github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 18:28:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

Gateway: align pairing scope checks for read access

Browse Source
This commit is contained in:
Shakker
2026-02-20 04:51:36 +00:00
committed by Shakker
parent 86f207adb0
commit 525d6e0671
8 changed files with 256 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
src/infra/device-pairing.test.ts
View File

@@ -114,6 +114,31 @@ describe("device pairing tokens", () => {
expect(mismatch.reason).toBe("token-mismatch");
});
test("accepts operator.read requests with an operator.admin token scope", async () => {
const baseDir = await mkdtemp(join(tmpdir(), "openclaw-device-pairing-"));
await setupPairedOperatorDevice(baseDir, ["operator.admin"]);
const paired = await getPairedDevice("device-1", baseDir);
const token = requireToken(paired?.tokens?.operator?.token);
const readOk = await verifyDeviceToken({
deviceId: "device-1",
token,
role: "operator",
scopes: ["operator.read"],
baseDir,
});
expect(readOk.ok).toBe(true);
const writeMismatch = await verifyDeviceToken({
deviceId: "device-1",
token,
role: "operator",
scopes: ["operator.write"],
baseDir,
});
expect(writeMismatch).toEqual({ ok: false, reason: "scope-mismatch" });
});
test("treats multibyte same-length token input as mismatch without throwing", async () => {
const baseDir = await mkdtemp(join(tmpdir(), "openclaw-device-pairing-"));
await setupPairedOperatorDevice(baseDir, ["operator.read"]);

16
src/infra/device-pairing.ts
View File

@@ -1,5 +1,6 @@
import { randomUUID } from "node:crypto";
import { normalizeDeviceAuthScopes } from "../shared/device-auth.js";
import { roleScopesAllow } from "../shared/operator-scope-compat.js";
import {
createAsyncLock,
pruneExpiredPending,
@@ -152,17 +153,6 @@ function mergeScopes(...items: Array<string[] | undefined>): string[] | undefine
return [...scopes];
}
function scopesAllow(requested: string[], allowed: string[]): boolean {
if (requested.length === 0) {
return true;
}
if (allowed.length === 0) {
return false;
}
const allowedSet = new Set(allowed);
return requested.every((scope) => allowedSet.has(scope));
}
function newToken() {
return generatePairingToken();
}
@@ -411,7 +401,7 @@ export async function verifyDeviceToken(params: {
return { ok: false, reason: "token-mismatch" };
}
const requestedScopes = normalizeDeviceAuthScopes(params.scopes);
if (!scopesAllow(requestedScopes, entry.scopes)) {
if (!roleScopesAllow({ role, requestedScopes, allowedScopes: entry.scopes })) {
return { ok: false, reason: "scope-mismatch" };
}
entry.lastUsedAtMs = Date.now();
@@ -442,7 +432,7 @@ export async function ensureDeviceToken(params: {
}
const { device, role, tokens, existing } = context;
if (existing && !existing.revokedAtMs) {
if (scopesAllow(requestedScopes, existing.scopes)) {
if (roleScopesAllow({ role, requestedScopes, allowedScopes: existing.scopes })) {
return existing;
}
}