fix: silence unused hook token url param (#9436)

* fix: Gateway authentication token exposed in URL query parameters * fix: silence unused hook token url param * fix: remove gateway auth tokens from URLs (#9436) (thanks @coygeek) * test: fix Windows path separators in audit test (#9436) --------- Co-authored-by: George Pickett <gpickett00@gmail.com>
2026-05-10 01:52:44 +00:00 · 2026-02-05 18:08:29 -08:00
parent b1430aaaca
commit 717129f7f9
22 changed files with 107 additions and 172 deletions
--- a/src/gateway/hooks.test.ts
+++ b/src/gateway/hooks.test.ts
@@ -39,29 +39,25 @@ describe("gateway hooks helpers", () => {
    expect(() => resolveHooksConfig(cfg)).toThrow("hooks.path may not be '/'");
  });

-  test("extractHookToken prefers bearer > header > query", () => {
+  test("extractHookToken prefers bearer > header", () => {
    const req = {
      headers: {
        authorization: "Bearer top",
        "x-openclaw-token": "header",
      },
    } as unknown as IncomingMessage;
-    const url = new URL("http://localhost/hooks/wake?token=query");
-    const result1 = extractHookToken(req, url);
-    expect(result1.token).toBe("top");
-    expect(result1.fromQuery).toBe(false);
+    const result1 = extractHookToken(req);
+    expect(result1).toBe("top");

    const req2 = {
      headers: { "x-openclaw-token": "header" },
    } as unknown as IncomingMessage;
-    const result2 = extractHookToken(req2, url);
-    expect(result2.token).toBe("header");
-    expect(result2.fromQuery).toBe(false);
+    const result2 = extractHookToken(req2);
+    expect(result2).toBe("header");

    const req3 = { headers: {} } as unknown as IncomingMessage;
-    const result3 = extractHookToken(req3, url);
-    expect(result3.token).toBe("query");
-    expect(result3.fromQuery).toBe(true);
+    const result3 = extractHookToken(req3);
+    expect(result3).toBeUndefined();
  });

  test("normalizeWakePayload trims + validates", () => {