nyrn
/
openclaw
mirror of https://github.com/openclaw/openclaw.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
14,831 Commits 736 Branches 79 Tags 2.7 GiB
Commit Graph

303 Commits

Author SHA1 Message Date
Peter Steinberger f41715a18f refactor(browser): split act route modules and dedupe path guards 2026-02-26 01:21:34 +01:00
Peter Steinberger 496a76c03b fix(security): harden browser trace/download temp path handling 2026-02-26 01:04:05 +01:00
Peter Steinberger ef326f5cd0 fix(browser): revalidate upload paths at use time 2026-02-26 00:40:56 +01:00
Peter Steinberger 31f2bf9519 test: fix gate regressions 2026-02-24 04:39:53 +00:00
Peter Steinberger f9de17106a refactor(browser): share relay token + options validation tests 2026-02-24 04:23:22 +00:00
Peter Steinberger 3f923e8313 test: add env -S allowlist bypass regressions 2026-02-24 02:28:00 +00:00
Peter Steinberger 5eb72ab769 fix(security): harden browser SSRF defaults and migrate legacy key 2026-02-24 01:52:01 +00:00
oneaix 216d99e585 fix(browser): derive relay auth token from gateway token in Chrome extension 
The extension relay server authenticates using an HMAC-SHA256 derived
token (`openclaw-extension-relay-v1:<port>`), but the Chrome extension
was sending the raw gateway token. This caused both the WebSocket
connection and the options page validation to fail with 401 Unauthorized.

Additionally, the options page validation request triggered a CORS
preflight (due to the custom `x-openclaw-relay-token` header) which the
relay rejects because OPTIONS requests lack auth headers. The options
page now delegates the check to the background service worker which has
host_permissions and bypasses CORS preflight.

Fixes #23842

Co-authored-by: Cursor <cursoragent@cursor.com>
(cherry picked from commit bbc654b9f0)
 2026-02-23 18:56:14 +00:00
Mustafa Kemal bb8f538cd4 Browser relay: accept raw gateway token in extension auth 
(cherry picked from commit e682a768d0)
 2026-02-23 18:56:14 +00:00
Peter Steinberger 1c753ea786 test: dedupe fixtures and test harness setup 2026-02-23 05:45:54 +00:00
Peter Steinberger 8af19ddc5b refactor: extract shared dedupe helpers for runtime paths 2026-02-23 05:43:43 +00:00
Peter Steinberger 2081b3a3c4 refactor(channels): dedupe hook and monitor execution paths 2026-02-22 21:19:09 +00:00
Peter Steinberger 8af6d1a186 refactor(test): dedupe repeated fixture setup helpers 2026-02-22 20:04:51 +00:00
Peter Steinberger 53ed7a0f5c test: dedupe repeated test fixtures and assertions 2026-02-22 18:37:25 +00:00
Peter Steinberger 772cf7df33 test: load chrome extension background utils across module modes 2026-02-22 18:29:20 +00:00
Peter Steinberger 2858901441 test(flaky): harden slow vmFork unit suites 
Co-authored-by: Ho Lim <166576253+HOYALIM@users.noreply.github.com>
 2026-02-22 19:08:59 +01:00
Peter Steinberger 9ea5228f42 fix(browser): recover stale remote target ids 
Co-authored-by: Ilya Strelov <10761735+strelov1@users.noreply.github.com>
 2026-02-22 19:08:38 +01:00
Peter Steinberger 1fe2043742 fix(browser): harden extension relay worker recovery 
Co-authored-by: codexGW <9350182+codexGW@users.noreply.github.com>
 2026-02-22 19:08:38 +01:00
Peter Steinberger 40494d67f2 fix(browser): harden extension relay reconnect race 
Co-authored-by: Ho Lim <166576253+HOYALIM@users.noreply.github.com>
 2026-02-22 19:08:38 +01:00
Peter Steinberger 78220db2be refactor(browser): dedupe control-server test harness 2026-02-22 17:54:51 +00:00
Peter Steinberger 296b19e413 test: dedupe gateway browser discord and channel coverage 2026-02-22 17:11:54 +00:00
Peter Steinberger f14ebd743c refactor(security): unify local-host and tailnet CIDR checks 2026-02-22 17:20:27 +01:00
tyler 9b23e5ce1f test: fix flaky auth tests when OPENCLAW_GATEWAY_TOKEN is present 2026-02-22 15:17:37 +01:00
Peter Steinberger 4a2492496e test: move browser and web auto-reply local suites out of e2e 2026-02-22 11:05:26 +00:00
Peter Steinberger 6c2e999776 refactor(security): unify secure id paths and guard weak patterns 2026-02-22 10:16:19 +01:00
Peter Steinberger ccc00d874c test(core): reduce mock reset overhead in targeted suites 2026-02-22 08:40:29 +00:00
Peter Steinberger 8a0a28763e test(core): reduce mock reset overhead across unit and e2e specs 2026-02-22 08:22:58 +00:00
Peter Steinberger 2557945a8d test(core): use lightweight clears in subagent and browser setup 2026-02-22 08:07:41 +00:00
Peter Steinberger 6e253096ed test(core): use lightweight clears in command and dispatch setup 2026-02-22 08:06:06 +00:00
Peter Steinberger 96674ca301 fix(ci): add explicit mock types in pw-session mock setup 2026-02-22 08:05:12 +00:00
Peter Steinberger 0194d50339 test: stabilize pw-session cdp mocking in parallel runs 2026-02-22 08:03:29 +00:00
Peter Steinberger 0c1a52307c fix: align draft/outbound typings and tests 2026-02-22 08:03:29 +00:00
Peter Steinberger d7f01c2c55 test(browser): use lightweight clears in server lifecycle setup 2026-02-22 08:01:15 +00:00
Peter Steinberger 639b2f5f5b test(browser): dedupe pw-session playwright mock wiring 2026-02-22 07:44:57 +00:00
Peter Steinberger 6bc753624f test(browser): dedupe generated-token persistence assertions 2026-02-22 07:44:57 +00:00
Peter Steinberger 4c8545ad53 test(browser): dedupe relay probe server scaffolding 2026-02-22 07:44:57 +00:00
Vignesh Natarajan 54e5f80424 Browser: accept canonical upload paths for symlinked roots 2026-02-21 21:54:57 -08:00
Peter Steinberger dfe0483d80 test(browser): table-drive scroll and click error rewrites 2026-02-21 23:58:33 +00:00
Peter Steinberger b1c50cc5c0 test(browser): tighten relay test watchdog timeouts 2026-02-21 23:07:58 +00:00
Peter Steinberger cc2ff68947 test: optimize gateway infra memory and security coverage 2026-02-21 21:44:50 +00:00
Peter Steinberger e2a50228a1 test(browser): dedupe chrome mocks and cover SIGKILL escalation 2026-02-21 21:40:39 +00:00
Peter Steinberger 59189750e4 test(browser): dedupe path fixture calls and cover root resolvers 2026-02-21 21:40:39 +00:00
Peter Steinberger 6fd31fc0b0 test(browser): dedupe invalid-path assertions and cover blank path rejection 2026-02-21 21:40:39 +00:00
Peter Steinberger ac6c344d9b test(browser): dedupe fixture lifecycle and cover directory-path rejection 2026-02-21 21:40:38 +00:00
Peter Steinberger e588e3cc20 refactor(test): standardize env helpers across suites 2026-02-21 19:13:46 +00:00
Peter Steinberger 764b1f2932 refactor: simplify relay runtime state 2026-02-21 19:31:30 +01:00
Peter Steinberger afa22acc4a fix: harden extension relay auth token flow 2026-02-21 19:24:42 +01:00
Peter Steinberger 8c1518f0f3 fix(sandbox): use one-time noVNC observer tokens 2026-02-21 13:56:58 +01:00
Peter Steinberger 4cd7d95746 style(browser): apply oxfmt cleanup for gate 2026-02-21 13:16:07 +01:00
Peter Steinberger 55aaeb5085 refactor(browser): centralize navigation guard enforcement 2026-02-21 11:46:11 +01:00