fix(browser): authenticate sandbox browser bridge server

2026-05-09 08:27:39 +00:00 · 2026-02-14 12:54:16 +01:00
parent 3b56a6252b
commit 4711a943e3
6 changed files with 191 additions and 7 deletions
--- a/src/browser/bridge-server.ts
+++ b/src/browser/bridge-server.ts
@@ -1,8 +1,10 @@
 import type { Server } from "node:http";
+import type { IncomingMessage } from "node:http";
 import type { AddressInfo } from "node:net";
 import express from "express";
 import type { ResolvedBrowserConfig } from "./config.js";
 import type { BrowserRouteRegistrar } from "./routes/types.js";
+import { safeEqualSecret } from "../security/secret-equal.js";
 import { registerBrowserRoutes } from "./routes/index.js";
 import {
  type BrowserServerState,
@@ -10,6 +12,67 @@ import {
  type ProfileContext,
 } from "./server-context.js";

+function firstHeaderValue(value: string | string[] | undefined): string {
+  return Array.isArray(value) ? (value[0] ?? "") : (value ?? "");
+}
+
+function parseBearerToken(authorization: string): string | undefined {
+  if (!authorization || !authorization.toLowerCase().startsWith("bearer ")) {
+    return undefined;
+  }
+  const token = authorization.slice(7).trim();
+  return token || undefined;
+}
+
+function parseBasicPassword(authorization: string): string | undefined {
+  if (!authorization || !authorization.toLowerCase().startsWith("basic ")) {
+    return undefined;
+  }
+  const encoded = authorization.slice(6).trim();
+  if (!encoded) {
+    return undefined;
+  }
+  try {
+    const decoded = Buffer.from(encoded, "base64").toString("utf8");
+    const sep = decoded.indexOf(":");
+    if (sep < 0) {
+      return undefined;
+    }
+    const password = decoded.slice(sep + 1).trim();
+    return password || undefined;
+  } catch {
+    return undefined;
+  }
+}
+
+function isAuthorizedBrowserRequest(
+  req: IncomingMessage,
+  auth: { token?: string; password?: string },
+): boolean {
+  const authorization = firstHeaderValue(req.headers.authorization).trim();
+
+  if (auth.token) {
+    const bearer = parseBearerToken(authorization);
+    if (bearer && safeEqualSecret(bearer, auth.token)) {
+      return true;
+    }
+  }
+
+  if (auth.password) {
+    const passwordHeader = firstHeaderValue(req.headers["x-openclaw-password"]).trim();
+    if (passwordHeader && safeEqualSecret(passwordHeader, auth.password)) {
+      return true;
+    }
+
+    const basicPassword = parseBasicPassword(authorization);
+    if (basicPassword && safeEqualSecret(basicPassword, auth.password)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
 export type BrowserBridge = {
  server: Server;
  port: number;
@@ -22,6 +85,7 @@ export async function startBrowserBridgeServer(params: {
  host?: string;
  port?: number;
  authToken?: string;
+  authPassword?: string;
  onEnsureAttachTarget?: (profile: ProfileContext["profile"]) => Promise<void>;
 }): Promise<BrowserBridge> {
  const host = params.host ?? "127.0.0.1";
@@ -43,11 +107,11 @@ export async function startBrowserBridgeServer(params: {
  });
  app.use(express.json({ limit: "1mb" }));

-  const authToken = params.authToken?.trim();
-  if (authToken) {
+  const authToken = params.authToken?.trim() || undefined;
+  const authPassword = params.authPassword?.trim() || undefined;
+  if (authToken || authPassword) {
    app.use((req, res, next) => {
-      const auth = String(req.headers.authorization ?? "").trim();
-      if (auth === `Bearer ${authToken}`) {
+      if (isAuthorizedBrowserRequest(req, { token: authToken, password: authPassword })) {
        return next();
      }
      res.status(401).send("Unauthorized");