vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-06-04 17:24:06 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
6173a4babb99ca80e175cd53a2dec412ef1788e2
openclaw/src/shared/device-pairing-access.ts
Peter Steinberger 1e7510ae10 docs: continue inline comment pass (#88849) 
Adds broad inline comments and JSDoc for CLI, cron, outbound/channel, plugin SDK, ACP, shared helpers, net policy, and related utility contracts. Proof: git diff --check on latest exact head plus focused cron tests passed; CI had no failing checks observed before merge attempt.
2026-05-31 22:32:28 -04:00

123 lines
3.6 KiB
TypeScript
Raw Blame History

import { normalizeDeviceAuthScopes } from "./device-auth.js";
export type DevicePairingAccessSummary = {
/** Normalized role ids requested or approved for a device. */
roles: string[];
/** Normalized scope ids, including implied operator scopes. */
scopes: string[];
};
/** Approval classification shown when a pending pairing differs from existing grants. */
export type PendingDeviceApprovalKind =
| "new-pairing"
| "role-upgrade"
| "scope-upgrade"
| "re-approval";
export type PendingDeviceApprovalState = {
kind: PendingDeviceApprovalKind;
/** Access requested by the pending pairing attempt. */
requested: DevicePairingAccessSummary;
/** Existing active access, or null for a new pairing. */
approved: DevicePairingAccessSummary | null;
};
type PendingLike = {
role?: string;
roles?: string[];
scopes?: string[];
};
type PairedLike = {
role?: string;
roles?: string[];
scopes?: string[];
tokens?:
| Array<{
role?: string;
revokedAtMs?: number | null;
}>
| Record<
string,
{
role?: string;
revokedAtMs?: number | null;
}
>;
};
function normalizeRoleList(...items: Array<string | string[] | undefined>): string[] {
const roles = new Set<string>();
for (const item of items) {
if (!item) {
continue;
}
if (Array.isArray(item)) {
for (const role of item) {
const trimmed = role.trim();
if (trimmed) {
roles.add(trimmed);
}
}
continue;
}
const trimmed = item.trim();
if (trimmed) {
roles.add(trimmed);
}
}
return [...roles].toSorted();
}
function includesAll(allowed: readonly string[], requested: readonly string[]): boolean {
const allowedSet = new Set(allowed);
return requested.every((value) => allowedSet.has(value));
}
/** Normalizes requested roles/scopes from pending pairing records, including legacy singular role. */
export function summarizePendingDeviceAccess(request: PendingLike): DevicePairingAccessSummary {
return {
roles: normalizeRoleList(request.roles, request.role),
scopes: normalizeDeviceAuthScopes(request.scopes),
};
}
/** Summarizes currently approved device access, excluding roles whose tokens are revoked. */
export function summarizeApprovedDeviceAccess(device: PairedLike): DevicePairingAccessSummary {
const approvedRoles = normalizeRoleList(device.roles, device.role);
const tokenList = Array.isArray(device.tokens)
? device.tokens
: device.tokens
? Object.values(device.tokens)
: undefined;
const activeTokenRoles =
tokenList === undefined
? approvedRoles
: normalizeRoleList(
tokenList.filter((token) => !token.revokedAtMs).flatMap((token) => token.role ?? []),
).filter((role) => approvedRoles.includes(role));
return {
roles: activeTokenRoles,
scopes: normalizeDeviceAuthScopes(device.scopes),
};
}
/** Classifies a pending pairing request as new pairing, role upgrade, scope upgrade, or re-approval. */
export function resolvePendingDeviceApprovalState(
request: PendingLike,
paired?: PairedLike,
): PendingDeviceApprovalState {
const requested = summarizePendingDeviceAccess(request);
const approved = paired ? summarizeApprovedDeviceAccess(paired) : null;
if (!approved) {
return { kind: "new-pairing", requested, approved: null };
}
if (!includesAll(approved.roles, requested.roles)) {
return { kind: "role-upgrade", requested, approved };
}
if (!includesAll(approved.scopes, requested.scopes)) {
return { kind: "scope-upgrade", requested, approved };
}
return { kind: "re-approval", requested, approved };
}
Reference in New Issue View Git Blame Copy Permalink