github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-12 06:13:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor(daemon): extract gateway token drift helper

Browse Source
This commit is contained in:
Peter Steinberger
2026-03-08 00:27:41 +00:00
parent 02eef1d45a
commit 7ac7b39eff
3 changed files with 42 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
src/cli/daemon-cli/gateway-token-drift.test.ts Normal file
View File

@@ -0,0 +1,23 @@
import { describe, expect, it } from "vitest";
import type { OpenClawConfig } from "../../config/config.js";
import { resolveGatewayTokenForDriftCheck } from "./gateway-token-drift.js";
describe("resolveGatewayTokenForDriftCheck", () => {
it("prefers persisted config token over shell env", () => {
const token = resolveGatewayTokenForDriftCheck({
cfg: {
gateway: {
mode: "local",
auth: {
token: "config-token",
},
},
} as OpenClawConfig,
env: {
OPENCLAW_GATEWAY_TOKEN: "env-token",
} as NodeJS.ProcessEnv,
});
expect(token).toBe("config-token");
});
});

16
src/cli/daemon-cli/gateway-token-drift.ts Normal file
View File

@@ -0,0 +1,16 @@
import type { OpenClawConfig } from "../../config/config.js";
import { resolveGatewayCredentialsFromConfig } from "../../gateway/credentials.js";
export function resolveGatewayTokenForDriftCheck(params: {
cfg: OpenClawConfig;
env?: NodeJS.ProcessEnv;
}) {
return resolveGatewayCredentialsFromConfig({
cfg: params.cfg,
env: params.env,
modeOverride: "local",
// Drift checks should compare the persisted gateway token against the
// service token, not let an exported shell env mask config drift.
localTokenPrecedence: "config-first",
}).token;
}

15
src/cli/daemon-cli/lifecycle-core.ts
View File

@@ -5,12 +5,10 @@ import { checkTokenDrift } from "../../daemon/service-audit.js";
import type { GatewayService } from "../../daemon/service.js"; import type { GatewayService } from "../../daemon/service.js";
import { renderSystemdUnavailableHints } from "../../daemon/systemd-hints.js"; import { renderSystemdUnavailableHints } from "../../daemon/systemd-hints.js";
import { isSystemdUserServiceAvailable } from "../../daemon/systemd.js"; import { isSystemdUserServiceAvailable } from "../../daemon/systemd.js";
import { import { isGatewaySecretRefUnavailableError } from "../../gateway/credentials.js";
isGatewaySecretRefUnavailableError,
resolveGatewayCredentialsFromConfig,
} from "../../gateway/credentials.js";
import { isWSL } from "../../infra/wsl.js"; import { isWSL } from "../../infra/wsl.js";
import { defaultRuntime } from "../../runtime.js"; import { defaultRuntime } from "../../runtime.js";
import { resolveGatewayTokenForDriftCheck } from "./gateway-token-drift.js";
import { import {
buildDaemonServiceSnapshot, buildDaemonServiceSnapshot,
createNullWriter, createNullWriter,
@@ -284,14 +282,7 @@ export async function runServiceRestart(params: {
const command = await params.service.readCommand(process.env); const command = await params.service.readCommand(process.env);
const serviceToken = command?.environment?.OPENCLAW_GATEWAY_TOKEN; const serviceToken = command?.environment?.OPENCLAW_GATEWAY_TOKEN;
const cfg = loadConfig(); const cfg = loadConfig();
const configToken = resolveGatewayCredentialsFromConfig({ const configToken = resolveGatewayTokenForDriftCheck({ cfg, env: process.env });
cfg,
env: process.env,
modeOverride: "local",
// Drift checks should compare the persisted gateway token against the
// service token, not let an exported shell env mask config drift.
localTokenPrecedence: "config-first",
}).token;
const driftIssue = checkTokenDrift({ serviceToken, configToken }); const driftIssue = checkTokenDrift({ serviceToken, configToken });
if (driftIssue) { if (driftIssue) {
const warning = driftIssue.detail const warning = driftIssue.detail