vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-06 15:20:44 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(ios): harden gateway pairing setup

Browse Source 
Harden iOS gateway setup-code pairing by rejecting non-loopback plaintext ws:// setup URLs before bootstrap token issuance, consolidating iOS setup parsing, and adding QR scan support from Settings.

Verification:
- pnpm test extensions/device-pair/index.test.ts
- swift test --package-path apps/shared/OpenClawKit --filter DeepLinksSecurityTests
- XcodeBuildMCP OpenClawLogicTests/DeepLinkParserTests
- targeted SwiftLint for touched iOS/OpenClawKit files
- pnpm exec oxfmt --check --threads=1 extensions/device-pair/index.ts extensions/device-pair/index.test.ts
- git diff --check origin/main...HEAD
- GitHub PR checks green on 58e5e60a5c
This commit is contained in:
Val Alexander
2026-05-04 02:11:47 -05:00
committed by GitHub
parent 5fe8cde28f
commit b2efd19648
15 changed files with 556 additions and 188 deletions
Download Patch File Download Diff File Expand all files Collapse all files

137
apps/shared/OpenClawKit/Sources/OpenClawKit/DeepLinks.swift
View File

@@ -6,6 +6,16 @@ public enum DeepLinkRoute: Sendable, Equatable {
}
public struct GatewayConnectDeepLink: Codable, Sendable, Equatable {
private struct SetupPayload: Decodable {
let url: String?
let host: String?
let port: Int?
let tls: Bool?
let bootstrapToken: String?
let token: String?
let password: String?
}
public let host: String
public let port: Int
public let tls: Bool
@@ -27,28 +37,118 @@ public struct GatewayConnectDeepLink: Codable, Sendable, Equatable {
return URL(string: "\(scheme)://\(self.host):\(self.port)")
}
/// Parse a device-pair setup code (base64url-encoded JSON: `{url, bootstrapToken?, token?, password?}`).
/// Parse a gateway setup input from the QR/scanner/manual entry surfaces.
///
/// Accepted inputs are:
/// - device-pair setup code (base64url-encoded JSON)
/// - raw setup JSON
/// - a copied message containing a `Setup code:` line
/// - an `openclaw://gateway?...` deep link
/// - a raw `ws://` or `wss://` gateway URL
public static func fromSetupInput(_ input: String) -> GatewayConnectDeepLink? {
let trimmed = input.trimmingCharacters(in: .whitespacesAndNewlines)
guard !trimmed.isEmpty else { return nil }
if let link = fromSetupCode(trimmed) {
return link
}
if let url = URL(string: trimmed),
let route = DeepLinkParser.parse(url),
case let .gateway(link) = route
{
return link
}
return fromGatewayURLString(
trimmed,
bootstrapToken: nil,
token: nil,
password: nil)
}
/// Parse a gateway setup payload from a device-pair setup code or copied setup text.
///
/// Accepted inputs are:
/// - base64url-encoded setup JSON
/// - raw setup JSON
/// - copied text/message content containing one or more extractable setup-code candidates
///
/// Accepted payload shapes are:
/// - `{url, bootstrapToken?, token?, password?}`
/// - `{host, port?, tls?, bootstrapToken?, token?, password?}`
///
/// URL-based payloads provide the gateway WebSocket URL via `url`. Host-based payloads
/// provide `host` plus optional `port` and `tls`. In both cases, the optional
/// `bootstrapToken`, `token`, and `password` fields are also supported.
public static func fromSetupCode(_ code: String) -> GatewayConnectDeepLink? {
guard let data = decodeBase64Url(code) else { return nil }
guard let json = try? JSONSerialization.jsonObject(with: data) as? [String: Any] else { return nil }
guard let urlString = json["url"] as? String,
let parsed = URLComponents(string: urlString),
let trimmed = code.trimmingCharacters(in: .whitespacesAndNewlines)
guard !trimmed.isEmpty else { return nil }
if let link = decodeSetupPayload(from: Data(trimmed.utf8)) {
return link
}
if let data = decodeBase64Url(trimmed),
let link = decodeSetupPayload(from: data)
{
return link
}
for candidate in setupCodeCandidates(in: trimmed) where candidate != trimmed {
if let data = decodeBase64Url(candidate),
let link = decodeSetupPayload(from: data)
{
return link
}
}
return nil
}
private static func decodeSetupPayload(from data: Data) -> GatewayConnectDeepLink? {
guard let payload = try? JSONDecoder().decode(SetupPayload.self, from: data) else { return nil }
if let urlString = payload.url?.trimmingCharacters(in: .whitespacesAndNewlines),
!urlString.isEmpty
{
return fromGatewayURLString(
urlString,
bootstrapToken: payload.bootstrapToken,
token: payload.token,
password: payload.password)
}
guard let host = payload.host?.trimmingCharacters(in: .whitespacesAndNewlines),
!host.isEmpty
else {
return nil
}
let tls = payload.tls ?? true
if !tls, !LoopbackHost.isLoopbackHost(host) {
return nil
}
return GatewayConnectDeepLink(
host: host,
port: payload.port ?? (tls ? 443 : 18789),
tls: tls,
bootstrapToken: payload.bootstrapToken,
token: payload.token,
password: payload.password)
}
private static func fromGatewayURLString(
_ urlString: String,
bootstrapToken: String?,
token: String?,
password: String?) -> GatewayConnectDeepLink?
{
guard let parsed = URLComponents(string: urlString),
let hostname = parsed.host, !hostname.isEmpty
else { return nil }
let scheme = (parsed.scheme ?? "ws").lowercased()
guard scheme == "ws" || scheme == "wss" else { return nil }
let tls = scheme == "wss"
guard scheme == "ws" || scheme == "wss" || scheme == "http" || scheme == "https" else {
return nil
}
let tls = scheme == "wss" || scheme == "https"
if !tls, !LoopbackHost.isLoopbackHost(hostname) {
return nil
}
let port = parsed.port ?? (tls ? 443 : 18789)
let bootstrapToken = json["bootstrapToken"] as? String
let token = json["token"] as? String
let password = json["password"] as? String
return GatewayConnectDeepLink(
host: hostname,
port: port,
port: parsed.port ?? (tls ? 443 : 18789),
tls: tls,
bootstrapToken: bootstrapToken,
token: token,
@@ -65,6 +165,19 @@ public struct GatewayConnectDeepLink: Codable, Sendable, Equatable {
}
return Data(base64Encoded: base64)
}
private static func setupCodeCandidates(in input: String) -> [String] {
let surroundingPunctuation = CharacterSet(charactersIn: "`'\"“”‘’()[]{}<>.,;:")
return input
.components(separatedBy: .whitespacesAndNewlines)
.map { $0.trimmingCharacters(in: .whitespacesAndNewlines.union(surroundingPunctuation)) }
.filter { candidate in
guard candidate.count >= 24 else { return false }
return candidate.allSatisfy { ch in
ch.isLetter || ch.isNumber || ch == "-" || ch == "_" || ch == "="
}
}
}
}
public struct AgentDeepLink: Codable, Sendable, Equatable {

87
apps/shared/OpenClawKit/Tests/OpenClawKitTests/DeepLinksSecurityTests.swift
View File

@@ -2,6 +2,14 @@ import Foundation
import OpenClawKit
import Testing
private func setupCode(from payload: String) -> String {
Data(payload.utf8)
.base64EncodedString()
.replacingOccurrences(of: "+", with: "-")
.replacingOccurrences(of: "/", with: "_")
.replacingOccurrences(of: "=", with: "")
}
@Suite struct DeepLinksSecurityTests {
@Test func gatewayDeepLinkRejectsInsecureNonLoopbackWs() {
let url = URL(
@@ -31,33 +39,18 @@ import Testing
@Test func setupCodeRejectsInsecureNonLoopbackWs() {
let payload = #"{"url":"ws://attacker.example:18789","bootstrapToken":"tok"}"#
let encoded = Data(payload.utf8)
.base64EncodedString()
.replacingOccurrences(of: "+", with: "-")
.replacingOccurrences(of: "/", with: "_")
.replacingOccurrences(of: "=", with: "")
#expect(GatewayConnectDeepLink.fromSetupCode(encoded) == nil)
#expect(GatewayConnectDeepLink.fromSetupCode(setupCode(from: payload)) == nil)
}
@Test func setupCodeRejectsInsecurePrefixBypassHost() {
let payload = #"{"url":"ws://127.attacker.example:18789","bootstrapToken":"tok"}"#
let encoded = Data(payload.utf8)
.base64EncodedString()
.replacingOccurrences(of: "+", with: "-")
.replacingOccurrences(of: "/", with: "_")
.replacingOccurrences(of: "=", with: "")
#expect(GatewayConnectDeepLink.fromSetupCode(encoded) == nil)
#expect(GatewayConnectDeepLink.fromSetupCode(setupCode(from: payload)) == nil)
}
@Test func setupCodeAllowsLoopbackWs() {
let payload = #"{"url":"ws://127.0.0.1:18789","bootstrapToken":"tok"}"#
let encoded = Data(payload.utf8)
.base64EncodedString()
.replacingOccurrences(of: "+", with: "-")
.replacingOccurrences(of: "/", with: "_")
.replacingOccurrences(of: "=", with: "")
#expect(
GatewayConnectDeepLink.fromSetupCode(encoded) == .init(
GatewayConnectDeepLink.fromSetupCode(setupCode(from: payload)) == .init(
host: "127.0.0.1",
port: 18789,
tls: false,
@@ -65,4 +58,62 @@ import Testing
token: nil,
password: nil))
}
@Test func setupCodeParsesHostPayload() {
let payload = #"{"host":"gateway.tailnet.ts.net","port":443,"tls":true,"bootstrapToken":"tok"}"#
#expect(
GatewayConnectDeepLink.fromSetupCode(setupCode(from: payload)) == .init(
host: "gateway.tailnet.ts.net",
port: 443,
tls: true,
bootstrapToken: "tok",
token: nil,
password: nil))
}
@Test func setupCodeParsesHostPayloadWithTLSDefaultPort() {
let payload = #"{"host":"gateway.tailnet.ts.net","tls":true,"bootstrapToken":"tok"}"#
#expect(
GatewayConnectDeepLink.fromSetupCode(setupCode(from: payload)) == .init(
host: "gateway.tailnet.ts.net",
port: 443,
tls: true,
bootstrapToken: "tok",
token: nil,
password: nil))
}
@Test func setupCodeRejectsInsecureHostPayload() {
let payload = #"{"host":"gateway.tailnet.ts.net","port":18789,"tls":false,"bootstrapToken":"tok"}"#
#expect(GatewayConnectDeepLink.fromSetupCode(setupCode(from: payload)) == nil)
}
@Test func setupInputParsesFullCopiedSetupMessage() {
let payload = #"{"url":"wss://gateway.tailnet.ts.net","bootstrapToken":"tok"}"#
let message = """
Pairing setup code generated.
Setup code:
\(setupCode(from: payload))
"""
#expect(
GatewayConnectDeepLink.fromSetupInput(message) == .init(
host: "gateway.tailnet.ts.net",
port: 443,
tls: true,
bootstrapToken: "tok",
token: nil,
password: nil))
}
@Test func setupInputParsesRawGatewayURL() {
#expect(
GatewayConnectDeepLink.fromSetupInput("wss://gateway.example.com:444") == .init(
host: "gateway.example.com",
port: 444,
tls: true,
bootstrapToken: nil,
token: nil,
password: nil))
}
}