fix: harden extension relay auth token flow

2026-05-20 13:35:00 +00:00 · 2026-02-21 19:24:37 +01:00
parent 89aad7b922
commit afa22acc4a
4 changed files with 152 additions and 52 deletions
--- a/src/browser/browser-utils.test.ts
+++ b/src/browser/browser-utils.test.ts
@@ -3,10 +3,15 @@ import { appendCdpPath, getHeadersWithAuth } from "./cdp.helpers.js";
 import { __test } from "./client-fetch.js";
 import { resolveBrowserConfig, resolveProfile } from "./config.js";
 import { shouldRejectBrowserMutation } from "./csrf.js";
+import {
+  ensureChromeExtensionRelayServer,
+  stopChromeExtensionRelayServer,
+} from "./extension-relay.js";
 import { toBoolean } from "./routes/utils.js";
 import type { BrowserServerState } from "./server-context.js";
 import { listKnownProfileNames } from "./server-context.js";
 import { resolveTargetIdFromTabs } from "./target-id.js";
+import { getFreePort } from "./test-port.js";

 describe("toBoolean", () => {
  it("parses yes/no and 1/0", () => {
@@ -161,6 +166,31 @@ describe("cdp.helpers", () => {
    });
    expect(headers.Authorization).toBe("Bearer token");
  });
+
+  it("does not add relay header for unknown loopback ports", () => {
+    const headers = getHeadersWithAuth("http://127.0.0.1:19444/json/version");
+    expect(headers["x-openclaw-relay-token"]).toBeUndefined();
+  });
+
+  it("adds relay header for known relay ports", async () => {
+    const port = await getFreePort();
+    const cdpUrl = `http://127.0.0.1:${port}`;
+    const prev = process.env.OPENCLAW_GATEWAY_TOKEN;
+    process.env.OPENCLAW_GATEWAY_TOKEN = "test-gateway-token";
+    try {
+      await ensureChromeExtensionRelayServer({ cdpUrl });
+      const headers = getHeadersWithAuth(`${cdpUrl}/json/version`);
+      expect(headers["x-openclaw-relay-token"]).toBeTruthy();
+      expect(headers["x-openclaw-relay-token"]).not.toBe("test-gateway-token");
+    } finally {
+      await stopChromeExtensionRelayServer({ cdpUrl }).catch(() => {});
+      if (prev === undefined) {
+        delete process.env.OPENCLAW_GATEWAY_TOKEN;
+      } else {
+        process.env.OPENCLAW_GATEWAY_TOKEN = prev;
+      }
+    }
+  });
 });

 describe("fetchBrowserJson loopback auth (bridge auth registry)", () => {