fix(browser): require auth on control HTTP and auto-bootstrap token

2026-05-08 18:58:26 +00:00 · 2026-02-13 02:01:57 +01:00
parent 85409e401b
commit 9230a2ae14
11 changed files with 634 additions and 5 deletions
--- a/src/browser/server.ts
+++ b/src/browser/server.ts
@@ -1,9 +1,11 @@
-import type { Server } from "node:http";
+import type { IncomingMessage, Server } from "node:http";
 import express from "express";
 import type { BrowserRouteRegistrar } from "./routes/types.js";
 import { loadConfig } from "../config/config.js";
 import { createSubsystemLogger } from "../logging/subsystem.js";
+import { safeEqualSecret } from "../security/secret-equal.js";
 import { resolveBrowserConfig, resolveProfile } from "./config.js";
+import { ensureBrowserControlAuth, resolveBrowserControlAuth } from "./control-auth.js";
 import { ensureChromeExtensionRelayServer } from "./extension-relay.js";
 import { registerBrowserRoutes } from "./routes/index.js";
 import { type BrowserServerState, createBrowserRouteContext } from "./server-context.js";
@@ -12,6 +14,67 @@ let state: BrowserServerState | null = null;
 const log = createSubsystemLogger("browser");
 const logServer = log.child("server");

+function firstHeaderValue(value: string | string[] | undefined): string {
+  return Array.isArray(value) ? (value[0] ?? "") : (value ?? "");
+}
+
+function parseBearerToken(authorization: string): string | undefined {
+  if (!authorization || !authorization.toLowerCase().startsWith("bearer ")) {
+    return undefined;
+  }
+  const token = authorization.slice(7).trim();
+  return token || undefined;
+}
+
+function parseBasicPassword(authorization: string): string | undefined {
+  if (!authorization || !authorization.toLowerCase().startsWith("basic ")) {
+    return undefined;
+  }
+  const encoded = authorization.slice(6).trim();
+  if (!encoded) {
+    return undefined;
+  }
+  try {
+    const decoded = Buffer.from(encoded, "base64").toString("utf8");
+    const sep = decoded.indexOf(":");
+    if (sep < 0) {
+      return undefined;
+    }
+    const password = decoded.slice(sep + 1).trim();
+    return password || undefined;
+  } catch {
+    return undefined;
+  }
+}
+
+function isAuthorizedBrowserRequest(
+  req: IncomingMessage,
+  auth: { token?: string; password?: string },
+): boolean {
+  const authorization = firstHeaderValue(req.headers.authorization).trim();
+
+  if (auth.token) {
+    const bearer = parseBearerToken(authorization);
+    if (bearer && safeEqualSecret(bearer, auth.token)) {
+      return true;
+    }
+  }
+
+  if (auth.password) {
+    const passwordHeader = firstHeaderValue(req.headers["x-openclaw-password"]).trim();
+    if (passwordHeader && safeEqualSecret(passwordHeader, auth.password)) {
+      return true;
+    }
+
+    const basicPassword = parseBasicPassword(authorization);
+    if (basicPassword && safeEqualSecret(basicPassword, auth.password)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
 export async function startBrowserControlServerFromConfig(): Promise<BrowserServerState | null> {
  if (state) {
    return state;
@@ -23,6 +86,17 @@ export async function startBrowserControlServerFromConfig(): Promise<BrowserServ
    return null;
  }

+  let browserAuth = resolveBrowserControlAuth(cfg);
+  try {
+    const ensured = await ensureBrowserControlAuth({ cfg });
+    browserAuth = ensured.auth;
+    if (ensured.generatedToken) {
+      logServer.info("No browser auth configured; generated gateway.auth.token automatically.");
+    }
+  } catch (err) {
+    logServer.warn(`failed to auto-configure browser auth: ${String(err)}`);
+  }
+
  const app = express();
  app.use((req, res, next) => {
    const ctrl = new AbortController();
@@ -39,6 +113,15 @@ export async function startBrowserControlServerFromConfig(): Promise<BrowserServ
  });
  app.use(express.json({ limit: "1mb" }));

+  if (browserAuth.token || browserAuth.password) {
+    app.use((req, res, next) => {
+      if (isAuthorizedBrowserRequest(req, browserAuth)) {
+        return next();
+      }
+      res.status(401).send("Unauthorized");
+    });
+  }
+
  const ctx = createBrowserRouteContext({
    getState: () => state,
  });
@@ -76,7 +159,8 @@ export async function startBrowserControlServerFromConfig(): Promise<BrowserServ
    });
  }

-  logServer.info(`Browser control listening on http://127.0.0.1:${port}/`);
+  const authMode = browserAuth.token ? "token" : browserAuth.password ? "password" : "off";
+  logServer.info(`Browser control listening on http://127.0.0.1:${port}/ (auth=${authMode})`);
  return state;
 }