Peter Steinberger
bf89947a8e
fix: switch pairing setup codes to bootstrap tokens
2026-03-12 22:23:07 +00:00
Peter Steinberger
1d986f1c01
refactor(gateway): move request client ip resolution to net
2026-03-12 21:41:51 +00:00
Peter Steinberger
4da617e178
fix(gateway): honor trusted proxy hook auth rate limits
2026-03-12 21:35:57 +00:00
Vincent Koc
889a60e122
Gateway Auth: allowlist bootstrap password references
2026-03-07 16:27:00 -08:00
Peter Steinberger
ab704b7aca
fix(gateway): explain provider-object password bootstrap errors (#39230, thanks @ademczuk)
...
Co-authored-by: ademczuk <andrew.demczuk@gmail.com>
2026-03-07 22:44:44 +00:00
Peter Steinberger
3a74dc00bf
fix(gateway): land #38725 from @ademczuk
...
Source: #38725 / 533ff3e70b by @ademczuk.
Thanks @ademczuk.
Co-authored-by: ademczuk <andrew.demczuk@gmail.com>
2026-03-07 22:35:38 +00:00
Vincent Koc
42e3d8d693
Secrets: add inline allowlist review set (#38314)
...
* Secrets: add inline allowlist review set
* Secrets: narrow detect-secrets file exclusions
* Secrets: exclude Docker fingerprint false positive
* Secrets: allowlist test and docs false positives
* Secrets: refresh baseline after allowlist updates
* Secrets: fix gateway chat fixture pragma
* Secrets: format pre-commit config
* Android: keep talk mode fixture JSON valid
* Feishu: rely on client timeout injection
* Secrets: allowlist provider auth test fixtures
* Secrets: allowlist onboard search fixtures
* Secrets: allowlist onboard mode fixture
* Secrets: allowlist gateway auth mode fixture
* Secrets: allowlist APNS wake test key
* Secrets: allowlist gateway reload fixtures
* Secrets: allowlist moonshot video fixture
* Secrets: allowlist auto audio fixture
* Secrets: allowlist tiny audio fixture
* Secrets: allowlist embeddings fixtures
* Secrets: allowlist resolve fixtures
* Secrets: allowlist target registry pattern fixtures
* Secrets: allowlist gateway chat env fixture
* Secrets: refresh baseline after fixture allowlists
* Secrets: reapply gateway chat env allowlist
* Secrets: reapply gateway chat env allowlist
* Secrets: stabilize gateway chat env allowlist
* Secrets: allowlist runtime snapshot save fixture
* Secrets: allowlist oauth profile fixtures
* Secrets: allowlist compaction identifier fixture
* Secrets: allowlist model auth fixture
* Secrets: allowlist model status fixtures
* Secrets: allowlist custom onboarding fixture
* Secrets: allowlist mattermost token summary fixtures
* Secrets: allowlist gateway auth suite fixtures
* Secrets: allowlist channel summary fixture
* Secrets: allowlist provider usage auth fixtures
* Secrets: allowlist media proxy fixture
* Secrets: allowlist secrets audit fixtures
* Secrets: refresh baseline after final fixture allowlists
* Feishu: prefer explicit client timeout
* Feishu: test direct timeout precedence
2026-03-06 19:35:26 -05:00
Josh Avant
72cf9253fc
Gateway: add SecretRef support for gateway.auth.token with auth-mode guardrails (#35094)
2026-03-05 12:53:56 -06:00
Peter Steinberger
08431da5d5
refactor(gateway): unify credential precedence across entrypoints
2026-02-22 18:55:44 +01:00
Peter Steinberger
f14ebd743c
refactor(security): unify local-host and tailnet CIDR checks
2026-02-22 17:20:27 +01:00
Peter Steinberger
be7f825006
refactor(gateway): harden proxy client ip resolution
2026-02-21 13:36:23 +01:00
Peter Steinberger
36a0df423d
refactor(gateway): make ws and http auth surfaces explicit
2026-02-21 13:33:09 +01:00
Peter Steinberger
356d61aacf
fix(gateway): scope tailscale tokenless auth to websocket
2026-02-21 13:03:13 +01:00
Gustavo Madeira Santana
c5698caca3
Security: default gateway auth bootstrap and explicit mode none (#20686)
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: be1b73182c
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Co-authored-by: gumadeiras <5599352+gumadeiras@users.noreply.github.com>
Reviewed-by: @gumadeiras
2026-02-19 02:35:50 -05:00
Peter Steinberger
1843bcf1db
refactor(gateway): share host header parsing
2026-02-15 16:15:53 +00:00
Nick Taylor
1fb52b4d7b
feat(gateway): add trusted-proxy auth mode (#15940)
...
Merged via /review-pr -> /prepare-pr -> /merge-pr.
Prepared head SHA: 279d4b304f
Co-authored-by: nickytonline <833231+nickytonline@users.noreply.github.com>
Co-authored-by: steipete <58493+steipete@users.noreply.github.com>
Reviewed-by: @steipete
2026-02-14 12:32:17 +01:00
Harald Buerbaumer
30b6eccae5
feat(gateway): add auth rate-limiting & brute-force protection (#15035)
...
* feat(gateway): add auth rate-limiting & brute-force protection
Add a per-IP sliding-window rate limiter to Gateway authentication
endpoints (HTTP, WebSocket upgrade, and WS message-level auth).
When gateway.auth.rateLimit is configured, failed auth attempts are
tracked per client IP. Once the threshold is exceeded within the
sliding window, further attempts are blocked with HTTP 429 + Retry-After
until the lockout period expires. Loopback addresses are exempt by
default so local CLI sessions are never locked out.
The limiter is only created when explicitly configured (undefined
otherwise), keeping the feature fully opt-in and backward-compatible.
* fix(gateway): isolate auth rate-limit scopes and normalize 429 responses
---------
Co-authored-by: buerbaumer <buerbaumer@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-02-13 15:32:38 +01:00
Peter Steinberger
113ebfd6a2
fix(security): harden hook and device token auth
2026-02-13 01:23:53 +01:00
quotentiroler
53910f3643
Deduplicate more
2026-02-09 18:56:58 -08:00
cpojer
f06dd8df06
chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports.
2026-02-01 10:03:47 +09:00
cpojer
5ceff756e1
chore: Enable "curly" rule to avoid single-statement if confusion/errors.
2026-01-31 16:19:20 +09:00
Peter Steinberger
9a7160786a
refactor: rename to openclaw
2026-01-30 03:16:21 +01:00
Peter Steinberger
3314b3996e
fix: harden gateway auth defaults
2026-01-26 18:24:26 +00:00
Peter Steinberger
c4a80f4edb
fix: require gateway auth by default
2026-01-26 12:56:33 +00:00
Peter Steinberger
fd9be79be1
fix: harden tailscale serve auth
2026-01-26 12:49:19 +00:00
Peter Steinberger
e6e71457e0
fix: honor trusted proxy client IPs (PR #1654)
...
Thanks @ndbroadbent.
Co-authored-by: Nathan Broadbent <git@ndbroadbent.com>
2026-01-25 01:52:19 +00:00
Peter Steinberger
d88b239d3c
feat: add device token auth and devices cli
2026-01-20 10:30:53 +00:00
Peter Steinberger
4965727f39
chore: run format and fix sandbox browser timeouts
2026-01-16 09:18:58 +00:00
Palash Oswal
d43d4fcced
Gateway auth: accept local Tailscale Serve hostnames and tailnet IPs (#885)
...
* Gateway auth: accept local Tailscale Serve hostnames and tailnet IPs
* fix: allow local Tailscale Serve hostnames (#885) (thanks @oswalpalash)
---------
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-01-16 07:51:25 +00:00
Peter Steinberger
c379191f80
chore: migrate to oxlint and oxfmt
...
Co-authored-by: Christoph Nakazawa <christoph.pojer@gmail.com>
2026-01-14 15:02:19 +00:00
Roshan Singh
7616b02bb1
Fix tailscale allowTailscale bypass in token mode
2026-01-13 04:34:28 +00:00
Peter Steinberger
36fa3c3cd3
fix: improve ws close diagnostics
2026-01-08 22:18:07 +00:00
Peter Steinberger
c7cade5232
style: tidy gateway auth imports
2026-01-08 08:26:40 +01:00
Peter Steinberger
b367ed75bf
fix: wire gateway auth diagnostics into doctor
2026-01-08 08:26:40 +01:00
Peter Steinberger
246adaa119
chore: rename project to clawdbot
2026-01-04 14:38:51 +00:00
Peter Steinberger
5ecb65cbbe
fix: persist gateway token for local CLI auth
2026-01-02 13:46:48 +01:00
Peter Steinberger
c8c807adcc
refactor: drop PAM auth and require password for funnel
2025-12-23 13:13:09 +00:00
Peter Steinberger
d69064f364
fix(gateway): avoid crash in handshake auth
2025-12-21 00:41:06 +00:00