openclaw/scripts/setup-auth-system.sh

#!/bin/bash
# Setup OpenClaw Auth Management System
# Run this once to set up:
# 1. Long-lived Claude Code token
# 2. Auth monitoring with notifications
# 3. Instructions for Termux widgets

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

echo "=== OpenClaw Auth System Setup ==="
echo ""

# Step 1: Check current auth status
echo "Step 1: Checking current auth status..."
"$SCRIPT_DIR/claude-auth-status.sh" full || true
echo ""

# Step 2: Set up long-lived token
echo "Step 2: Long-lived token setup"
echo ""
echo "Option A: Use 'claude setup-token' (recommended)"
echo "  - Creates a long-lived API token"
echo "  - No daily re-auth needed"
echo "  - Run: claude setup-token"
echo ""
echo "Would you like to set up a long-lived token now? [y/N]"
read -r SETUP_TOKEN

if [[ "$SETUP_TOKEN" =~ ^[Yy] ]]; then
    echo ""
    echo "Opening https://console.anthropic.com/settings/api-keys"
    echo "Create a new key or copy existing one, then paste below."
    echo ""
    claude setup-token
fi

echo ""

# Step 3: Set up auth monitoring
echo "Step 3: Auth monitoring setup"
echo ""
echo "The auth monitor checks expiry every 30 minutes and notifies you."
echo ""
echo "Configure notification channels:"
echo ""

# Check for ntfy
echo "  ntfy.sh: Free push notifications to your phone"
echo "  1. Install ntfy app on your phone"
echo "  2. Subscribe to a topic (e.g., 'openclaw-alerts')"
echo ""
echo "Enter ntfy.sh topic (or leave blank to skip):"
read -r NTFY_TOPIC

# Phone notification
echo ""
echo "  OpenClaw message: Send warning via OpenClaw itself"
echo "Enter your phone number for alerts (or leave blank to skip):"
read -r PHONE_NUMBER

# Install systemd units
SERVICE_TEMPLATE="$SCRIPT_DIR/systemd/openclaw-auth-monitor.service"
SYSTEMD_USER_DIR="$HOME/.config/systemd/user"
SERVICE_TARGET="$SYSTEMD_USER_DIR/openclaw-auth-monitor.service"
TIMER_TARGET="$SYSTEMD_USER_DIR/openclaw-auth-monitor.timer"
AUTH_MONITOR_PATH="$SCRIPT_DIR/auth-monitor.sh"

echo ""
echo "Installing systemd timer..."
mkdir -p "$SYSTEMD_USER_DIR"

SERVICE_TEMP="$(mktemp "$SYSTEMD_USER_DIR/openclaw-auth-monitor.service.XXXXXX")"
SERVICE_RENDERED=""
cleanup_service_temp() {
    rm -f "$SERVICE_TEMP" "$SERVICE_RENDERED"
}
trap cleanup_service_temp EXIT
SERVICE_RENDERED="$(mktemp "$SYSTEMD_USER_DIR/openclaw-auth-monitor.service.rendered.XXXXXX")"

cp "$SERVICE_TEMPLATE" "$SERVICE_TEMP"

systemd_quote_arg() {
    local value="$1"
    value="${value//\\/\\\\}"
    value="${value//%/%%}"
    value="${value//\$/\$\$}"
    value="${value//\"/\\\"}"
    printf '"%s"' "$value"
}

render_environment_line() {
    local key="$1"
    local placeholder="$2"
    local value="$3"

    if [ -n "$value" ]; then
        printf 'Environment=%s=%s' "$key" "$value"
    else
        printf '# Environment=%s=%s' "$key" "$placeholder"
    fi
}

RENDERED_EXEC_START="ExecStart=$(systemd_quote_arg "$AUTH_MONITOR_PATH")"
RENDERED_NTFY_LINE="$(render_environment_line "NOTIFY_NTFY" "openclaw-alerts" "$NTFY_TOPIC")"
RENDERED_PHONE_LINE="$(render_environment_line "NOTIFY_PHONE" "+1234567890" "$PHONE_NUMBER")"
FOUND_EXEC_START=0
FOUND_NTFY=0
FOUND_PHONE=0

while IFS= read -r line || [ -n "$line" ]; do
    if [[ "$line" =~ ^[[:space:]]*ExecStart=.*$ ]]; then
        printf '%s\n' "$RENDERED_EXEC_START"
        FOUND_EXEC_START=1
    elif [[ "$line" =~ ^[[:space:]]*#?[[:space:]]*Environment=NOTIFY_NTFY=.*$ ]]; then
        printf '%s\n' "$RENDERED_NTFY_LINE"
        FOUND_NTFY=1
    elif [[ "$line" =~ ^[[:space:]]*#?[[:space:]]*Environment=NOTIFY_PHONE=.*$ ]]; then
        printf '%s\n' "$RENDERED_PHONE_LINE"
        FOUND_PHONE=1
    else
        printf '%s\n' "$line"
    fi
done < "$SERVICE_TEMP" > "$SERVICE_RENDERED"

if [ "$FOUND_EXEC_START" -ne 1 ]; then
    echo "ERROR: ExecStart line not found in $SERVICE_TEMPLATE" >&2
    exit 1
fi
if [ "$FOUND_NTFY" -ne 1 ]; then
    echo "ERROR: NOTIFY_NTFY placeholder not found in $SERVICE_TEMPLATE" >&2
    exit 1
fi
if [ "$FOUND_PHONE" -ne 1 ]; then
    echo "ERROR: NOTIFY_PHONE placeholder not found in $SERVICE_TEMPLATE" >&2
    exit 1
fi

mv "$SERVICE_RENDERED" "$SERVICE_TEMP"

mv "$SERVICE_TEMP" "$SERVICE_TARGET"
trap - EXIT
cp "$SCRIPT_DIR/systemd/openclaw-auth-monitor.timer" "$TIMER_TARGET"
systemctl --user daemon-reload
systemctl --user enable --now openclaw-auth-monitor.timer

echo "Auth monitor installed and running."
echo ""

# Step 4: Termux widget setup
echo "Step 4: Termux widget setup (for phone)"
echo ""
echo "To set up quick auth from your phone:"
echo ""
echo "1. Install Termux and Termux:Widget from F-Droid"
echo "2. Create ~/.shortcuts/ directory in Termux:"
echo "   mkdir -p ~/.shortcuts"
echo ""
echo "3. Copy the widget scripts:"
echo "   scp $SCRIPT_DIR/termux-quick-auth.sh phone:~/.shortcuts/ClawdAuth"
echo "   scp $SCRIPT_DIR/termux-auth-widget.sh phone:~/.shortcuts/ClawdAuth-Full"
echo ""
echo "4. Make them executable on phone:"
echo "   ssh phone 'chmod +x ~/.shortcuts/Clawd*'"
echo ""
echo "5. Add Termux:Widget to your home screen"
echo "6. Tap the widget to see your auth scripts"
echo ""
echo "The quick widget (ClawdAuth) shows status and opens auth URL if needed."
echo "The full widget (ClawdAuth-Full) provides guided re-auth flow."
echo ""

# Summary
echo "=== Setup Complete ==="
echo ""
echo "What's configured:"
echo "  - Auth status: $SCRIPT_DIR/claude-auth-status.sh"
echo "  - Mobile re-auth: $SCRIPT_DIR/mobile-reauth.sh"
echo "  - Auth monitor: systemctl --user status openclaw-auth-monitor.timer"
echo ""
echo "Quick commands:"
echo "  Check auth:  $SCRIPT_DIR/claude-auth-status.sh"
echo "  Re-auth:     $SCRIPT_DIR/mobile-reauth.sh"
echo "  Test monitor: $SCRIPT_DIR/auth-monitor.sh"
echo ""