github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 20:38:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(gateway): deprecate query param hook token auth for security (#2200)

Browse Source 
* feat(gateway): deprecate query param hook token auth for security

Query parameter tokens appear in:
- Server access logs
- Browser history
- Referrer headers
- Network monitoring tools

This change adds a deprecation warning when tokens are provided via
query parameter, encouraging migration to header-based authentication
(Authorization: Bearer <token> or X-Clawdbot-Token header).

Changes:
- Modified extractHookToken to return { token, fromQuery } object
- Added deprecation warning in server-http.ts when fromQuery is true
- Updated tests to verify the new return type and fromQuery flag

Fixes #2148

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: deprecate hook query token auth (#2200) (thanks @YuriNachos)

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
This commit is contained in:
Yuri Chukhlib
2026-01-26 15:51:25 +01:00
committed by GitHub
parent f3e3c4573b
commit 961b4adc1c
5 changed files with 32 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
src/gateway/hooks.ts
View File

@@ -41,21 +41,26 @@ export function resolveHooksConfig(cfg: ClawdbotConfig): HooksConfigResolved | n
};
}
export function extractHookToken(req: IncomingMessage, url: URL): string | undefined {
export type HookTokenResult = {
token: string | undefined;
fromQuery: boolean;
};
export function extractHookToken(req: IncomingMessage, url: URL): HookTokenResult {
const auth =
typeof req.headers.authorization === "string" ? req.headers.authorization.trim() : "";
if (auth.toLowerCase().startsWith("bearer ")) {
const token = auth.slice(7).trim();
if (token) return token;
if (token) return { token, fromQuery: false };
}
const headerToken =
typeof req.headers["x-clawdbot-token"] === "string"
? req.headers["x-clawdbot-token"].trim()
: "";
if (headerToken) return headerToken;
if (headerToken) return { token: headerToken, fromQuery: false };
const queryToken = url.searchParams.get("token");
if (queryToken) return queryToken.trim();
return undefined;
if (queryToken) return { token: queryToken.trim(), fromQuery: true };
return { token: undefined, fromQuery: false };
}
export async function readJsonBody(