fix: deprecate hook query token auth (#2200) (thanks @YuriNachos)
This commit is contained in:
parent
94f49f72ec
commit
627df67126
@ -6,6 +6,7 @@ Docs: https://docs.clawd.bot
|
|||||||
Status: unreleased.
|
Status: unreleased.
|
||||||
|
|
||||||
### Changes
|
### Changes
|
||||||
|
- Gateway: warn on hook tokens via query params; document header auth preference. (#2200) Thanks @YuriNachos.
|
||||||
- Doctor: warn on gateway exposure without auth. (#2016) Thanks @Alex-Alaniz.
|
- Doctor: warn on gateway exposure without auth. (#2016) Thanks @Alex-Alaniz.
|
||||||
- Docs: add Vercel AI Gateway to providers sidebar. (#1901) Thanks @jerilynzheng.
|
- Docs: add Vercel AI Gateway to providers sidebar. (#1901) Thanks @jerilynzheng.
|
||||||
- Agents: expand cron tool description with full schema docs. (#1988) Thanks @tomascupr.
|
- Agents: expand cron tool description with full schema docs. (#1988) Thanks @tomascupr.
|
||||||
|
|||||||
@ -27,10 +27,10 @@ Notes:
|
|||||||
|
|
||||||
## Auth
|
## Auth
|
||||||
|
|
||||||
Every request must include the hook token:
|
Every request must include the hook token. Prefer headers:
|
||||||
- `Authorization: Bearer <token>`
|
- `Authorization: Bearer <token>` (recommended)
|
||||||
- or `x-clawdbot-token: <token>`
|
- `x-clawdbot-token: <token>`
|
||||||
- or `?token=<token>`
|
- `?token=<token>` (deprecated; logs a warning and will be removed in a future major release)
|
||||||
|
|
||||||
## Endpoints
|
## Endpoints
|
||||||
|
|
||||||
|
|||||||
@ -77,6 +77,12 @@ export function createHooksRequestHandler(
|
|||||||
}
|
}
|
||||||
|
|
||||||
const { token, fromQuery } = extractHookToken(req, url);
|
const { token, fromQuery } = extractHookToken(req, url);
|
||||||
|
if (!token || token !== hooksConfig.token) {
|
||||||
|
res.statusCode = 401;
|
||||||
|
res.setHeader("Content-Type", "text/plain; charset=utf-8");
|
||||||
|
res.end("Unauthorized");
|
||||||
|
return true;
|
||||||
|
}
|
||||||
if (fromQuery) {
|
if (fromQuery) {
|
||||||
logHooks.warn(
|
logHooks.warn(
|
||||||
"Hook token provided via query parameter is deprecated for security reasons. " +
|
"Hook token provided via query parameter is deprecated for security reasons. " +
|
||||||
@ -84,12 +90,6 @@ export function createHooksRequestHandler(
|
|||||||
"Use Authorization: Bearer <token> or X-Clawdbot-Token header instead.",
|
"Use Authorization: Bearer <token> or X-Clawdbot-Token header instead.",
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
if (!token || token !== hooksConfig.token) {
|
|
||||||
res.statusCode = 401;
|
|
||||||
res.setHeader("Content-Type", "text/plain; charset=utf-8");
|
|
||||||
res.end("Unauthorized");
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (req.method !== "POST") {
|
if (req.method !== "POST") {
|
||||||
res.statusCode = 405;
|
res.statusCode = 405;
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user