github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-10 04:52:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

Gateway: align pairing scope checks for read access

Browse Source
This commit is contained in:
Shakker
2026-02-20 04:51:36 +00:00
committed by Shakker
parent 86f207adb0
commit 525d6e0671
8 changed files with 256 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
src/infra/device-pairing.ts
View File

@@ -1,5 +1,6 @@
import { randomUUID } from "node:crypto";
import { normalizeDeviceAuthScopes } from "../shared/device-auth.js";
import { roleScopesAllow } from "../shared/operator-scope-compat.js";
import {
createAsyncLock,
pruneExpiredPending,
@@ -152,17 +153,6 @@ function mergeScopes(...items: Array<string[] | undefined>): string[] | undefine
return [...scopes];
}
function scopesAllow(requested: string[], allowed: string[]): boolean {
if (requested.length === 0) {
return true;
}
if (allowed.length === 0) {
return false;
}
const allowedSet = new Set(allowed);
return requested.every((scope) => allowedSet.has(scope));
}
function newToken() {
return generatePairingToken();
}
@@ -411,7 +401,7 @@ export async function verifyDeviceToken(params: {
return { ok: false, reason: "token-mismatch" };
}
const requestedScopes = normalizeDeviceAuthScopes(params.scopes);
if (!scopesAllow(requestedScopes, entry.scopes)) {
if (!roleScopesAllow({ role, requestedScopes, allowedScopes: entry.scopes })) {
return { ok: false, reason: "scope-mismatch" };
}
entry.lastUsedAtMs = Date.now();
@@ -442,7 +432,7 @@ export async function ensureDeviceToken(params: {
}
const { device, role, tokens, existing } = context;
if (existing && !existing.revokedAtMs) {
if (scopesAllow(requestedScopes, existing.scopes)) {
if (roleScopesAllow({ role, requestedScopes, allowedScopes: existing.scopes })) {
return existing;
}
}