github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-08 05:51:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(gateway): harden canvas auth with session capabilities

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-19 15:50:42 +01:00
parent f76f98b268
commit c45f3c5b00
11 changed files with 353 additions and 126 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
src/gateway/server/ws-connection/message-handler.ts
View File

@@ -30,6 +30,11 @@ import {
} from "../../auth-rate-limit.js";
import type { GatewayAuthResult, ResolvedGatewayAuth } from "../../auth.js";
import { authorizeGatewayConnect, isLocalDirectRequest } from "../../auth.js";
import {
buildCanvasScopedHostUrl,
CANVAS_CAPABILITY_TTL_MS,
mintCanvasCapabilityToken,
} from "../../canvas-capability.js";
import { buildDeviceAuthPayload } from "../../device-auth.js";
import { isLoopbackAddress, isTrustedProxyAddress, resolveGatewayClientIp } from "../../net.js";
import { resolveHostName } from "../../net.js";
@@ -822,6 +827,15 @@ export function attachGatewayWsMessageHandler(params: {
snapshot.health = cachedHealth;
snapshot.stateVersion.health = getHealthVersion();
}
const canvasCapability =
role === "node" && canvasHostUrl ? mintCanvasCapabilityToken() : undefined;
const canvasCapabilityExpiresAtMs = canvasCapability
? Date.now() + CANVAS_CAPABILITY_TTL_MS
: undefined;
const scopedCanvasHostUrl =
canvasHostUrl && canvasCapability
? (buildCanvasScopedHostUrl(canvasHostUrl, canvasCapability) ?? canvasHostUrl)
: canvasHostUrl;
const helloOk = {
type: "hello-ok",
protocol: PROTOCOL_VERSION,
@@ -833,7 +847,7 @@ export function attachGatewayWsMessageHandler(params: {
},
features: { methods: gatewayMethods, events },
snapshot,
canvasHostUrl,
canvasHostUrl: scopedCanvasHostUrl,
auth: deviceToken
? {
deviceToken: deviceToken.token,
@@ -856,6 +870,8 @@ export function attachGatewayWsMessageHandler(params: {
connId,
presenceKey,
clientIp: reportedClientIp,
canvasCapability,
canvasCapabilityExpiresAtMs,
};
setClient(nextClient);
setHandshakeState("connected");