openclaw/src/gateway
Harald Buerbaumer 30b6eccae5
feat(gateway): add auth rate-limiting & brute-force protection (#15035)
* feat(gateway): add auth rate-limiting & brute-force protection

Add a per-IP sliding-window rate limiter to Gateway authentication
endpoints (HTTP, WebSocket upgrade, and WS message-level auth).

When gateway.auth.rateLimit is configured, failed auth attempts are
tracked per client IP. Once the threshold is exceeded within the
sliding window, further attempts are blocked with HTTP 429 + Retry-After
until the lockout period expires. Loopback addresses are exempt by
default so local CLI sessions are never locked out.

The limiter is only created when explicitly configured (undefined
otherwise), keeping the feature fully opt-in and backward-compatible.

* fix(gateway): isolate auth rate-limit scopes and normalize 429 responses

---------

Co-authored-by: buerbaumer <buerbaumer@users.noreply.github.com>
Co-authored-by: Peter Steinberger <steipete@gmail.com>
2026-02-13 15:32:38 +01:00
protocol fix: preserve inter-session input provenance (thanks @anbecker) 2026-02-13 02:02:01 +01:00
server feat(gateway): add auth rate-limiting & brute-force protection (#15035) 2026-02-13 15:32:38 +01:00
server-methods test: migrate suites to e2e coverage layout 2026-02-13 14:28:22 +00:00
assistant-identity.test.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
assistant-identity.ts feat(ui): add Agents dashboard 2026-02-02 21:31:17 -05:00
auth-rate-limit.test.ts feat(gateway): add auth rate-limiting & brute-force protection (#15035) 2026-02-13 15:32:38 +01:00
auth-rate-limit.ts feat(gateway): add auth rate-limiting & brute-force protection (#15035) 2026-02-13 15:32:38 +01:00
auth.test.ts feat(gateway): add auth rate-limiting & brute-force protection (#15035) 2026-02-13 15:32:38 +01:00
auth.ts feat(gateway): add auth rate-limiting & brute-force protection (#15035) 2026-02-13 15:32:38 +01:00
boot.test.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
boot.ts fix: fix(boot): use ephemeral session per boot to prevent stale context (openclaw#11764) thanks @mcinteerj 2026-02-12 09:41:43 -06:00
call.test.ts fix: context overflow compaction and subagent announce improvements (#11664) (thanks @tyler6204) 2026-02-07 20:02:32 -08:00
call.ts fix: context overflow compaction and subagent announce improvements (#11664) (thanks @tyler6204) 2026-02-07 20:02:32 -08:00
chat-abort.ts chore: Enable "curly" rule to avoid single-statement if confusion/errors. 2026-01-31 16:19:20 +09:00
chat-attachments.test.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
chat-attachments.ts fix(gateway): increase WebSocket max payload to 5 MB for image uploads (#14486) 2026-02-12 17:48:49 +01:00
chat-sanitize.test.ts fix: hide message_id hints in web chat 2026-01-24 13:52:31 +00:00
chat-sanitize.ts chore: Enable "curly" rule to avoid single-statement if confusion/errors. 2026-01-31 16:19:20 +09:00
client.e2e.test.ts test: migrate suites to e2e coverage layout 2026-02-13 14:28:22 +00:00
client.maxpayload.test.ts Gateway: enable canvas host + inject action bridge 2025-12-18 23:32:22 +01:00
client.ts chore: Enable `typescript/no-explicit-any` rule. 2026-02-02 16:18:09 +09:00
config-reload.test.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
config-reload.ts fix: ignore meta field changes in config file watcher (#13460) 2026-02-12 07:55:26 -06:00
control-ui-shared.ts chore: Enable "curly" rule to avoid single-statement if confusion/errors. 2026-01-31 16:19:20 +09:00
control-ui.test.ts fix: harden control ui framing + ws origin 2026-02-03 16:00:57 -08:00
control-ui.ts fix: harden control ui framing + ws origin 2026-02-03 16:00:57 -08:00
device-auth.ts feat: enforce device-bound connect challenge 2026-01-20 13:04:19 +00:00
exec-approval-manager.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
gateway-cli-backend.live.test.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
gateway-models.profiles.live.test.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
gateway.e2e.test.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
hooks-mapping.test.ts feat(hooks): add agentId support to webhook mappings (#13672) 2026-02-10 19:23:58 -05:00
hooks-mapping.ts feat(hooks): add agentId support to webhook mappings (#13672) 2026-02-10 19:23:58 -05:00
hooks.test.ts fix: harden hook session key routing defaults 2026-02-13 02:09:14 +01:00
hooks.ts fix: harden hook session key routing defaults 2026-02-13 02:09:14 +01:00
http-common.ts feat(gateway): add auth rate-limiting & brute-force protection (#15035) 2026-02-13 15:32:38 +01:00
http-utils.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
live-image-probe.ts refactor: consolidate PNG encoder and safeParseJson utilities (#12457) 2026-02-09 00:21:54 -08:00
net.test.ts fix(gateway): use LAN IP for WebSocket/probe URLs when bind=lan (#11448) 2026-02-07 19:16:51 -06:00
net.ts Update contributing, deduplicate more functions 2026-02-09 19:21:33 -08:00
node-command-policy.test.ts Gateway/Plugins: device pairing + phone control plugins (#11755) 2026-02-08 18:07:13 +01:00
node-command-policy.ts Gateway/Plugins: device pairing + phone control plugins (#11755) 2026-02-08 18:07:13 +01:00
node-registry.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
open-responses.schema.ts feat(gateway): implement OpenResponses /v1/responses endpoint phase 2 2026-01-20 07:37:01 +00:00
openai-http.e2e.test.ts feat(gateway): add auth rate-limiting & brute-force protection (#15035) 2026-02-13 15:32:38 +01:00
openai-http.ts feat(gateway): add auth rate-limiting & brute-force protection (#15035) 2026-02-13 15:32:38 +01:00
openresponses-http.e2e.test.ts fix: harden OpenResponses URL input fetching 2026-02-13 01:38:49 +01:00
openresponses-http.ts feat(gateway): add auth rate-limiting & brute-force protection (#15035) 2026-02-13 15:32:38 +01:00
openresponses-parity.e2e.test.ts test(gateway): add OpenResponses parity E2E tests 2026-01-20 07:37:01 +00:00
origin-check.test.ts fix: harden control ui framing + ws origin 2026-02-03 16:00:57 -08:00
origin-check.ts refactor: centralize isPlainObject, isRecord, isErrno, isLoopbackHost utilities (#12926) 2026-02-09 17:02:55 -08:00
probe.ts refactor: consolidate duplicate utility functions (#12439) 2026-02-08 23:59:43 -08:00
server-broadcast.test.ts TUI/Gateway: fix pi streaming + tool routing + model display + msg updating (#8432) 2026-02-04 17:12:16 -05:00
server-broadcast.ts TUI/Gateway: fix pi streaming + tool routing + model display + msg updating (#8432) 2026-02-04 17:12:16 -05:00
server-browser.ts chore: Enable "curly" rule to avoid single-statement if confusion/errors. 2026-01-31 16:19:20 +09:00
server-channels.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
server-chat-registry.test.ts test(gateway): cover helper registries 2026-01-03 19:37:09 +01:00
server-chat.agent-events.test.ts feat(gateway): stream thinking events and decouple tool events from verbose level (#10568) 2026-02-10 19:17:21 -06:00
server-chat.ts feat(gateway): stream thinking events and decouple tool events from verbose level (#10568) 2026-02-10 19:17:21 -06:00
server-close.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
server-constants.ts fix(gateway): increase WebSocket max payload to 5 MB for image uploads (#14486) 2026-02-12 17:48:49 +01:00
server-cron.ts fix(cron): pass agentId to runHeartbeatOnce for main-session jobs (#14140) 2026-02-11 22:22:29 -06:00
server-discovery-runtime.ts refactor: rename to openclaw 2026-01-30 03:16:21 +01:00
server-discovery.test.ts refactor: rename to openclaw 2026-01-30 03:16:21 +01:00
server-discovery.ts chore: Enable "curly" rule to avoid single-statement if confusion/errors. 2026-01-31 16:19:20 +09:00
server-http.ts feat(gateway): add auth rate-limiting & brute-force protection (#15035) 2026-02-13 15:32:38 +01:00
server-lanes.ts refactor: use command lane enum 2026-01-20 10:51:25 +00:00
server-maintenance.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
server-methods-list.ts feat(gateway): add agents.create/update/delete methods (#11045) 2026-02-07 16:47:58 -08:00
server-methods.ts feat(gateway): add agents.create/update/delete methods (#11045) 2026-02-07 16:47:58 -08:00
server-mobile-nodes.ts chore: Enable "curly" rule to avoid single-statement if confusion/errors. 2026-01-31 16:19:20 +09:00
server-model-catalog.ts refactor(gateway): split server runtime 2026-01-14 09:11:21 +00:00
server-node-events-types.ts refactor: remove bridge protocol 2026-01-19 10:08:29 +00:00
server-node-events.test.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
server-node-events.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
server-node-subscriptions.test.ts chore: Enable more lint rules, disable some that trigger a lot. Will clean up later. 2026-01-31 16:04:04 +09:00
server-node-subscriptions.ts chore: Enable "curly" rule to avoid single-statement if confusion/errors. 2026-01-31 16:19:20 +09:00
server-plugins.test.ts refactor: rename to openclaw 2026-01-30 03:16:21 +01:00
server-plugins.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
server-reload-handlers.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
server-restart-sentinel.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
server-runtime-config.ts fix(ui): fix web UI after tsdown migration and typing changes 2026-02-03 13:56:20 -05:00
server-runtime-state.ts feat(gateway): add auth rate-limiting & brute-force protection (#15035) 2026-02-13 15:32:38 +01:00
server-session-key.ts chore: Enable "curly" rule to avoid single-statement if confusion/errors. 2026-01-31 16:19:20 +09:00
server-shared.ts refactor(gateway): split server helpers 2026-01-03 19:37:09 +01:00
server-startup-log.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
server-startup-memory.test.ts Gateway: eager-init QMD backend on startup 2026-02-09 23:58:34 -08:00
server-startup-memory.ts Gateway: eager-init QMD backend on startup 2026-02-09 23:58:34 -08:00
server-startup.ts Gateway: eager-init QMD backend on startup 2026-02-09 23:58:34 -08:00
server-tailscale.ts chore: migrate to oxlint and oxfmt 2026-01-14 15:02:19 +00:00
server-utils.test.ts chore: migrate to oxlint and oxfmt 2026-01-14 15:02:19 +00:00
server-utils.ts chore: Enable "curly" rule to avoid single-statement if confusion/errors. 2026-01-31 16:19:20 +09:00
server-wizard-sessions.ts chore: Enable "curly" rule to avoid single-statement if confusion/errors. 2026-01-31 16:19:20 +09:00
server-ws-runtime.ts feat(gateway): add auth rate-limiting & brute-force protection (#15035) 2026-02-13 15:32:38 +01:00
server.agent.gateway-server-agent-a.e2e.test.ts chore: Enable "curly" rule to avoid single-statement if confusion/errors. 2026-01-31 16:19:20 +09:00
server.agent.gateway-server-agent-b.e2e.test.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
server.auth.e2e.test.ts feat(gateway): add auth rate-limiting & brute-force protection (#15035) 2026-02-13 15:32:38 +01:00
server.canvas-auth.e2e.test.ts feat(gateway): add auth rate-limiting & brute-force protection (#15035) 2026-02-13 15:32:38 +01:00
server.channels.e2e.test.ts feat: Add Line plugin (#1630) 2026-01-25 12:22:36 +00:00
server.chat.gateway-server-chat-b.e2e.test.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
server.chat.gateway-server-chat.e2e.test.ts TUI/Gateway: fix pi streaming + tool routing + model display + msg updating (#8432) 2026-02-04 17:12:16 -05:00
server.config-apply.e2e.test.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
server.config-patch.e2e.test.ts security: redact credentials from config.get gateway responses (#9858) 2026-02-05 16:34:48 -08:00
server.cron.e2e.test.ts fix: cron scheduler reliability, store hardening, and UX improvements (#10776) 2026-02-06 18:03:03 -08:00
server.health.e2e.test.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
server.hooks.e2e.test.ts fix: harden hook session key routing defaults 2026-02-13 02:09:14 +01:00
server.impl.ts feat(gateway): add auth rate-limiting & brute-force protection (#15035) 2026-02-13 15:32:38 +01:00
server.ios-client-id.e2e.test.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
server.models-voicewake-misc.e2e.test.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
server.nodes.late-invoke.test.ts perf(test): optimize heavy suites and stabilize lock timing 2026-02-13 13:29:07 +00:00
server.plugin-http-auth.test.ts fix: Unauthenticated Nostr profile API allows remote config tampering (#13719) 2026-02-12 07:55:22 -06:00
server.reload.e2e.test.ts chore: Enable more lint rules, disable some that trigger a lot. Will clean up later. 2026-01-31 16:04:04 +09:00
server.roles-allowlist-update.e2e.test.ts fix(update): honor update.channel for update.run 2026-02-03 17:57:55 -08:00
server.sessions-send.e2e.test.ts fix: preserve inter-session input provenance (thanks @anbecker) 2026-02-13 02:02:01 +01:00
server.sessions.gateway-server-sessions-a.e2e.test.ts fix: /status shows incorrect context percentage — totalTokens clamped to contextTokens (#15114) (#15133) 2026-02-12 23:52:19 -05:00
server.ts chore: migrate to oxlint and oxfmt 2026-01-14 15:02:19 +00:00
session-utils.fs.test.ts fix(ci): resolve windows test path assertion and sync protocol swift models 2026-02-13 02:39:34 +01:00
session-utils.fs.ts fix: preserve inter-session input provenance (thanks @anbecker) 2026-02-13 02:02:01 +01:00
session-utils.test.ts fix: /status shows incorrect context percentage — totalTokens clamped to contextTokens (#15114) (#15133) 2026-02-12 23:52:19 -05:00
session-utils.ts fix: /status shows incorrect context percentage — totalTokens clamped to contextTokens (#15114) (#15133) 2026-02-12 23:52:19 -05:00
session-utils.types.ts fix: /status shows incorrect context percentage — totalTokens clamped to contextTokens (#15114) (#15133) 2026-02-12 23:52:19 -05:00
sessions-patch.test.ts test: lock /think off persistence (#9564) 2026-02-09 16:08:15 -08:00
sessions-patch.ts Fix: Honor `/think off` for reasoning-capable models 2026-02-09 16:08:15 -08:00
sessions-resolve.ts refactor: rename to openclaw 2026-01-30 03:16:21 +01:00
test-helpers.e2e.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
test-helpers.mocks.ts security: redact credentials from config.get gateway responses (#9858) 2026-02-05 16:34:48 -08:00
test-helpers.openai-mock.ts chore: Enable "curly" rule to avoid single-statement if confusion/errors. 2026-01-31 16:19:20 +09:00
test-helpers.server.ts fix(gateway): default-deny missing connect scopes 2026-02-11 12:04:30 +01:00
test-helpers.ts refactor(src): split oversized modules 2026-01-14 01:17:56 +00:00
tools-invoke-http.test.ts fix: close OC-02 gaps in ACP permission + gateway HTTP deny config (#15390) (thanks @aether-ai-agent) 2026-02-13 14:30:06 +01:00
tools-invoke-http.ts feat(gateway): add auth rate-limiting & brute-force protection (#15035) 2026-02-13 15:32:38 +01:00
ws-log.test.ts fix: add agent context to ws logs 2026-01-17 20:37:36 +00:00
ws-log.ts chore: Enable "experimentalSortImports" in Oxfmt and reformat all imports. 2026-02-01 10:03:47 +09:00
ws-logging.ts Gateway: optimize ws logs in normal mode 2025-12-18 13:27:52 +00:00