fix: silence unused hook token url param (#9436)

* fix: Gateway authentication token exposed in URL query parameters * fix: silence unused hook token url param * fix: remove gateway auth tokens from URLs (#9436) (thanks @coygeek) * test: fix Windows path separators in audit test (#9436) --------- Co-authored-by: George Pickett <gpickett00@gmail.com>
2026-05-10 09:22:45 +00:00 · 2026-02-05 18:08:29 -08:00
parent b1430aaaca
commit 717129f7f9
22 changed files with 107 additions and 172 deletions
--- a/src/gateway/hooks.ts
+++ b/src/gateway/hooks.ts
@@ -43,18 +43,13 @@ export function resolveHooksConfig(cfg: OpenClawConfig): HooksConfigResolved | n
  };
 }

-export type HookTokenResult = {
-  token: string | undefined;
-  fromQuery: boolean;
-};
-
-export function extractHookToken(req: IncomingMessage, url: URL): HookTokenResult {
+export function extractHookToken(req: IncomingMessage): string | undefined {
  const auth =
    typeof req.headers.authorization === "string" ? req.headers.authorization.trim() : "";
  if (auth.toLowerCase().startsWith("bearer ")) {
    const token = auth.slice(7).trim();
    if (token) {
-      return { token, fromQuery: false };
+      return token;
    }
  }
  const headerToken =
@@ -62,13 +57,9 @@ export function extractHookToken(req: IncomingMessage, url: URL): HookTokenResul
      ? req.headers["x-openclaw-token"].trim()
      : "";
  if (headerToken) {
-    return { token: headerToken, fromQuery: false };
+    return headerToken;
  }
-  const queryToken = url.searchParams.get("token");
-  if (queryToken) {
-    return { token: queryToken.trim(), fromQuery: true };
-  }
-  return { token: undefined, fromQuery: false };
+  return undefined;
 }

 export async function readJsonBody(