chore(security): purge session store on logout

This commit is contained in:
Peter Steinberger
2025-12-02 16:33:44 +00:00
parent c9fbe2cb92
commit 8844674825
3 changed files with 7 additions and 0 deletions


@@ -4,6 +4,7 @@
### Security
- Hardened the relay IPC socket: now lives under `~/.warelay/ipc`, enforces 0700 dir / 0600 socket perms, rejects symlink or foreign-owned paths, and includes unit tests to lock in the behavior.
- `warelay logout` now also prunes the shared session store (`~/.warelay/sessions.json`) alongside WhatsApp Web credentials, reducing leftover state after unlinking.
## 1.3.0 — 2025-12-02


@@ -35,6 +35,8 @@ describe("web logout", () => {
const credsDir = path.join(tmpDir, ".warelay", "credentials");
fs.mkdirSync(credsDir, { recursive: true });
fs.writeFileSync(path.join(credsDir, "creds.json"), "{}");
const sessionsPath = path.join(tmpDir, ".warelay", "sessions.json");
fs.writeFileSync(sessionsPath, "{}");
const { logoutWeb, WA_WEB_AUTH_DIR } = await import("./session.js");
expect(WA_WEB_AUTH_DIR.startsWith(tmpDir)).toBe(true);
@@ -42,6 +44,7 @@ describe("web logout", () => {
expect(result).toBe(true);
expect(fs.existsSync(credsDir)).toBe(false);
expect(fs.existsSync(sessionsPath)).toBe(false);
});
it("no-ops when nothing to delete", async () => {
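Review bot: The added assertions only cover the case where `sessions.json` exists before logout; the `force: true` branch (store already absent) would be exercised by `it("no-ops when nothing to delete", …)`, whose body lies outside this hunk, and adding `expect(fs.existsSync(sessionsPath)).toBe(false);` there as well would catch a regression that makes a missing store throw. The test also appears to rely on `SESSION_STORE_DEFAULT` resolving under `tmpDir` through the same home redirection that `WA_WEB_AUTH_DIR.startsWith(tmpDir)` checks; a comment on the `sessionsPath` line, `// mirrors SESSION_STORE_DEFAULT under the redirected home dir`, would make that coupling explicit. The enclosing `it` block starts before the hunk.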


@@ -12,6 +12,7 @@ import {
} from "@whiskeysockets/baileys";
import qrcode from "qrcode-terminal";
import { SESSION_STORE_DEFAULT } from "../config/sessions.js";
import { danger, info, success } from "../globals.js";
import { getChildLogger } from "../logging.js";
import { defaultRuntime, type RuntimeEnv } from "../runtime.js";
@@ -160,6 +161,8 @@ export async function logoutWeb(runtime: RuntimeEnv = defaultRuntime) {
return false;
}
await fs.rm(WA_WEB_AUTH_DIR, { recursive: true, force: true });
// Also drop session store to clear lingering per-sender state after logout.
await fs.rm(SESSION_STORE_DEFAULT, { force: true });
runtime.log(
success(
"Cleared WhatsApp Web credentials. Run `warelay login --provider web` to relink.",
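Review bot: The new `fs.rm(SESSION_STORE_DEFAULT, { force: true })` purges the default path constant only, so if the configuration allows a non-default session store location (the `_DEFAULT` suffix suggests it, but this hunk does not show it) that store keeps its per-sender state after logout; resolving the path the same way the running session does, or documenting that only the default location is purged, would close that gap. Because `force` suppresses only ENOENT, an EACCES or EISDIR from that call rejects `logoutWeb` after the credentials directory is already gone and before the success line is logged, so the caller cannot tell which state was cleared; consider catching it and logging with `danger(...)`, already imported in this file, so the function still reports what it did. The success message below could also name the store, e.g. `"Cleared WhatsApp Web credentials and session store. Run \`warelay login --provider web\` to relink."`. `logoutWeb` begins and ends outside the hunk.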