Auth profiles: never persist plaintext when refs are present

2026-05-09 16:44:33 +00:00 · 2026-02-21 17:08:20 -08:00
parent 4c5a2c3c6d
commit e1301c31e7
5 changed files with 157 additions and 12 deletions
--- a/src/agents/auth-profiles.store.save.test.ts
+++ b/src/agents/auth-profiles.store.save.test.ts
@@ -0,0 +1,62 @@
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+import { describe, expect, it } from "vitest";
+import { resolveAuthStorePath } from "./auth-profiles/paths.js";
+import { saveAuthProfileStore } from "./auth-profiles/store.js";
+import type { AuthProfileStore } from "./auth-profiles/types.js";
+
+describe("saveAuthProfileStore", () => {
+  it("strips plaintext when keyRef/tokenRef are present", async () => {
+    const agentDir = await fs.mkdtemp(path.join(os.tmpdir(), "openclaw-auth-save-"));
+    try {
+      const store: AuthProfileStore = {
+        version: 1,
+        profiles: {
+          "openai:default": {
+            type: "api_key",
+            provider: "openai",
+            key: "sk-runtime-value",
+            keyRef: { source: "env", id: "OPENAI_API_KEY" },
+          },
+          "github-copilot:default": {
+            type: "token",
+            provider: "github-copilot",
+            token: "gh-runtime-token",
+            tokenRef: { source: "env", id: "GITHUB_TOKEN" },
+          },
+          "anthropic:default": {
+            type: "api_key",
+            provider: "anthropic",
+            key: "sk-anthropic-plain",
+          },
+        },
+      };
+
+      saveAuthProfileStore(store, agentDir);
+
+      const parsed = JSON.parse(await fs.readFile(resolveAuthStorePath(agentDir), "utf8")) as {
+        profiles: Record<
+          string,
+          { key?: string; keyRef?: unknown; token?: string; tokenRef?: unknown }
+        >;
+      };
+
+      expect(parsed.profiles["openai:default"]?.key).toBeUndefined();
+      expect(parsed.profiles["openai:default"]?.keyRef).toEqual({
+        source: "env",
+        id: "OPENAI_API_KEY",
+      });
+
+      expect(parsed.profiles["github-copilot:default"]?.token).toBeUndefined();
+      expect(parsed.profiles["github-copilot:default"]?.tokenRef).toEqual({
+        source: "env",
+        id: "GITHUB_TOKEN",
+      });
+
+      expect(parsed.profiles["anthropic:default"]?.key).toBe("sk-anthropic-plain");
+    } finally {
+      await fs.rm(agentDir, { recursive: true, force: true });
+    }
+  });
+});