fix(gateway): honor trusted proxy hook auth rate limits

Peter Steinberger
2026-03-12 21:35:41 +00:00
parent 143e593ab8
commit 4da617e178
5 changed files with 58 additions and 3 deletions


@@ -23,6 +23,7 @@ import {
import {
authorizeHttpGatewayConnect,
isLocalDirectRequest,
resolveRequestClientIp,
type GatewayAuthResult,
type ResolvedGatewayAuth,
} from "./auth.js";
@@ -351,9 +352,13 @@ export function createHooksRequestHandler(
bindHost: string;
port: number;
logHooks: SubsystemLogger;
getClientIpConfig?: () => {
trustedProxies?: string[];
allowRealIpFallback?: boolean;
};
} & HookDispatchers,
): HooksRequestHandler {
const { getHooksConfig, logHooks, dispatchAgentHook, dispatchWakeHook } = opts;
const { getHooksConfig, logHooks, dispatchAgentHook, dispatchWakeHook, getClientIpConfig } = opts;
const hookAuthLimiter = createAuthRateLimiter({
maxAttempts: HOOK_AUTH_FAILURE_LIMIT,
windowMs: HOOK_AUTH_FAILURE_WINDOW_MS,
@@ -364,7 +369,14 @@ export function createHooksRequestHandler(
});
const resolveHookClientKey = (req: IncomingMessage): string => {
return normalizeRateLimitClientIp(req.socket?.remoteAddress);
const clientIpConfig = getClientIpConfig?.();
const clientIp =
resolveRequestClientIp(
req,
clientIpConfig?.trustedProxies,
clientIpConfig?.allowRealIpFallback === true,
) ?? req.socket?.remoteAddress;
return normalizeRateLimitClientIp(clientIp);
};
return async (req, res) => {