github/openclaw
1
1
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-02-19 18:39:20 -05:00
Code Issues Packages Projects Releases Wiki Activity

fix(doctor): reconcile gateway service token drift after re-pair

Browse Source 
`openclaw doctor` audited gateway service runtime/path settings but did not
check whether the daemon's `OPENCLAW_GATEWAY_TOKEN` matched
`gateway.auth.token` in `openclaw.json`.

After re-pairing or token rotation, the config token and service env token can
drift. The daemon may keep running with a stale service token, leading to
unauthorized handshake failures for cron/tool clients.

Add a gateway service audit check for token drift and pass
`cfg.gateway.auth.token` into service audits so doctor treats config as the
source of truth when deciding whether to reinstall the service.

Key design decisions:
- Use `gateway.auth.token` from `openclaw.json` as the authority for service
  token drift detection
- Only flag mismatch when an authoritative config token exists
- Keep fix in existing doctor service-repair flow (no separate migration step)
- Add focused tests for both audit mismatch behavior and doctor wiring

Fixes #18175
This commit is contained in:
norunners
2026-02-16 13:37:04 -08:00
committed by Peter Steinberger
parent 5f821ed067
commit d799a3994f
4 changed files with 179 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

117
src/commands/doctor-gateway-services.test.ts Normal file
View File

@@ -0,0 +1,117 @@
import { describe, expect, it, vi } from "vitest";
import type { OpenClawConfig } from "../config/config.js";
const mocks = vi.hoisted(() => ({
readCommand: vi.fn(),
install: vi.fn(),
auditGatewayServiceConfig: vi.fn(),
buildGatewayInstallPlan: vi.fn(),
resolveGatewayPort: vi.fn(() => 18789),
resolveIsNixMode: vi.fn(() => false),
note: vi.fn(),
}));
vi.mock("../config/paths.js", () => ({
resolveGatewayPort: mocks.resolveGatewayPort,
resolveIsNixMode: mocks.resolveIsNixMode,
}));
vi.mock("../daemon/inspect.js", () => ({
findExtraGatewayServices: vi.fn().mockResolvedValue([]),
renderGatewayServiceCleanupHints: vi.fn().mockReturnValue([]),
}));
vi.mock("../daemon/runtime-paths.js", () => ({
renderSystemNodeWarning: vi.fn().mockReturnValue(undefined),
resolveSystemNodeInfo: vi.fn().mockResolvedValue(null),
}));
vi.mock("../daemon/service-audit.js", () => ({
auditGatewayServiceConfig: mocks.auditGatewayServiceConfig,
needsNodeRuntimeMigration: vi.fn(() => false),
SERVICE_AUDIT_CODES: {
gatewayEntrypointMismatch: "gateway-entrypoint-mismatch",
},
}));
vi.mock("../daemon/service.js", () => ({
resolveGatewayService: () => ({
readCommand: mocks.readCommand,
install: mocks.install,
}),
}));
vi.mock("../terminal/note.js", () => ({
note: mocks.note,
}));
vi.mock("./daemon-install-helpers.js", () => ({
buildGatewayInstallPlan: mocks.buildGatewayInstallPlan,
}));
import { maybeRepairGatewayServiceConfig } from "./doctor-gateway-services.js";
describe("maybeRepairGatewayServiceConfig", () => {
it("treats gateway.auth.token as source of truth for service token repairs", async () => {
mocks.readCommand.mockResolvedValue({
programArguments: ["/usr/bin/node", "/usr/local/bin/openclaw", "gateway", "--port", "18789"],
environment: {
OPENCLAW_GATEWAY_TOKEN: "stale-token",
},
});
mocks.auditGatewayServiceConfig.mockResolvedValue({
ok: false,
issues: [
{
code: "gateway-token-mismatch",
message: "Gateway service OPENCLAW_GATEWAY_TOKEN does not match gateway.auth.token",
level: "recommended",
},
],
});
mocks.buildGatewayInstallPlan.mockResolvedValue({
programArguments: ["/usr/bin/node", "/usr/local/bin/openclaw", "gateway", "--port", "18789"],
workingDirectory: "/tmp",
environment: {
OPENCLAW_GATEWAY_TOKEN: "config-token",
},
});
mocks.install.mockResolvedValue(undefined);
const cfg: OpenClawConfig = {
gateway: {
auth: {
mode: "token",
token: "config-token",
},
},
};
await maybeRepairGatewayServiceConfig(
cfg,
"local",
{ log: vi.fn(), error: vi.fn(), exit: vi.fn() },
{
confirm: vi.fn().mockResolvedValue(true),
confirmRepair: vi.fn().mockResolvedValue(true),
confirmAggressive: vi.fn().mockResolvedValue(true),
confirmSkipInNonInteractive: vi.fn().mockResolvedValue(true),
select: vi.fn().mockResolvedValue("node"),
shouldRepair: false,
shouldForce: false,
},
);
expect(mocks.auditGatewayServiceConfig).toHaveBeenCalledWith(
expect.objectContaining({
expectedGatewayToken: "config-token",
}),
);
expect(mocks.buildGatewayInstallPlan).toHaveBeenCalledWith(
expect.objectContaining({
token: "config-token",
}),
);
expect(mocks.install).toHaveBeenCalledTimes(1);
});
});

1
src/commands/doctor-gateway-services.ts
View File

@@ -118,6 +118,7 @@ export async function maybeRepairGatewayServiceConfig(
const audit = await auditGatewayServiceConfig({
env: process.env,
command,
expectedGatewayToken: cfg.gateway?.auth?.token,
});
const needsNodeRuntime = needsNodeRuntimeMigration(audit.issues);
const systemNodeInfo = needsNodeRuntime

36
src/daemon/service-audit.test.ts
View File

@@ -60,4 +60,40 @@ describe("auditGatewayServiceConfig", () => {
audit.issues.some((issue) => issue.code === SERVICE_AUDIT_CODES.gatewayPathMissingDirs),
).toBe(false);
});
it("flags gateway token mismatch when service token is stale", async () => {
const audit = await auditGatewayServiceConfig({
env: { HOME: "/tmp" },
platform: "linux",
expectedGatewayToken: "new-token",
command: {
programArguments: ["/usr/bin/node", "gateway"],
environment: {
PATH: "/usr/local/bin:/usr/bin:/bin",
OPENCLAW_GATEWAY_TOKEN: "old-token",
},
},
});
expect(
audit.issues.some((issue) => issue.code === SERVICE_AUDIT_CODES.gatewayTokenMismatch),
).toBe(true);
});
it("does not flag gateway token mismatch when service token matches config token", async () => {
const audit = await auditGatewayServiceConfig({
env: { HOME: "/tmp" },
platform: "linux",
expectedGatewayToken: "new-token",
command: {
programArguments: ["/usr/bin/node", "gateway"],
environment: {
PATH: "/usr/local/bin:/usr/bin:/bin",
OPENCLAW_GATEWAY_TOKEN: "new-token",
},
},
});
expect(
audit.issues.some((issue) => issue.code === SERVICE_AUDIT_CODES.gatewayTokenMismatch),
).toBe(false);
});
});

25
src/daemon/service-audit.ts
View File

@@ -34,6 +34,7 @@ export const SERVICE_AUDIT_CODES = {
gatewayPathMissing: "gateway-path-missing",
gatewayPathMissingDirs: "gateway-path-missing-dirs",
gatewayPathNonMinimal: "gateway-path-nonminimal",
gatewayTokenMismatch: "gateway-token-mismatch",
gatewayRuntimeBun: "gateway-runtime-bun",
gatewayRuntimeNodeVersionManager: "gateway-runtime-node-version-manager",
gatewayRuntimeNodeSystemMissing: "gateway-runtime-node-system-missing",
@@ -200,6 +201,28 @@ function auditGatewayCommand(programArguments: string[] | undefined, issues: Ser
}
}
function auditGatewayToken(
command: GatewayServiceCommand,
issues: ServiceConfigIssue[],
expectedGatewayToken?: string,
) {
const expectedToken = expectedGatewayToken?.trim();
if (!expectedToken) {
return;
}
const serviceToken = command?.environment?.OPENCLAW_GATEWAY_TOKEN?.trim();
if (serviceToken === expectedToken) {
return;
}
issues.push({
code: SERVICE_AUDIT_CODES.gatewayTokenMismatch,
message:
"Gateway service OPENCLAW_GATEWAY_TOKEN does not match gateway.auth.token in openclaw.json",
detail: serviceToken ? "service token is stale" : "service token is missing",
level: "recommended",
});
}
function isNodeRuntime(execPath: string): boolean {
const base = path.basename(execPath).toLowerCase();
return base === "node" || base === "node.exe";
@@ -341,11 +364,13 @@ export async function auditGatewayServiceConfig(params: {
env: Record<string, string | undefined>;
command: GatewayServiceCommand;
platform?: NodeJS.Platform;
expectedGatewayToken?: string;
}): Promise<ServiceConfigAudit> {
const issues: ServiceConfigIssue[] = [];
const platform = params.platform ?? process.platform;
auditGatewayCommand(params.command?.programArguments, issues);
auditGatewayToken(params.command, issues, params.expectedGatewayToken);
auditGatewayServicePath(params.command, issues, params.env, platform);
await auditGatewayRuntime(params.env, params.command, issues, platform);