fix(gateway): reject known-weak example auth credentials at startup (#64586)

2026-05-06 18:00:54 +00:00 · 2026-04-12 09:33:05 -06:00
parent 4904e15349
commit f3b636481f
4 changed files with 197 additions and 6 deletions
--- a/.env.example
+++ b/.env.example
@@ -14,12 +14,15 @@
 # -----------------------------------------------------------------------------
 # Gateway auth + paths
 # -----------------------------------------------------------------------------
-# Recommended if the gateway binds beyond loopback.
-OPENCLAW_GATEWAY_TOKEN=change-me-to-a-long-random-token
-# Example generator: openssl rand -hex 32
+# Required if the gateway binds beyond loopback. Leave blank to have OpenClaw
+# auto-generate a token on first start, or provide your own using
+# `openssl rand -hex 32`. The gateway will refuse to start if this is set to
+# the documented example placeholder, so never copy-paste an example value
+# from docs or tutorials into this file verbatim.
+OPENCLAW_GATEWAY_TOKEN=

 # Optional alternative auth mode (use token OR password).
-# OPENCLAW_GATEWAY_PASSWORD=change-me-to-a-strong-password
+# OPENCLAW_GATEWAY_PASSWORD=

 # Optional path overrides (defaults shown for reference).
 # OPENCLAW_STATE_DIR=~/.openclaw