github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-10 07:12:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor(auth-profiles): unify coercion and add rejected-entry diagnostics

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-26 14:42:00 +01:00
parent 96aad965ab
commit 8315c58675
2 changed files with 217 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files

166
src/agents/auth-profiles.ensureauthprofilestore.test.ts
View File

@@ -1,9 +1,9 @@
import fs from "node:fs";
import os from "node:os";
import path from "node:path";
import { describe, expect, it } from "vitest";
import { describe, expect, it, vi } from "vitest";
import { ensureAuthProfileStore } from "./auth-profiles.js";
import { AUTH_STORE_VERSION } from "./auth-profiles/constants.js";
import { AUTH_STORE_VERSION, log } from "./auth-profiles/constants.js";
describe("ensureAuthProfileStore", () => {
it("migrates legacy auth.json and deletes it (PR #368)", () => {
@@ -123,35 +123,155 @@ describe("ensureAuthProfileStore", () => {
}
});
it("accepts mode/apiKey aliases so users who follow openclaw.json format are not silently broken", () => {
// A common mistake: users write auth-profiles.json using the same field names
// as openclaw.json auth.profiles ("mode" + "apiKey") instead of the canonical
// auth-profiles.json fields ("type" + "key"). The parser now normalises both.
const agentDir = fs.mkdtempSync(path.join(os.tmpdir(), "openclaw-auth-alias-"));
try {
const storeWithAliases = {
version: AUTH_STORE_VERSION,
profiles: {
"anthropic:work": {
provider: "anthropic",
mode: "api_key", // alias for "type"
apiKey: "sk-ant-alias-test", // alias for "key"
},
it("normalizes auth-profiles credential aliases with canonical-field precedence", () => {
const cases = [
{
name: "mode/apiKey aliases map to type/key",
profile: {
provider: "anthropic",
mode: "api_key",
apiKey: "sk-ant-alias",
},
};
expected: {
type: "api_key",
key: "sk-ant-alias",
},
},
{
name: "canonical type overrides conflicting mode alias",
profile: {
provider: "anthropic",
type: "api_key",
mode: "token",
key: "sk-ant-canonical",
},
expected: {
type: "api_key",
key: "sk-ant-canonical",
},
},
{
name: "canonical key overrides conflicting apiKey alias",
profile: {
provider: "anthropic",
type: "api_key",
key: "sk-ant-canonical",
apiKey: "sk-ant-alias",
},
expected: {
type: "api_key",
key: "sk-ant-canonical",
},
},
{
name: "canonical profile shape remains unchanged",
profile: {
provider: "anthropic",
type: "api_key",
key: "sk-ant-direct",
},
expected: {
type: "api_key",
key: "sk-ant-direct",
},
},
] as const;
for (const testCase of cases) {
const agentDir = fs.mkdtempSync(path.join(os.tmpdir(), "openclaw-auth-alias-"));
try {
const storeData = {
version: AUTH_STORE_VERSION,
profiles: {
"anthropic:work": testCase.profile,
},
};
fs.writeFileSync(
path.join(agentDir, "auth-profiles.json"),
`${JSON.stringify(storeData, null, 2)}\n`,
"utf8",
);
const store = ensureAuthProfileStore(agentDir);
expect(store.profiles["anthropic:work"], testCase.name).toMatchObject(testCase.expected);
} finally {
fs.rmSync(agentDir, { recursive: true, force: true });
}
}
});
it("normalizes mode/apiKey aliases while migrating legacy auth.json", () => {
const agentDir = fs.mkdtempSync(path.join(os.tmpdir(), "openclaw-auth-legacy-alias-"));
try {
fs.writeFileSync(
path.join(agentDir, "auth-profiles.json"),
`${JSON.stringify(storeWithAliases, null, 2)}\n`,
path.join(agentDir, "auth.json"),
`${JSON.stringify(
{
anthropic: {
provider: "anthropic",
mode: "api_key",
apiKey: "sk-ant-legacy",
},
},
null,
2,
)}\n`,
"utf8",
);
const store = ensureAuthProfileStore(agentDir);
const profile = store.profiles["anthropic:work"];
expect(profile).toBeDefined();
expect(profile?.type).toBe("api_key");
expect((profile as { key?: string }).key).toBe("sk-ant-alias-test");
expect(store.profiles["anthropic:default"]).toMatchObject({
type: "api_key",
provider: "anthropic",
key: "sk-ant-legacy",
});
} finally {
fs.rmSync(agentDir, { recursive: true, force: true });
}
});
it("logs one warning with aggregated reasons for rejected auth-profiles entries", () => {
const agentDir = fs.mkdtempSync(path.join(os.tmpdir(), "openclaw-auth-invalid-"));
const warnSpy = vi.spyOn(log, "warn").mockImplementation(() => undefined);
try {
const invalidStore = {
version: AUTH_STORE_VERSION,
profiles: {
"anthropic:missing-type": {
provider: "anthropic",
},
"openai:missing-provider": {
type: "api_key",
key: "sk-openai",
},
"qwen:not-object": "broken",
},
};
fs.writeFileSync(
path.join(agentDir, "auth-profiles.json"),
`${JSON.stringify(invalidStore, null, 2)}\n`,
"utf8",
);
const store = ensureAuthProfileStore(agentDir);
expect(store.profiles).toEqual({});
expect(warnSpy).toHaveBeenCalledTimes(1);
expect(warnSpy).toHaveBeenCalledWith(
"ignored invalid auth profile entries during store load",
{
source: "auth-profiles.json",
dropped: 3,
reasons: {
invalid_type: 1,
missing_provider: 1,
non_object: 1,
},
keys: ["anthropic:missing-type", "openai:missing-provider", "qwen:not-object"],
},
);
} finally {
warnSpy.mockRestore();
fs.rmSync(agentDir, { recursive: true, force: true });
}
});
});