fix(gateway): add autoApprove to Zod config schema

The TypeScript type was added but the Zod validation schema was missing, causing config validation to reject the autoApprove field. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-29 14:58:36 -03:00 · 2026-01-29 14:58:36 -03:00 · 190a74baea
commit 190a74baea
parent bb71224dad
4 changed files with 20 additions and 2 deletions
--- a/src/config/zod-schema.ts
+++ b/src/config/zod-schema.ts
@ -439,6 +439,16 @@ export const MoltbotSchema = z
              .optional(),
            allowCommands: z.array(z.string()).optional(),
            denyCommands: z.array(z.string()).optional(),
+            autoApprove: z
+              .object({
+                enabled: z.boolean().optional(),
+                roles: z.array(z.string()).optional(),
+                ipAllowlist: z.array(z.string()).optional(),
+                requireToken: z.boolean().optional(),
+                auditLog: z.boolean().optional(),
+              })
+              .strict()
+              .optional(),
          })
          .strict()
          .optional(),
--- a/src/gateway/net.test.ts
+++ b/src/gateway/net.test.ts
@ -75,6 +75,12 @@ describe("isIpv4InCidr", () => {
    expect(isIpv4InCidr("10.0.0.1", "invalid")).toBe(false);
    expect(isIpv4InCidr("10.0.0.1", "10.0.0.0")).toBe(false);
  });
+
+  it("returns false for invalid IPv4 input", () => {
+    expect(isIpv4InCidr("999.0.0.1", "10.0.0.0/8")).toBe(false);
+    expect(isIpv4InCidr("10.0.0.1", "999.0.0.0/8")).toBe(false);
+    expect(isIpv4InCidr("10.0.0.256", "10.0.0.0/8")).toBe(false);
+  });
 });

 describe("isValidCidr", () => {
--- a/src/gateway/net.ts
+++ b/src/gateway/net.ts
@ -197,10 +197,11 @@ function ipv4ToNumber(ip: string): number {
 * @returns True if the IP is within the CIDR range
 */
 export function isIpv4InCidr(ip: string, cidr: string): boolean {
+  if (!isValidIPv4(ip)) return false;
+  if (!isValidCidr(cidr)) return false;
  const [range, bitsStr] = cidr.split("/");
  if (!range || !bitsStr) return false;
  const bits = parseInt(bitsStr, 10);
-  if (Number.isNaN(bits) || bits < 0 || bits > 32) return false;

  const ipNum = ipv4ToNumber(ip);
  const rangeNum = ipv4ToNumber(range);
--- a/src/gateway/server/ws-connection/message-handler.ts
+++ b/src/gateway/server/ws-connection/message-handler.ts
@ -626,6 +626,7 @@ export function attachGatewayWsMessageHandler(params: {
          return;
        }

+        const tokenAuthOk = authMethod === "token" || authMethod === "device-token";
        const skipPairing = allowControlUiBypass && hasSharedAuth;
        if (device && devicePublicKey && !skipPairing) {
          // Auto-approve logic with security checks
@ -647,7 +648,7 @@ export function attachGatewayWsMessageHandler(params: {
            }

            // Check token is valid (if required, which is the default)
-            if (autoApproveConfig.requireToken !== false && !authOk) return false;
+            if (autoApproveConfig.requireToken !== false && !tokenAuthOk) return false;

            return true;
          })();