diff --git a/CHANGELOG.md b/CHANGELOG.md index 0c7e77e45..4e9d8553e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ Docs: https://docs.clawd.bot Status: unreleased. ### Changes +- Gateway: warn on hook tokens via query params; document header auth preference. (#2200) Thanks @YuriNachos. - Doctor: warn on gateway exposure without auth. (#2016) Thanks @Alex-Alaniz. - Docs: add Vercel AI Gateway to providers sidebar. (#1901) Thanks @jerilynzheng. - Agents: expand cron tool description with full schema docs. (#1988) Thanks @tomascupr. diff --git a/docs/automation/webhook.md b/docs/automation/webhook.md index 4fbf6bf50..12fc6b92a 100644 --- a/docs/automation/webhook.md +++ b/docs/automation/webhook.md @@ -27,10 +27,10 @@ Notes: ## Auth -Every request must include the hook token: -- `Authorization: Bearer ` -- or `x-clawdbot-token: ` -- or `?token=` +Every request must include the hook token. Prefer headers: +- `Authorization: Bearer ` (recommended) +- `x-clawdbot-token: ` +- `?token=` (deprecated; logs a warning and will be removed in a future major release) ## Endpoints diff --git a/src/gateway/server-http.ts b/src/gateway/server-http.ts index 17b4b0d7f..08415f346 100644 --- a/src/gateway/server-http.ts +++ b/src/gateway/server-http.ts @@ -77,6 +77,12 @@ export function createHooksRequestHandler( } const { token, fromQuery } = extractHookToken(req, url); + if (!token || token !== hooksConfig.token) { + res.statusCode = 401; + res.setHeader("Content-Type", "text/plain; charset=utf-8"); + res.end("Unauthorized"); + return true; + } if (fromQuery) { logHooks.warn( "Hook token provided via query parameter is deprecated for security reasons. " + @@ -84,12 +90,6 @@ export function createHooksRequestHandler( "Use Authorization: Bearer or X-Clawdbot-Token header instead.", ); } - if (!token || token !== hooksConfig.token) { - res.statusCode = 401; - res.setHeader("Content-Type", "text/plain; charset=utf-8"); - res.end("Unauthorized"); - return true; - } if (req.method !== "POST") { res.statusCode = 405;