Ayuriel/openclaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(gateway): enable device identity for loopback probes when token SecretRef is unresolved (#51016)

Browse Source
This commit is contained in:
LehaoLin 2026-03-21 01:44:08 +08:00
parent 06311f89e0
commit d398aaf048
2 changed files with 4 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/gateway/probe.test.ts
View File

@ -61,7 +61,7 @@ describe("probeGateway", () => {
expect(result.ok).toBe(true);
});
it("keeps device identity enabled for remote probes", async () => {
it("enables device identity for remote probes", async () => {
await probeGateway({
url: "wss://gateway.example/ws",
auth: { token: "secret" },
@ -71,13 +71,13 @@ describe("probeGateway", () => {
expect(gatewayClientState.options?.deviceIdentity).toBeUndefined();
});
it("keeps device identity disabled for unauthenticated loopback probes", async () => {
it("enables device identity for loopback probes", async () => {
await probeGateway({
url: "ws://127.0.0.1:18789",
timeoutMs: 1_000,
});
expect(gatewayClientState.options?.deviceIdentity).toBeNull();
expect(gatewayClientState.options?.deviceIdentity).toBeUndefined();
});
it("skips detail RPCs for lightweight reachability probes", async () => {

12
src/gateway/probe.ts
View File

@ -4,7 +4,6 @@ import type { SystemPresence } from "../infra/system-presence.js";
import { GATEWAY_CLIENT_MODES, GATEWAY_CLIENT_NAMES } from "../utils/message-channel.js";
import { GatewayClient } from "./client.js";
import { READ_SCOPE } from "./method-scopes.js";
import { isLoopbackHost } from "./net.js";
export type GatewayProbeAuth = {
token?: string;
@ -42,16 +41,7 @@ export async function probeGateway(opts: {
let connectError: string | null = null;
let close: GatewayProbeClose | null = null;
const disableDeviceIdentity = (() => {
try {
const hostname = new URL(opts.url).hostname;
// Local authenticated probes should stay device-bound so read/detail RPCs
// are not scope-limited by the shared-auth scope stripping hardening.
return isLoopbackHost(hostname) && !(opts.auth?.token || opts.auth?.password);
} catch {
return false;
}
})();
const disableDeviceIdentity = false;
const detailLevel = opts.includeDetails === false ? "none" : (opts.detailLevel ?? "full");