fix(security): normalize hook auth rate-limit client keys

This commit is contained in:
Peter Steinberger
2026-02-22 08:40:39 +01:00
parent aab20e58d7
commit 3284d2eb22
5 changed files with 63 additions and 7 deletions


@@ -16,7 +16,7 @@
* {@link createAuthRateLimiter} and pass it where needed.
*/
import { isLoopbackAddress } from "./net.js";
import { isLoopbackAddress, resolveClientIp } from "./net.js";
// ---------------------------------------------------------------------------
// Types
@@ -81,6 +81,14 @@ const PRUNE_INTERVAL_MS = 60_000; // prune stale entries every minute
// Implementation
// ---------------------------------------------------------------------------
/**
* Canonicalize client IPs used for auth throttling so all call sites
* share one representation (including IPv4-mapped IPv6 forms).
*/
export function normalizeRateLimitClientIp(ip: string | undefined): string {
return resolveClientIp({ remoteAddr: ip }) ?? "unknown";
}
export function createAuthRateLimiter(config?: RateLimitConfig): AuthRateLimiter {
const maxAttempts = config?.maxAttempts ?? DEFAULT_MAX_ATTEMPTS;
const windowMs = config?.windowMs ?? DEFAULT_WINDOW_MS;
@@ -101,7 +109,7 @@ export function createAuthRateLimiter(config?: RateLimitConfig): AuthRateLimiter
}
function normalizeIp(ip: string | undefined): string {
return (ip ?? "").trim() || "unknown";
return normalizeRateLimitClientIp(ip);
}
function resolveKey(