fix: harden device pairing token generation and verification (#16535)

Merged via /review-pr -> /prepare-pr -> /merge-pr. Prepared head SHA: bcbb50e368 Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com> Reviewed-by: @gumadeiras
2026-05-09 12:57:40 +00:00 · 2026-02-14 16:23:33 -05:00
parent b97191b81a
commit 48b3d7096c
6 changed files with 134 additions and 29 deletions
--- a/src/infra/device-pairing.test.ts
+++ b/src/infra/device-pairing.test.ts
@@ -10,19 +10,41 @@ import {
  verifyDeviceToken,
 } from "./device-pairing.js";

+async function setupPairedOperatorDevice(baseDir: string, scopes: string[]) {
+  const request = await requestDevicePairing(
+    {
+      deviceId: "device-1",
+      publicKey: "public-key-1",
+      role: "operator",
+      scopes,
+    },
+    baseDir,
+  );
+  await approveDevicePairing(request.request.requestId, baseDir);
+}
+
+function requireToken(token: string | undefined): string {
+  expect(typeof token).toBe("string");
+  if (typeof token !== "string") {
+    throw new Error("expected operator token to be issued");
+  }
+  return token;
+}
+
 describe("device pairing tokens", () => {
+  test("generates base64url device tokens with 256-bit entropy output length", async () => {
+    const baseDir = await mkdtemp(join(tmpdir(), "openclaw-device-pairing-"));
+    await setupPairedOperatorDevice(baseDir, ["operator.admin"]);
+
+    const paired = await getPairedDevice("device-1", baseDir);
+    const token = requireToken(paired?.tokens?.operator?.token);
+    expect(token).toMatch(/^[A-Za-z0-9_-]{43}$/);
+    expect(Buffer.from(token, "base64url")).toHaveLength(32);
+  });
+
  test("preserves existing token scopes when rotating without scopes", async () => {
    const baseDir = await mkdtemp(join(tmpdir(), "openclaw-device-pairing-"));
-    const request = await requestDevicePairing(
-      {
-        deviceId: "device-1",
-        publicKey: "public-key-1",
-        role: "operator",
-        scopes: ["operator.admin"],
-      },
-      baseDir,
-    );
-    await approveDevicePairing(request.request.requestId, baseDir);
+    await setupPairedOperatorDevice(baseDir, ["operator.admin"]);

    await rotateDeviceToken({
      deviceId: "device-1",
@@ -45,23 +67,13 @@ describe("device pairing tokens", () => {

  test("verifies token and rejects mismatches", async () => {
    const baseDir = await mkdtemp(join(tmpdir(), "openclaw-device-pairing-"));
-    const request = await requestDevicePairing(
-      {
-        deviceId: "device-1",
-        publicKey: "public-key-1",
-        role: "operator",
-        scopes: ["operator.read"],
-      },
-      baseDir,
-    );
-    await approveDevicePairing(request.request.requestId, baseDir);
+    await setupPairedOperatorDevice(baseDir, ["operator.read"]);
    const paired = await getPairedDevice("device-1", baseDir);
-    const token = paired?.tokens?.operator?.token;
-    expect(token).toBeTruthy();
+    const token = requireToken(paired?.tokens?.operator?.token);

    const ok = await verifyDeviceToken({
      deviceId: "device-1",
-      token: token ?? "",
+      token,
      role: "operator",
      scopes: ["operator.read"],
      baseDir,
@@ -70,7 +82,7 @@ describe("device pairing tokens", () => {

    const mismatch = await verifyDeviceToken({
      deviceId: "device-1",
-      token: "x".repeat((token ?? "1234").length),
+      token: "x".repeat(token.length),
      role: "operator",
      scopes: ["operator.read"],
      baseDir,
@@ -78,4 +90,23 @@ describe("device pairing tokens", () => {
    expect(mismatch.ok).toBe(false);
    expect(mismatch.reason).toBe("token-mismatch");
  });
+
+  test("treats multibyte same-length token input as mismatch without throwing", async () => {
+    const baseDir = await mkdtemp(join(tmpdir(), "openclaw-device-pairing-"));
+    await setupPairedOperatorDevice(baseDir, ["operator.read"]);
+    const paired = await getPairedDevice("device-1", baseDir);
+    const token = requireToken(paired?.tokens?.operator?.token);
+    const multibyteToken = "é".repeat(token.length);
+    expect(Buffer.from(multibyteToken).length).not.toBe(Buffer.from(token).length);
+
+    await expect(
+      verifyDeviceToken({
+        deviceId: "device-1",
+        token: multibyteToken,
+        role: "operator",
+        scopes: ["operator.read"],
+        baseDir,
+      }),
+    ).resolves.toEqual({ ok: false, reason: "token-mismatch" });
+  });
 });