github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 20:24:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: harden device pairing token generation and verification (#16535)

Browse Source 
Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: bcbb50e368
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
This commit is contained in:
Gustavo Madeira Santana
2026-02-14 16:23:33 -05:00
committed by GitHub
parent b97191b81a
commit 48b3d7096c
6 changed files with 134 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/infra/device-pairing.ts
View File

@@ -1,5 +1,4 @@
import { randomUUID } from "node:crypto";
import { safeEqualSecret } from "../security/secret-equal.js";
import {
createAsyncLock,
pruneExpiredPending,
@@ -7,6 +6,7 @@ import {
resolvePairingPaths,
writeJsonAtomic,
} from "./pairing-files.js";
import { generatePairingToken, verifyPairingToken } from "./pairing-token.js";
export type DevicePairingPendingRequest = {
requestId: string;
@@ -176,7 +176,7 @@ function scopesAllow(requested: string[], allowed: string[]): boolean {
}
function newToken() {
return randomUUID().replaceAll("-", "");
return generatePairingToken();
}
export async function listDevicePairing(baseDir?: string): Promise<DevicePairingList> {
@@ -375,7 +375,7 @@ export async function verifyDeviceToken(params: {
if (entry.revokedAtMs) {
return { ok: false, reason: "token-revoked" };
}
if (!safeEqualSecret(params.token, entry.token)) {
if (!verifyPairingToken(params.token, entry.token)) {
return { ok: false, reason: "token-mismatch" };
}
const requestedScopes = normalizeScopes(params.scopes);