vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-14 02:31:24 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
6517c700de9bb0ee11b41ab625ef3b63d01b6083
openclaw/src/gateway/server/plugin-route-runtime-scopes.test.ts
Pavan Kumar Gondhi 6517c700de fix(nostr): require operator.admin scope for profile mutation routes [AI] (#63553) 
* fix: address issue

* fix: address review feedback

* fix: address review feedback

* fix: finalize issue changes

* fix: address PR review feedback

* fix: address review-pr skill feedback

* fix: address PR review feedback

* fix: address review-pr skill feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* docs: add changelog entry for PR merge
2026-04-10 16:38:41 +05:30

95 lines
3.2 KiB
TypeScript
Raw Blame History

import type { IncomingMessage } from "node:http";
import { describe, expect, it } from "vitest";
import { resolvePluginRouteRuntimeOperatorScopes } from "./plugin-route-runtime-scopes.js";
function createReq(headers: Record<string, string> = {}): IncomingMessage {
return { headers } as IncomingMessage;
}
describe("resolvePluginRouteRuntimeOperatorScopes", () => {
it("preserves declared trusted-proxy scopes when the header is present", () => {
expect(
resolvePluginRouteRuntimeOperatorScopes(createReq({ "x-openclaw-scopes": "operator.read" }), {
authMethod: "trusted-proxy",
trustDeclaredOperatorScopes: true,
}),
).toEqual(["operator.read"]);
});
it("keeps trusted-proxy plugin routes on write scope when the header is absent", () => {
expect(
resolvePluginRouteRuntimeOperatorScopes(createReq(), {
authMethod: "trusted-proxy",
trustDeclaredOperatorScopes: true,
}),
).toEqual(["operator.write"]);
});
it("keeps shared-secret bearer plugin routes on write scope even when scopes are declared", () => {
expect(
resolvePluginRouteRuntimeOperatorScopes(
createReq({
authorization: "Bearer secret",
"x-openclaw-scopes": "operator.admin,operator.write",
}),
{ authMethod: "token", trustDeclaredOperatorScopes: false },
),
).toEqual(["operator.write"]);
});
it("does not trust caller-declared admin scopes on plugin routes for mode=none requests", () => {
expect(
resolvePluginRouteRuntimeOperatorScopes(
createReq({ "x-openclaw-scopes": "operator.admin,operator.write" }),
{ authMethod: "none", trustDeclaredOperatorScopes: true },
),
).toEqual(["operator.write"]);
});
it("restores trusted default operator scopes for shared-secret bearer routes opting into trusted-operator surface", () => {
expect(
resolvePluginRouteRuntimeOperatorScopes(
createReq({
authorization: "Bearer secret",
}),
{ authMethod: "token", trustDeclaredOperatorScopes: false },
"trusted-operator",
),
).toEqual([
"operator.admin",
"operator.read",
"operator.write",
"operator.approvals",
"operator.pairing",
"operator.talk.secrets",
]);
});
it("restores trusted default operator scopes for trusted-proxy routes opting into trusted-operator when scopes header is absent", () => {
expect(
resolvePluginRouteRuntimeOperatorScopes(
createReq(),
{ authMethod: "trusted-proxy", trustDeclaredOperatorScopes: true },
"trusted-operator",
),
).toEqual([
"operator.admin",
"operator.read",
"operator.write",
"operator.approvals",
"operator.pairing",
"operator.talk.secrets",
]);
});
it("preserves trusted-proxy declared scopes for routes opting into trusted-operator surface", () => {
expect(
resolvePluginRouteRuntimeOperatorScopes(
createReq({ "x-openclaw-scopes": "operator.admin,operator.write" }),
{ authMethod: "trusted-proxy", trustDeclaredOperatorScopes: true },
"trusted-operator",
),
).toEqual(["operator.admin", "operator.write"]);
});
});
Reference in New Issue View Git Blame Copy Permalink