nyrn
/
openclaw
mirror of https://github.com/openclaw/openclaw.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

refactor(browser): centralize http auth

This commit is contained in:
Peter Steinberger 2026-02-14 13:30:11 +01:00
parent cd84885a4a
commit af50b914a4
3 changed files with 66 additions and 126 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
src/browser/bridge-server.ts
View File

@ -1,12 +1,11 @@
import type { Server } from "node:http";
import type { IncomingMessage } from "node:http";
import type { AddressInfo } from "node:net";
import express from "express";
import type { ResolvedBrowserConfig } from "./config.js";
import type { BrowserRouteRegistrar } from "./routes/types.js";
import { isLoopbackHost } from "../gateway/net.js";
import { safeEqualSecret } from "../security/secret-equal.js";
import { deleteBridgeAuthForPort, setBridgeAuthForPort } from "./bridge-auth-registry.js";
import { isAuthorizedBrowserRequest } from "./http-auth.js";
import { registerBrowserRoutes } from "./routes/index.js";
import {
type BrowserServerState,
@ -14,67 +13,6 @@ import {
type ProfileContext,
} from "./server-context.js";
function firstHeaderValue(value: string | string[] | undefined): string {
return Array.isArray(value) ? (value[0] ?? "") : (value ?? "");
}
function parseBearerToken(authorization: string): string | undefined {
if (!authorization || !authorization.toLowerCase().startsWith("bearer ")) {
return undefined;
}
const token = authorization.slice(7).trim();
return token || undefined;
}
function parseBasicPassword(authorization: string): string | undefined {
if (!authorization || !authorization.toLowerCase().startsWith("basic ")) {
return undefined;
}
const encoded = authorization.slice(6).trim();
if (!encoded) {
return undefined;
}
try {
const decoded = Buffer.from(encoded, "base64").toString("utf8");
const sep = decoded.indexOf(":");
if (sep < 0) {
return undefined;
}
const password = decoded.slice(sep + 1).trim();
return password || undefined;
} catch {
return undefined;
}
}
function isAuthorizedBrowserRequest(
req: IncomingMessage,
auth: { token?: string; password?: string },
): boolean {
const authorization = firstHeaderValue(req.headers.authorization).trim();
if (auth.token) {
const bearer = parseBearerToken(authorization);
if (bearer && safeEqualSecret(bearer, auth.token)) {
return true;
}
}
if (auth.password) {
const passwordHeader = firstHeaderValue(req.headers["x-openclaw-password"]).trim();
if (passwordHeader && safeEqualSecret(passwordHeader, auth.password)) {
return true;
}
const basicPassword = parseBasicPassword(authorization);
if (basicPassword && safeEqualSecret(basicPassword, auth.password)) {
return true;
}
}
return false;
}
export type BrowserBridge = {
server: Server;
port: number;

63
src/browser/http-auth.ts Normal file
View File

@ -0,0 +1,63 @@
import type { IncomingMessage } from "node:http";
import { safeEqualSecret } from "../security/secret-equal.js";
function firstHeaderValue(value: string | string[] | undefined): string {
return Array.isArray(value) ? (value[0] ?? "") : (value ?? "");
}
function parseBearerToken(authorization: string): string | undefined {
if (!authorization || !authorization.toLowerCase().startsWith("bearer ")) {
return undefined;
}
const token = authorization.slice(7).trim();
return token || undefined;
}
function parseBasicPassword(authorization: string): string | undefined {
if (!authorization || !authorization.toLowerCase().startsWith("basic ")) {
return undefined;
}
const encoded = authorization.slice(6).trim();
if (!encoded) {
return undefined;
}
try {
const decoded = Buffer.from(encoded, "base64").toString("utf8");
const sep = decoded.indexOf(":");
if (sep < 0) {
return undefined;
}
const password = decoded.slice(sep + 1).trim();
return password || undefined;
} catch {
return undefined;
}
}
export function isAuthorizedBrowserRequest(
req: IncomingMessage,
auth: { token?: string; password?: string },
): boolean {
const authorization = firstHeaderValue(req.headers.authorization).trim();
if (auth.token) {
const bearer = parseBearerToken(authorization);
if (bearer && safeEqualSecret(bearer, auth.token)) {
return true;
}
}
if (auth.password) {
const passwordHeader = firstHeaderValue(req.headers["x-openclaw-password"]).trim();
if (passwordHeader && safeEqualSecret(passwordHeader, auth.password)) {
return true;
}
const basicPassword = parseBasicPassword(authorization);
if (basicPassword && safeEqualSecret(basicPassword, auth.password)) {
return true;
}
}
return false;
}

65
src/browser/server.ts
View File

@ -1,12 +1,12 @@
import type { IncomingMessage, Server } from "node:http";
import type { Server } from "node:http";
import express from "express";
import type { BrowserRouteRegistrar } from "./routes/types.js";
import { loadConfig } from "../config/config.js";
import { createSubsystemLogger } from "../logging/subsystem.js";
import { safeEqualSecret } from "../security/secret-equal.js";
import { resolveBrowserConfig, resolveProfile } from "./config.js";
import { ensureBrowserControlAuth, resolveBrowserControlAuth } from "./control-auth.js";
import { ensureChromeExtensionRelayServer } from "./extension-relay.js";
import { isAuthorizedBrowserRequest } from "./http-auth.js";
import { isPwAiLoaded } from "./pw-ai-state.js";
import { registerBrowserRoutes } from "./routes/index.js";
import {
@ -19,67 +19,6 @@ let state: BrowserServerState | null = null;
const log = createSubsystemLogger("browser");
const logServer = log.child("server");
function firstHeaderValue(value: string | string[] | undefined): string {
return Array.isArray(value) ? (value[0] ?? "") : (value ?? "");
}
function parseBearerToken(authorization: string): string | undefined {
if (!authorization || !authorization.toLowerCase().startsWith("bearer ")) {
return undefined;
}
const token = authorization.slice(7).trim();
return token || undefined;
}
function parseBasicPassword(authorization: string): string | undefined {
if (!authorization || !authorization.toLowerCase().startsWith("basic ")) {
return undefined;
}
const encoded = authorization.slice(6).trim();
if (!encoded) {
return undefined;
}
try {
const decoded = Buffer.from(encoded, "base64").toString("utf8");
const sep = decoded.indexOf(":");
if (sep < 0) {
return undefined;
}
const password = decoded.slice(sep + 1).trim();
return password || undefined;
} catch {
return undefined;
}
}
function isAuthorizedBrowserRequest(
req: IncomingMessage,
auth: { token?: string; password?: string },
): boolean {
const authorization = firstHeaderValue(req.headers.authorization).trim();
if (auth.token) {
const bearer = parseBearerToken(authorization);
if (bearer && safeEqualSecret(bearer, auth.token)) {
return true;
}
}
if (auth.password) {
const passwordHeader = firstHeaderValue(req.headers["x-openclaw-password"]).trim();
if (passwordHeader && safeEqualSecret(passwordHeader, auth.password)) {
return true;
}
const basicPassword = parseBasicPassword(authorization);
if (basicPassword && safeEqualSecret(basicPassword, auth.password)) {
return true;
}
}
return false;
}
export async function startBrowserControlServerFromConfig(): Promise<BrowserServerState | null> {
if (state) {
return state;