From 190a74baeabb6563b269a860dee7069bc5235a40 Mon Sep 17 00:00:00 2001 From: Rodrigo Uroz Date: Thu, 29 Jan 2026 14:58:36 -0300 Subject: [PATCH] fix(gateway): add autoApprove to Zod config schema The TypeScript type was added but the Zod validation schema was missing, causing config validation to reject the autoApprove field. Co-Authored-By: Claude Opus 4.5 --- src/config/zod-schema.ts | 10 ++++++++++ src/gateway/net.test.ts | 6 ++++++ src/gateway/net.ts | 3 ++- src/gateway/server/ws-connection/message-handler.ts | 3 ++- 4 files changed, 20 insertions(+), 2 deletions(-) diff --git a/src/config/zod-schema.ts b/src/config/zod-schema.ts index ce4115517..e1f4beb9b 100644 --- a/src/config/zod-schema.ts +++ b/src/config/zod-schema.ts @@ -439,6 +439,16 @@ export const MoltbotSchema = z .optional(), allowCommands: z.array(z.string()).optional(), denyCommands: z.array(z.string()).optional(), + autoApprove: z + .object({ + enabled: z.boolean().optional(), + roles: z.array(z.string()).optional(), + ipAllowlist: z.array(z.string()).optional(), + requireToken: z.boolean().optional(), + auditLog: z.boolean().optional(), + }) + .strict() + .optional(), }) .strict() .optional(), diff --git a/src/gateway/net.test.ts b/src/gateway/net.test.ts index 50db59021..9f0fd0dbe 100644 --- a/src/gateway/net.test.ts +++ b/src/gateway/net.test.ts @@ -75,6 +75,12 @@ describe("isIpv4InCidr", () => { expect(isIpv4InCidr("10.0.0.1", "invalid")).toBe(false); expect(isIpv4InCidr("10.0.0.1", "10.0.0.0")).toBe(false); }); + + it("returns false for invalid IPv4 input", () => { + expect(isIpv4InCidr("999.0.0.1", "10.0.0.0/8")).toBe(false); + expect(isIpv4InCidr("10.0.0.1", "999.0.0.0/8")).toBe(false); + expect(isIpv4InCidr("10.0.0.256", "10.0.0.0/8")).toBe(false); + }); }); describe("isValidCidr", () => { diff --git a/src/gateway/net.ts b/src/gateway/net.ts index 5d51fd013..1f9de6400 100644 --- a/src/gateway/net.ts +++ b/src/gateway/net.ts @@ -197,10 +197,11 @@ function ipv4ToNumber(ip: string): number { * @returns True if the IP is within the CIDR range */ export function isIpv4InCidr(ip: string, cidr: string): boolean { + if (!isValidIPv4(ip)) return false; + if (!isValidCidr(cidr)) return false; const [range, bitsStr] = cidr.split("/"); if (!range || !bitsStr) return false; const bits = parseInt(bitsStr, 10); - if (Number.isNaN(bits) || bits < 0 || bits > 32) return false; const ipNum = ipv4ToNumber(ip); const rangeNum = ipv4ToNumber(range); diff --git a/src/gateway/server/ws-connection/message-handler.ts b/src/gateway/server/ws-connection/message-handler.ts index 39bae7435..5f6053f7f 100644 --- a/src/gateway/server/ws-connection/message-handler.ts +++ b/src/gateway/server/ws-connection/message-handler.ts @@ -626,6 +626,7 @@ export function attachGatewayWsMessageHandler(params: { return; } + const tokenAuthOk = authMethod === "token" || authMethod === "device-token"; const skipPairing = allowControlUiBypass && hasSharedAuth; if (device && devicePublicKey && !skipPairing) { // Auto-approve logic with security checks @@ -647,7 +648,7 @@ export function attachGatewayWsMessageHandler(params: { } // Check token is valid (if required, which is the default) - if (autoApproveConfig.requireToken !== false && !authOk) return false; + if (autoApproveConfig.requireToken !== false && !tokenAuthOk) return false; return true; })();