gateway: harden shared auth resolution across systemd, discord, and node host

2026-05-07 04:21:38 +00:00 · 2026-03-07 18:28:32 -06:00
parent a7f6e0a921
commit 25252ab5ab
28 changed files with 1498 additions and 255 deletions
--- a/src/gateway/connection-auth.ts
+++ b/src/gateway/connection-auth.ts
@@ -0,0 +1,66 @@
+import type { OpenClawConfig } from "../config/config.js";
+import type { ExplicitGatewayAuth } from "./call.js";
+import { resolveGatewayCredentialsWithSecretInputs } from "./call.js";
+import type {
+  GatewayCredentialMode,
+  GatewayCredentialPrecedence,
+  GatewayRemoteCredentialFallback,
+  GatewayRemoteCredentialPrecedence,
+} from "./credentials.js";
+import { resolveGatewayCredentialsFromConfig } from "./credentials.js";
+
+export type GatewayConnectionAuthOptions = {
+  config: OpenClawConfig;
+  env?: NodeJS.ProcessEnv;
+  explicitAuth?: ExplicitGatewayAuth;
+  urlOverride?: string;
+  urlOverrideSource?: "cli" | "env";
+  modeOverride?: GatewayCredentialMode;
+  includeLegacyEnv?: boolean;
+  localTokenPrecedence?: GatewayCredentialPrecedence;
+  localPasswordPrecedence?: GatewayCredentialPrecedence;
+  remoteTokenPrecedence?: GatewayRemoteCredentialPrecedence;
+  remotePasswordPrecedence?: GatewayRemoteCredentialPrecedence;
+  remoteTokenFallback?: GatewayRemoteCredentialFallback;
+  remotePasswordFallback?: GatewayRemoteCredentialFallback;
+};
+
+export async function resolveGatewayConnectionAuth(
+  params: GatewayConnectionAuthOptions,
+): Promise<{ token?: string; password?: string }> {
+  return await resolveGatewayCredentialsWithSecretInputs({
+    config: params.config,
+    env: params.env,
+    explicitAuth: params.explicitAuth,
+    urlOverride: params.urlOverride,
+    urlOverrideSource: params.urlOverrideSource,
+    modeOverride: params.modeOverride,
+    includeLegacyEnv: params.includeLegacyEnv,
+    localTokenPrecedence: params.localTokenPrecedence,
+    localPasswordPrecedence: params.localPasswordPrecedence,
+    remoteTokenPrecedence: params.remoteTokenPrecedence,
+    remotePasswordPrecedence: params.remotePasswordPrecedence,
+    remoteTokenFallback: params.remoteTokenFallback,
+    remotePasswordFallback: params.remotePasswordFallback,
+  });
+}
+
+export function resolveGatewayConnectionAuthFromConfig(
+  params: Omit<GatewayConnectionAuthOptions, "config"> & { cfg: OpenClawConfig },
+): { token?: string; password?: string } {
+  return resolveGatewayCredentialsFromConfig({
+    cfg: params.cfg,
+    env: params.env,
+    explicitAuth: params.explicitAuth,
+    urlOverride: params.urlOverride,
+    urlOverrideSource: params.urlOverrideSource,
+    modeOverride: params.modeOverride,
+    includeLegacyEnv: params.includeLegacyEnv,
+    localTokenPrecedence: params.localTokenPrecedence,
+    localPasswordPrecedence: params.localPasswordPrecedence,
+    remoteTokenPrecedence: params.remoteTokenPrecedence,
+    remotePasswordPrecedence: params.remotePasswordPrecedence,
+    remoteTokenFallback: params.remoteTokenFallback,
+    remotePasswordFallback: params.remotePasswordFallback,
+  });
+}