vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-05 22:32:12 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
d766bfc6b2b542ff28c90287e1a265d2cbb74da9
openclaw/src/gateway/http-utils.authorize-request.test.ts
Vincent Koc 6b3f99a11f fix(gateway): enforce trusted-proxy HTTP origin checks (#58229) 
* fix(gateway): enforce trusted-proxy HTTP origin checks

* Update CHANGELOG.md
2026-03-31 19:49:26 +09:00

133 lines
3.7 KiB
TypeScript
Raw Blame History

import type { IncomingMessage, ServerResponse } from "node:http";
import { beforeEach, describe, expect, it, vi } from "vitest";
vi.mock("./auth.js", () => ({
authorizeHttpGatewayConnect: vi.fn(),
}));
vi.mock("../config/config.js", () => ({
loadConfig: vi.fn(() => ({
gateway: {
controlUi: {
allowedOrigins: ["https://control.example.com"],
},
},
})),
}));
vi.mock("./http-common.js", () => ({
sendGatewayAuthFailure: vi.fn(),
}));
const { authorizeHttpGatewayConnect } = await import("./auth.js");
const { sendGatewayAuthFailure } = await import("./http-common.js");
const { authorizeGatewayHttpRequestOrReply } = await import("./http-utils.js");
function createReq(headers: Record<string, string> = {}): IncomingMessage {
return { headers } as IncomingMessage;
}
describe("authorizeGatewayHttpRequestOrReply", () => {
beforeEach(() => {
vi.mocked(authorizeHttpGatewayConnect).mockReset();
vi.mocked(sendGatewayAuthFailure).mockReset();
});
it("marks token-authenticated requests as untrusted for declared HTTP scopes", async () => {
vi.mocked(authorizeHttpGatewayConnect).mockResolvedValue({
ok: true,
method: "token",
});
await expect(
authorizeGatewayHttpRequestOrReply({
req: createReq({ authorization: "Bearer secret" }),
res: {} as ServerResponse,
auth: { mode: "trusted-proxy", allowTailscale: false, token: "secret" },
trustedProxies: ["127.0.0.1"],
}),
).resolves.toEqual({
authMethod: "token",
trustDeclaredOperatorScopes: false,
});
});
it("keeps trusted-proxy requests eligible for declared HTTP scopes", async () => {
vi.mocked(authorizeHttpGatewayConnect).mockResolvedValue({
ok: true,
method: "trusted-proxy",
user: "operator",
});
await expect(
authorizeGatewayHttpRequestOrReply({
req: createReq({ authorization: "Bearer upstream-idp-token" }),
res: {} as ServerResponse,
auth: {
mode: "trusted-proxy",
allowTailscale: false,
trustedProxy: { userHeader: "x-user" },
},
trustedProxies: ["127.0.0.1"],
}),
).resolves.toEqual({
authMethod: "trusted-proxy",
trustDeclaredOperatorScopes: true,
});
});
it("forwards browser-origin policy into HTTP auth", async () => {
vi.mocked(authorizeHttpGatewayConnect).mockResolvedValue({
ok: true,
method: "trusted-proxy",
user: "operator",
});
await authorizeGatewayHttpRequestOrReply({
req: createReq({
host: "gateway.example.com",
origin: "https://evil.example",
}),
res: {} as ServerResponse,
auth: {
mode: "trusted-proxy",
allowTailscale: false,
trustedProxy: { userHeader: "x-user" },
},
trustedProxies: ["127.0.0.1"],
});
expect(vi.mocked(authorizeHttpGatewayConnect)).toHaveBeenCalledWith(
expect.objectContaining({
browserOriginPolicy: {
requestHost: "gateway.example.com",
origin: "https://evil.example",
allowedOrigins: ["https://control.example.com"],
allowHostHeaderOriginFallback: false,
},
}),
);
});
it("replies with auth failure and returns null when auth fails", async () => {
const res = {} as ServerResponse;
vi.mocked(authorizeHttpGatewayConnect).mockResolvedValue({
ok: false,
reason: "unauthorized",
});
await expect(
authorizeGatewayHttpRequestOrReply({
req: createReq(),
res,
auth: { mode: "token", allowTailscale: false, token: "secret" },
}),
).resolves.toBeNull();
expect(sendGatewayAuthFailure).toHaveBeenCalledWith(res, {
ok: false,
reason: "unauthorized",
});
});
});
Reference in New Issue View Git Blame Copy Permalink