let5see/clawdbot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #1011 from ivanrvpereira/fix/security-audit-gateway-auth

Browse Source 
fix(security): resolve local auth for gateway probe
This commit is contained in:
Peter Steinberger
2026-01-16 19:05:07 +00:00
committed by GitHub
parent 08525435e0 544ca062a3
commit 6bf627bce8
2 changed files with 145 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

144
src/security/audit.test.ts
View File

@@ -401,4 +401,148 @@ describe("security audit", () => {
]), ]),
); );
}); });
describe("maybeProbeGateway auth selection", () => {
it("uses local auth when gateway.mode is local", async () => {
let capturedAuth: { token?: string; password?: string } | undefined;
const cfg: ClawdbotConfig = {
gateway: {
mode: "local",
auth: { token: "local-token-abc123" },
},
};
await runSecurityAudit({
config: cfg,
deep: true,
deepTimeoutMs: 50,
includeFilesystem: false,
includeChannelSecurity: false,
probeGatewayFn: async (opts) => {
capturedAuth = opts.auth;
return {
ok: true,
url: opts.url,
connectLatencyMs: 10,
error: null,
close: null,
health: null,
status: null,
presence: null,
configSnapshot: null,
};
},
});
expect(capturedAuth?.token).toBe("local-token-abc123");
});
it("uses local auth when gateway.mode is undefined (default)", async () => {
let capturedAuth: { token?: string; password?: string } | undefined;
const cfg: ClawdbotConfig = {
gateway: {
auth: { token: "default-local-token" },
},
};
await runSecurityAudit({
config: cfg,
deep: true,
deepTimeoutMs: 50,
includeFilesystem: false,
includeChannelSecurity: false,
probeGatewayFn: async (opts) => {
capturedAuth = opts.auth;
return {
ok: true,
url: opts.url,
connectLatencyMs: 10,
error: null,
close: null,
health: null,
status: null,
presence: null,
configSnapshot: null,
};
},
});
expect(capturedAuth?.token).toBe("default-local-token");
});
it("uses remote auth when gateway.mode is remote with URL", async () => {
let capturedAuth: { token?: string; password?: string } | undefined;
const cfg: ClawdbotConfig = {
gateway: {
mode: "remote",
auth: { token: "local-token-should-not-use" },
remote: {
url: "ws://remote.example.com:18789",
token: "remote-token-xyz789",
},
},
};
await runSecurityAudit({
config: cfg,
deep: true,
deepTimeoutMs: 50,
includeFilesystem: false,
includeChannelSecurity: false,
probeGatewayFn: async (opts) => {
capturedAuth = opts.auth;
return {
ok: true,
url: opts.url,
connectLatencyMs: 10,
error: null,
close: null,
health: null,
status: null,
presence: null,
configSnapshot: null,
};
},
});
expect(capturedAuth?.token).toBe("remote-token-xyz789");
});
it("falls back to local auth when gateway.mode is remote but URL is missing", async () => {
let capturedAuth: { token?: string; password?: string } | undefined;
const cfg: ClawdbotConfig = {
gateway: {
mode: "remote",
auth: { token: "fallback-local-token" },
remote: {
token: "remote-token-should-not-use",
},
},
};
await runSecurityAudit({
config: cfg,
deep: true,
deepTimeoutMs: 50,
includeFilesystem: false,
includeChannelSecurity: false,
probeGatewayFn: async (opts) => {
capturedAuth = opts.auth;
return {
ok: true,
url: opts.url,
connectLatencyMs: 10,
error: null,
close: null,
health: null,
status: null,
presence: null,
configSnapshot: null,
};
},
});
expect(capturedAuth?.token).toBe("fallback-local-token");
});
});
}); });

2
src/security/audit.ts
View File

@@ -538,7 +538,7 @@ async function maybeProbeGateway(params: {
return { token, password }; return { token, password };
}; };
const auth = remoteUrlMissing ? resolveAuth("local") : resolveAuth("remote"); const auth = !isRemoteMode || remoteUrlMissing ? resolveAuth("local") : resolveAuth("remote");
const res = await params.probe({ url, auth, timeoutMs: params.timeoutMs }).catch((err) => ({ const res = await params.probe({ url, auth, timeoutMs: params.timeoutMs }).catch((err) => ({
ok: false, ok: false,
url, url,