feat(gateway): deprecate query param hook token auth for security (#2200)
* feat(gateway): deprecate query param hook token auth for security
Query parameter tokens appear in:
- Server access logs
- Browser history
- Referrer headers
- Network monitoring tools
This change adds a deprecation warning when tokens are provided via
query parameter, encouraging migration to header-based authentication
(Authorization: Bearer <token> or X-Clawdbot-Token header).
Changes:
- Modified extractHookToken to return { token, fromQuery } object
- Added deprecation warning in server-http.ts when fromQuery is true
- Updated tests to verify the new return type and fromQuery flag
Fixes #2148
Co-Authored-By: Claude <noreply@anthropic.com>
* fix: deprecate hook query token auth (#2200) (thanks @YuriNachos)
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
This commit is contained in:
Yuri Chukhlib
GitHub
@@ -27,10 +27,10 @@ Notes:
|
||||
|
||||
## Auth
|
||||
|
||||
Every request must include the hook token:
|
||||
- `Authorization: Bearer <token>`
|
||||
- or `x-clawdbot-token: <token>`
|
||||
- or `?token=<token>`
|
||||
Every request must include the hook token. Prefer headers:
|
||||
- `Authorization: Bearer <token>` (recommended)
|
||||
- `x-clawdbot-token: <token>`
|
||||
- `?token=<token>` (deprecated; logs a warning and will be removed in a future major release)
|
||||
|
||||
## Endpoints
|
||||
|
||||
|
||||
Reference in New Issue
Block a user