feat(gateway): deprecate query param hook token auth for security (#2200)

* feat(gateway): deprecate query param hook token auth for security Query parameter tokens appear in: - Server access logs - Browser history - Referrer headers - Network monitoring tools This change adds a deprecation warning when tokens are provided via query parameter, encouraging migration to header-based authentication (Authorization: Bearer <token> or X-Clawdbot-Token header). Changes: - Modified extractHookToken to return { token, fromQuery } object - Added deprecation warning in server-http.ts when fromQuery is true - Updated tests to verify the new return type and fromQuery flag Fixes #2148 Co-Authored-By: Claude <noreply@anthropic.com> * fix: deprecate hook query token auth (#2200) (thanks @YuriNachos) --------- Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-05-08 11:41:24 +00:00 · 2026-01-26 15:51:25 +01:00
parent f3e3c4573b
commit 961b4adc1c
5 changed files with 32 additions and 13 deletions
--- a/src/gateway/server-http.ts
+++ b/src/gateway/server-http.ts
@@ -76,13 +76,20 @@ export function createHooksRequestHandler(
      return false;
    }

-    const token = extractHookToken(req, url);
+    const { token, fromQuery } = extractHookToken(req, url);
    if (!token || token !== hooksConfig.token) {
      res.statusCode = 401;
      res.setHeader("Content-Type", "text/plain; charset=utf-8");
      res.end("Unauthorized");
      return true;
    }
+    if (fromQuery) {
+      logHooks.warn(
+        "Hook token provided via query parameter is deprecated for security reasons. " +
+          "Tokens in URLs appear in logs, browser history, and referrer headers. " +
+          "Use Authorization: Bearer <token> or X-Clawdbot-Token header instead.",
+      );
+    }

    if (req.method !== "POST") {
      res.statusCode = 405;