github/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-09 20:14:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(daemon): warn on token drift during restart (#18018)

Browse Source 
When the gateway token in config differs from the token embedded in the
service plist/unit file, restart will not apply the new token. This can
cause silent auth failures after OAuth token switches.

Changes:
- Add checkTokenDrift() to service-audit.ts
- Call it in runServiceRestart() before restarting
- Warn user with suggestion to run 'openclaw gateway install --force'

Closes #18018
This commit is contained in:
Operative-001
2026-02-16 14:03:28 +01:00
committed by Peter Steinberger
parent 8af4712c40
commit d6e85aa6ba
3 changed files with 90 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
src/daemon/service-audit.test.ts
View File

@@ -1,5 +1,5 @@
import { describe, expect, it } from "vitest";
import { auditGatewayServiceConfig, SERVICE_AUDIT_CODES } from "./service-audit.js";
import { auditGatewayServiceConfig, checkTokenDrift, SERVICE_AUDIT_CODES } from "./service-audit.js";
import { buildMinimalServicePath } from "./service-env.js";
describe("auditGatewayServiceConfig", () => {
@@ -97,3 +97,39 @@ describe("auditGatewayServiceConfig", () => {
).toBe(false);
});
});
describe("checkTokenDrift", () => {
it("returns null when both tokens are undefined", () => {
const result = checkTokenDrift({ serviceToken: undefined, configToken: undefined });
expect(result).toBeNull();
});
it("returns null when both tokens are empty strings", () => {
const result = checkTokenDrift({ serviceToken: "", configToken: "" });
expect(result).toBeNull();
});
it("returns null when tokens match", () => {
const result = checkTokenDrift({ serviceToken: "same-token", configToken: "same-token" });
expect(result).toBeNull();
});
it("detects drift when config has token but service has different token", () => {
const result = checkTokenDrift({ serviceToken: "old-token", configToken: "new-token" });
expect(result).not.toBeNull();
expect(result?.code).toBe(SERVICE_AUDIT_CODES.gatewayTokenDrift);
expect(result?.message).toContain("differs from service token");
});
it("detects drift when config has token but service has no token", () => {
const result = checkTokenDrift({ serviceToken: undefined, configToken: "new-token" });
expect(result).not.toBeNull();
expect(result?.code).toBe(SERVICE_AUDIT_CODES.gatewayTokenDrift);
});
it("returns null when service has token but config does not", () => {
// This is not really drift - service will work, just config is incomplete
const result = checkTokenDrift({ serviceToken: "service-token", configToken: undefined });
expect(result).toBeNull();
});
});