fix(security): harden hook and device token auth

This commit is contained in:
Peter Steinberger
2026-02-13 01:23:26 +01:00
parent 54513f4240
commit 113ebfd6a2
9 changed files with 190 additions and 12 deletions


@@ -2,6 +2,7 @@ import { randomUUID } from "node:crypto";
import fs from "node:fs/promises";
import path from "node:path";
import { resolveStateDir } from "../config/paths.js";
import { safeEqualSecret } from "../security/secret-equal.js";
export type DevicePairingPendingRequest = {
requestId: string;
@@ -431,7 +432,7 @@ export async function verifyDeviceToken(params: {
if (entry.revokedAtMs) {
return { ok: false, reason: "token-revoked" };
}
if (entry.token !== params.token) {
if (!safeEqualSecret(params.token, entry.token)) {
return { ok: false, reason: "token-mismatch" };
}
const requestedScopes = normalizeScopes(params.scopes);
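Review bot: The new `safeEqualSecret(params.token, entry.token)` call removes the early-exit `!==` comparison, but whether the helper also handles unequal-length inputs without short-circuiting is not visible here, and an early length-based return would still let the mismatch timing vary with the stored token's length. A why-comment at the call site, `// constant-time compare: a plain !== returns early and leaks how many leading bytes matched`, would stop a later refactor from reverting it, and verifyDeviceToken's tests should pin that a token of a different length yields `token-mismatch` rather than throwing. verifyDeviceToken's body starts before this hunk and continues after it, so any earlier guard that params.token is a non-empty string is not in view and should be confirmed there.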