fix(secrets): normalize inline SecretRef token/key to tokenRef/keyRef in runtime snapshot (#31047)

* fix(secrets): normalize inline SecretRef token/key to tokenRef/keyRef in runtime snapshot

When auth-profiles.json uses an inline SecretRef as the token or key
value directly (e.g. `"token": {"source":"file",...}`), the resolved
plaintext was written back to disk on every updateAuthProfileStoreWithLock
call, overwriting the SecretRef.

Root cause: collectTokenProfileAssignment and collectApiKeyProfileAssignment
detected inline SecretRefs but did not promote them to the canonical
tokenRef/keyRef fields. saveAuthProfileStore only strips plaintext when
tokenRef/keyRef is set, so the inline case fell through and persisted
plaintext on every save.

Fix: when an inline SecretRef is detected and no explicit tokenRef/keyRef
exists, promote it to the canonical field and delete the inline form.
saveAuthProfileStore then correctly strips the resolved plaintext on write.

Fixes #29108

* fix test: cast inline SecretRef loadAuthStore mocks to AuthProfileStore

* fix(secrets): fix TypeScript type error in runtime test loadAuthStore lambda

* test(secrets): keep explicit keyRef precedence over inline key ref

---------

Co-authored-by: Peter Steinberger <steipete@gmail.com>
This commit is contained in:
Dale Babiy
2026-03-01 22:34:23 -05:00
committed by GitHub
parent d446722f2f
commit 8a4d8c889c
2 changed files with 105 additions and 1 deletions

@@ -241,6 +241,10 @@ function collectApiKeyProfileAssignment(params: {
if (!resolvedKeyRef) {
return;
}
if (inlineKeyRef && !keyRef) {
params.profile.keyRef = inlineKeyRef;
delete (params.profile as unknown as Record<string, unknown>).key;
}
if (keyRef && isNonEmptyString(params.profile.key)) {
params.context.warnings.push({
code: "SECRETS_REF_OVERRIDES_PLAINTEXT",
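Review bot: the case where both an inline ref and an explicit keyRef are set is not handled by the new `if (inlineKeyRef && !keyRef)` branch, so the inline object stays in `params.profile.key`. The next check, `if (keyRef && isNonEmptyString(params.profile.key))`, looks like it only fires for a string value (judging by the helper's name), which would let that conflict pass without a SECRETS_REF_OVERRIDES_PLAINTEXT-style warning. Consider either deleting the inline `key` in that case as well or pushing a warning that the inline ref is ignored in favour of keyRef. A one-line comment that the promotion mutates `params.profile` in place on purpose, so that saveAuthProfileStore strips the plaintext, would also help the next reader.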
@@ -271,6 +275,10 @@ function collectTokenProfileAssignment(params: {
if (!resolvedTokenRef) {
return;
}
if (inlineTokenRef && !tokenRef) {
params.profile.tokenRef = inlineTokenRef;
delete (params.profile as unknown as Record<string, unknown>).token;
}
if (tokenRef && isNonEmptyString(params.profile.token)) {
params.context.warnings.push({
code: "SECRETS_REF_OVERRIDES_PLAINTEXT",
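Review bot: the double cast in `delete (params.profile as unknown as Record<string, unknown>).token;` sidesteps the profile type, and the added block is a copy of the one in collectApiKeyProfileAssignment with only the field names changed. Suggest one small shared helper that takes the profile plus the inline and ref field names and performs the promote-and-delete, so the two paths cannot drift apart. If the profile type can declare `token` as optional, the delete would also no longer need the cast.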