fix(dashboard): keep gateway tokens out of URL storage

2026-03-12 07:20:45 +00:00 · 2026-03-07 18:33:19 +00:00
parent f966dde476
commit 10d0e3f3ca
10 changed files with 187 additions and 26 deletions
--- a/apps/macos/Sources/OpenClaw/GatewayEndpointStore.swift
+++ b/apps/macos/Sources/OpenClaw/GatewayEndpointStore.swift
@@ -661,18 +661,20 @@ extension GatewayEndpointStore {
            components.path = "/"
        }

-        var queryItems: [URLQueryItem] = []
+        var fragmentItems: [URLQueryItem] = []
        if let token = config.token?.trimmingCharacters(in: .whitespacesAndNewlines),
           !token.isEmpty
        {
-            queryItems.append(URLQueryItem(name: "token", value: token))
+            fragmentItems.append(URLQueryItem(name: "token", value: token))
        }
-        if let password = config.password?.trimmingCharacters(in: .whitespacesAndNewlines),
-           !password.isEmpty
-        {
-            queryItems.append(URLQueryItem(name: "password", value: password))
+        components.queryItems = nil
+        if fragmentItems.isEmpty {
+            components.fragment = nil
+        } else {
+            var fragment = URLComponents()
+            fragment.queryItems = fragmentItems
+            components.fragment = fragment.percentEncodedQuery
        }
-        components.queryItems = queryItems.isEmpty ? nil : queryItems
        guard let url = components.url else {
            throw NSError(domain: "Dashboard", code: 2, userInfo: [
                NSLocalizedDescriptionKey: "Failed to build dashboard URL",
--- a/apps/macos/Tests/OpenClawIPCTests/GatewayEndpointStoreTests.swift
+++ b/apps/macos/Tests/OpenClawIPCTests/GatewayEndpointStoreTests.swift
@@ -216,6 +216,20 @@ import Testing
        #expect(url.absoluteString == "https://gateway.example:443/remote-ui/")
    }

+    @Test func dashboardURLUsesFragmentTokenAndOmitsPassword() throws {
+        let config: GatewayConnection.Config = try (
+            url: #require(URL(string: "ws://127.0.0.1:18789")),
+            token: "abc123",
+            password: "sekret")
+
+        let url = try GatewayEndpointStore.dashboardURL(
+            for: config,
+            mode: .local,
+            localBasePath: "/control")
+        #expect(url.absoluteString == "http://127.0.0.1:18789/control/#token=abc123")
+        #expect(url.query == nil)
+    }
+
    @Test func normalizeGatewayUrlAddsDefaultPortForLoopbackWs() {
        let url = GatewayRemoteConfig.normalizeGatewayUrl("ws://127.0.0.1")
        #expect(url?.port == 18789)