vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-04-07 23:31:07 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
dae0400a8ff81319e39c50d1f684bde69bc517e9
openclaw/src/gateway/http-auth-helpers.ts
Vincent Koc 6b3f99a11f fix(gateway): enforce trusted-proxy HTTP origin checks (#58229) 
* fix(gateway): enforce trusted-proxy HTTP origin checks

* Update CHANGELOG.md
2026-03-31 19:49:26 +09:00

59 lines
2.3 KiB
TypeScript
Raw Blame History

import type { IncomingMessage, ServerResponse } from "node:http";
import type { AuthRateLimiter } from "./auth-rate-limit.js";
import { authorizeHttpGatewayConnect, type ResolvedGatewayAuth } from "./auth.js";
import { sendGatewayAuthFailure } from "./http-common.js";
import { getBearerToken, getHeader, resolveHttpBrowserOriginPolicy } from "./http-utils.js";
import { CLI_DEFAULT_OPERATOR_SCOPES } from "./method-scopes.js";
const OPERATOR_SCOPES_HEADER = "x-openclaw-scopes";
export async function authorizeGatewayBearerRequestOrReply(params: {
req: IncomingMessage;
res: ServerResponse;
auth: ResolvedGatewayAuth;
trustedProxies?: string[];
allowRealIpFallback?: boolean;
rateLimiter?: AuthRateLimiter;
}): Promise<boolean> {
const token = getBearerToken(params.req);
const browserOriginPolicy = resolveHttpBrowserOriginPolicy(params.req);
const authResult = await authorizeHttpGatewayConnect({
auth: params.auth,
connectAuth: token ? { token, password: token } : null,
req: params.req,
trustedProxies: params.trustedProxies,
allowRealIpFallback: params.allowRealIpFallback,
rateLimiter: params.rateLimiter,
browserOriginPolicy,
});
if (!authResult.ok) {
sendGatewayAuthFailure(params.res, authResult);
return false;
}
return true;
}
export function resolveGatewayRequestedOperatorScopes(req: IncomingMessage): string[] {
const raw = getHeader(req, OPERATOR_SCOPES_HEADER)?.trim();
if (raw === undefined) {
// No x-openclaw-scopes header present at all: the caller is a plain
// Bearer-token HTTP client (curl, OpenAI SDK, etc.) that has already
// passed gateway token authentication. Grant the same default operator
// scopes that the CLI and other first-party callers receive so that
// authenticated HTTP requests are not denied by the method-scope gate.
//
// When the header IS present (even if empty), honour the declared value
// so that callers can voluntarily restrict their own privilege set and
// the CVE-2026-32919 / CVE-2026-28473 security boundary is preserved.
return [...CLI_DEFAULT_OPERATOR_SCOPES];
}
if (!raw) {
// Header present but empty string → caller explicitly declared no scopes.
return [];
}
return raw
.split(",")
.map((scope) => scope.trim())
.filter((scope) => scope.length > 0);
}
Reference in New Issue View Git Blame Copy Permalink