fix: deprecate hook query token auth (#2200) (thanks @YuriNachos)

This commit is contained in:
Peter Steinberger 2026-01-26 14:49:59 +00:00
parent 94f49f72ec
commit 627df67126
3 changed files with 11 additions and 10 deletions

View File

@ -6,6 +6,7 @@ Docs: https://docs.clawd.bot
Status: unreleased.
### Changes
- Gateway: warn on hook tokens via query params; document header auth preference. (#2200) Thanks @YuriNachos.
- Doctor: warn on gateway exposure without auth. (#2016) Thanks @Alex-Alaniz.
- Docs: add Vercel AI Gateway to providers sidebar. (#1901) Thanks @jerilynzheng.
- Agents: expand cron tool description with full schema docs. (#1988) Thanks @tomascupr.

View File

@ -27,10 +27,10 @@ Notes:
## Auth
Every request must include the hook token:
- `Authorization: Bearer <token>`
- or `x-clawdbot-token: <token>`
- or `?token=<token>`
Every request must include the hook token. Prefer headers:
- `Authorization: Bearer <token>` (recommended)
- `x-clawdbot-token: <token>`
- `?token=<token>` (deprecated; logs a warning and will be removed in a future major release)
## Endpoints

View File

@ -77,6 +77,12 @@ export function createHooksRequestHandler(
}
const { token, fromQuery } = extractHookToken(req, url);
if (!token || token !== hooksConfig.token) {
res.statusCode = 401;
res.setHeader("Content-Type", "text/plain; charset=utf-8");
res.end("Unauthorized");
return true;
}
if (fromQuery) {
logHooks.warn(
"Hook token provided via query parameter is deprecated for security reasons. " +
@ -84,12 +90,6 @@ export function createHooksRequestHandler(
"Use Authorization: Bearer <token> or X-Clawdbot-Token header instead.",
);
}
if (!token || token !== hooksConfig.token) {
res.statusCode = 401;
res.setHeader("Content-Type", "text/plain; charset=utf-8");
res.end("Unauthorized");
return true;
}
if (req.method !== "POST") {
res.statusCode = 405;