateway running)
Spec Files
Security & Auth
auth-guards.spec.ts— All API routes return 401 without authcsrf-validation.spec.ts— CSRF origin header validationlegacy-cookie-removed.spec.ts— Old cookie format rejectedlogin-flow.spec.ts— Login, session, redirect lifecyclerate-limiting.spec.ts— Login brute-force protectiontiming-safe-auth.spec.ts— Constant-time API key comparison
CRUD Lifecycle
tasks-crud.spec.ts— Tasks POST/GET/PUT/DELETE with filters, Aegis gateagents-crud.spec.ts— Agents CRUD, lookup by name/id, admin-only deletetask-comments.spec.ts— Threaded comments on tasksworkflows-crud.spec.ts— Workflow template CRUDwebhooks-crud.spec.ts— Webhooks with secret masking and regenerationalerts-crud.spec.ts— Alert rule CRUD with full lifecycleuser-management.spec.ts— User admin CRUD
Features
notifications.spec.ts— Notification delivery and read trackingquality-review.spec.ts— Quality reviews with batch lookupsearch-and-export.spec.ts— Global search, data export, activity feed
Infrastructure
limit-caps.spec.ts— Endpoint limit caps enforceddelete-body.spec.ts— DELETE body standardization
Shared
helpers.ts— Factory functions (createTestTask,createTestAgent, etc.) and cleanup helpers