fix: enforce hooks token separation from gateway auth (#20813)

* fix(an-03): apply security fix Generated by staged fix workflow. * fix(an-03): apply security fix Generated by staged fix workflow. * fix(an-03): remove stale test-link artifact from patch Remove accidental a2ui test-link artifact from the tracked diff and keep startup auth enforcement centralized in startup-auth.ts.
2026-05-09 11:37:38 +00:00 · 2026-02-19 02:48:08 -08:00
parent 267bb3c81c
commit f7a7a28c56
4 changed files with 114 additions and 4 deletions
--- a/src/gateway/startup-auth.test.ts
+++ b/src/gateway/startup-auth.test.ts
@@ -13,7 +13,10 @@ vi.mock("../config/config.js", async (importOriginal) => {
  };
 });

-import { ensureGatewayStartupAuth } from "./startup-auth.js";
+import {
+  assertHooksTokenSeparateFromGatewayAuth,
+  ensureGatewayStartupAuth,
+} from "./startup-auth.js";

 describe("ensureGatewayStartupAuth", () => {
  async function expectEphemeralGeneratedTokenWhenOverridden(cfg: OpenClawConfig) {
@@ -188,4 +191,79 @@ describe("ensureGatewayStartupAuth", () => {
      },
    });
  });
+
+  it("throws when hooks token reuses gateway token resolved from env", async () => {
+    await expect(
+      ensureGatewayStartupAuth({
+        cfg: {
+          hooks: {
+            enabled: true,
+            token: "shared-gateway-token-1234567890",
+          },
+        },
+        env: {
+          OPENCLAW_GATEWAY_TOKEN: "shared-gateway-token-1234567890",
+        } as NodeJS.ProcessEnv,
+      }),
+    ).rejects.toThrow(/hooks\.token must not match gateway auth token/i);
+  });
+});
+
+describe("assertHooksTokenSeparateFromGatewayAuth", () => {
+  it("throws when hooks token reuses gateway token auth", () => {
+    expect(() =>
+      assertHooksTokenSeparateFromGatewayAuth({
+        cfg: {
+          hooks: {
+            enabled: true,
+            token: "shared-gateway-token-1234567890",
+          },
+        },
+        auth: {
+          mode: "token",
+          modeSource: "config",
+          token: "shared-gateway-token-1234567890",
+          allowTailscale: false,
+        },
+      }),
+    ).toThrow(/hooks\.token must not match gateway auth token/i);
+  });
+
+  it("allows hooks token when gateway auth is not token mode", () => {
+    expect(() =>
+      assertHooksTokenSeparateFromGatewayAuth({
+        cfg: {
+          hooks: {
+            enabled: true,
+            token: "shared-gateway-token-1234567890",
+          },
+        },
+        auth: {
+          mode: "password",
+          modeSource: "config",
+          password: "pw",
+          allowTailscale: false,
+        },
+      }),
+    ).not.toThrow();
+  });
+
+  it("allows matching values when hooks are disabled", () => {
+    expect(() =>
+      assertHooksTokenSeparateFromGatewayAuth({
+        cfg: {
+          hooks: {
+            enabled: false,
+            token: "shared-gateway-token-1234567890",
+          },
+        },
+        auth: {
+          mode: "token",
+          modeSource: "config",
+          token: "shared-gateway-token-1234567890",
+          allowTailscale: false,
+        },
+      }),
+    ).not.toThrow();
+  });
 });