fix(browser): authenticate sandbox browser bridge server

2026-05-05 21:40:21 +00:00 · 2026-02-14 12:54:16 +01:00
parent 3b56a6252b
commit 4711a943e3
6 changed files with 191 additions and 7 deletions
--- a/src/browser/bridge-server.auth.test.ts
+++ b/src/browser/bridge-server.auth.test.ts
@@ -0,0 +1,76 @@
+import { afterEach, describe, expect, it } from "vitest";
+import { startBrowserBridgeServer, stopBrowserBridgeServer } from "./bridge-server.js";
+import {
+  DEFAULT_OPENCLAW_BROWSER_COLOR,
+  DEFAULT_OPENCLAW_BROWSER_PROFILE_NAME,
+} from "./constants.js";
+
+function buildResolvedConfig() {
+  return {
+    enabled: true,
+    evaluateEnabled: false,
+    controlPort: 0,
+    cdpProtocol: "http",
+    cdpHost: "127.0.0.1",
+    cdpIsLoopback: true,
+    remoteCdpTimeoutMs: 1500,
+    remoteCdpHandshakeTimeoutMs: 3000,
+    color: DEFAULT_OPENCLAW_BROWSER_COLOR,
+    executablePath: undefined,
+    headless: true,
+    noSandbox: false,
+    attachOnly: true,
+    defaultProfile: DEFAULT_OPENCLAW_BROWSER_PROFILE_NAME,
+    profiles: {
+      [DEFAULT_OPENCLAW_BROWSER_PROFILE_NAME]: {
+        cdpPort: 1,
+        color: DEFAULT_OPENCLAW_BROWSER_COLOR,
+      },
+    },
+  } as const;
+}
+
+describe("startBrowserBridgeServer auth", () => {
+  const servers: Array<{ stop: () => Promise<void> }> = [];
+
+  afterEach(async () => {
+    while (servers.length) {
+      const s = servers.pop();
+      if (s) {
+        await s.stop();
+      }
+    }
+  });
+
+  it("rejects unauthenticated requests when authToken is set", async () => {
+    const bridge = await startBrowserBridgeServer({
+      resolved: buildResolvedConfig(),
+      authToken: "secret-token",
+    });
+    servers.push({ stop: () => stopBrowserBridgeServer(bridge.server) });
+
+    const unauth = await fetch(`${bridge.baseUrl}/`);
+    expect(unauth.status).toBe(401);
+
+    const authed = await fetch(`${bridge.baseUrl}/`, {
+      headers: { Authorization: "Bearer secret-token" },
+    });
+    expect(authed.status).toBe(200);
+  });
+
+  it("accepts x-openclaw-password when authPassword is set", async () => {
+    const bridge = await startBrowserBridgeServer({
+      resolved: buildResolvedConfig(),
+      authPassword: "secret-password",
+    });
+    servers.push({ stop: () => stopBrowserBridgeServer(bridge.server) });
+
+    const unauth = await fetch(`${bridge.baseUrl}/`);
+    expect(unauth.status).toBe(401);
+
+    const authed = await fetch(`${bridge.baseUrl}/`, {
+      headers: { "x-openclaw-password": "secret-password" },
+    });
+    expect(authed.status).toBe(200);
+  });
+});