fix: enforce hooks token separation from gateway auth (#20813)

* fix(an-03): apply security fix Generated by staged fix workflow. * fix(an-03): apply security fix Generated by staged fix workflow. * fix(an-03): remove stale test-link artifact from patch Remove accidental a2ui test-link artifact from the tracked diff and keep startup auth enforcement centralized in startup-auth.ts.
2026-05-08 01:11:23 +00:00 · 2026-02-19 02:48:08 -08:00
parent 267bb3c81c
commit f7a7a28c56
4 changed files with 114 additions and 4 deletions
--- a/src/gateway/startup-auth.test.ts
+++ b/src/gateway/startup-auth.test.ts
@@ -13,7 +13,10 @@ vi.mock("../config/config.js", async (importOriginal) => {
  };
 });

-import { ensureGatewayStartupAuth } from "./startup-auth.js";
+import {
+  assertHooksTokenSeparateFromGatewayAuth,
+  ensureGatewayStartupAuth,
+} from "./startup-auth.js";

 describe("ensureGatewayStartupAuth", () => {
  async function expectEphemeralGeneratedTokenWhenOverridden(cfg: OpenClawConfig) {
@@ -188,4 +191,79 @@ describe("ensureGatewayStartupAuth", () => {
      },
    });
  });
+
+  it("throws when hooks token reuses gateway token resolved from env", async () => {
+    await expect(
+      ensureGatewayStartupAuth({
+        cfg: {
+          hooks: {
+            enabled: true,
+            token: "shared-gateway-token-1234567890",
+          },
+        },
+        env: {
+          OPENCLAW_GATEWAY_TOKEN: "shared-gateway-token-1234567890",
+        } as NodeJS.ProcessEnv,
+      }),
+    ).rejects.toThrow(/hooks\.token must not match gateway auth token/i);
+  });
+});
+
+describe("assertHooksTokenSeparateFromGatewayAuth", () => {
+  it("throws when hooks token reuses gateway token auth", () => {
+    expect(() =>
+      assertHooksTokenSeparateFromGatewayAuth({
+        cfg: {
+          hooks: {
+            enabled: true,
+            token: "shared-gateway-token-1234567890",
+          },
+        },
+        auth: {
+          mode: "token",
+          modeSource: "config",
+          token: "shared-gateway-token-1234567890",
+          allowTailscale: false,
+        },
+      }),
+    ).toThrow(/hooks\.token must not match gateway auth token/i);
+  });
+
+  it("allows hooks token when gateway auth is not token mode", () => {
+    expect(() =>
+      assertHooksTokenSeparateFromGatewayAuth({
+        cfg: {
+          hooks: {
+            enabled: true,
+            token: "shared-gateway-token-1234567890",
+          },
+        },
+        auth: {
+          mode: "password",
+          modeSource: "config",
+          password: "pw",
+          allowTailscale: false,
+        },
+      }),
+    ).not.toThrow();
+  });
+
+  it("allows matching values when hooks are disabled", () => {
+    expect(() =>
+      assertHooksTokenSeparateFromGatewayAuth({
+        cfg: {
+          hooks: {
+            enabled: false,
+            token: "shared-gateway-token-1234567890",
+          },
+        },
+        auth: {
+          mode: "token",
+          modeSource: "config",
+          token: "shared-gateway-token-1234567890",
+          allowTailscale: false,
+        },
+      }),
+    ).not.toThrow();
+  });
 });
--- a/src/gateway/startup-auth.ts
+++ b/src/gateway/startup-auth.ts
@@ -109,6 +109,7 @@ export async function ensureGatewayStartupAuth(params: {
    tailscaleOverride: params.tailscaleOverride,
  });
  if (resolved.mode !== "token" || (resolved.token?.trim().length ?? 0) > 0) {
+    assertHooksTokenSeparateFromGatewayAuth({ cfg: params.cfg, auth: resolved });
    return { cfg: params.cfg, auth: resolved, persistedGeneratedToken: false };
  }

@@ -138,6 +139,7 @@ export async function ensureGatewayStartupAuth(params: {
    authOverride: params.authOverride,
    tailscaleOverride: params.tailscaleOverride,
  });
+  assertHooksTokenSeparateFromGatewayAuth({ cfg: nextCfg, auth: nextAuth });
  return {
    cfg: nextCfg,
    auth: nextAuth,
@@ -145,3 +147,30 @@ export async function ensureGatewayStartupAuth(params: {
    persistedGeneratedToken: persist,
  };
 }
+
+export function assertHooksTokenSeparateFromGatewayAuth(params: {
+  cfg: OpenClawConfig;
+  auth: ResolvedGatewayAuth;
+}): void {
+  if (params.cfg.hooks?.enabled !== true) {
+    return;
+  }
+  const hooksToken =
+    typeof params.cfg.hooks.token === "string" ? params.cfg.hooks.token.trim() : "";
+  if (!hooksToken) {
+    return;
+  }
+  const gatewayToken =
+    params.auth.mode === "token" && typeof params.auth.token === "string"
+      ? params.auth.token.trim()
+      : "";
+  if (!gatewayToken) {
+    return;
+  }
+  if (hooksToken !== gatewayToken) {
+    return;
+  }
+  throw new Error(
+    "Invalid config: hooks.token must not match gateway auth token. Set a distinct hooks.token for hook ingress.",
+  );
+}