fix: deprecate hook query token auth (#2200) (thanks @YuriNachos)

This commit is contained in:
Peter Steinberger 2026-01-26 14:49:59 +00:00
parent 94f49f72ec
commit 627df67126
3 changed files with 11 additions and 10 deletions

View File

@ -6,6 +6,7 @@ Docs: https://docs.clawd.bot
Status: unreleased. Status: unreleased.
### Changes ### Changes
- Gateway: warn on hook tokens via query params; document header auth preference. (#2200) Thanks @YuriNachos.
- Doctor: warn on gateway exposure without auth. (#2016) Thanks @Alex-Alaniz. - Doctor: warn on gateway exposure without auth. (#2016) Thanks @Alex-Alaniz.
- Docs: add Vercel AI Gateway to providers sidebar. (#1901) Thanks @jerilynzheng. - Docs: add Vercel AI Gateway to providers sidebar. (#1901) Thanks @jerilynzheng.
- Agents: expand cron tool description with full schema docs. (#1988) Thanks @tomascupr. - Agents: expand cron tool description with full schema docs. (#1988) Thanks @tomascupr.

View File

@ -27,10 +27,10 @@ Notes:
## Auth ## Auth
Every request must include the hook token: Every request must include the hook token. Prefer headers:
- `Authorization: Bearer <token>` - `Authorization: Bearer <token>` (recommended)
- or `x-clawdbot-token: <token>` - `x-clawdbot-token: <token>`
- or `?token=<token>` - `?token=<token>` (deprecated; logs a warning and will be removed in a future major release)
## Endpoints ## Endpoints

View File

@ -77,6 +77,12 @@ export function createHooksRequestHandler(
} }
const { token, fromQuery } = extractHookToken(req, url); const { token, fromQuery } = extractHookToken(req, url);
if (!token || token !== hooksConfig.token) {
res.statusCode = 401;
res.setHeader("Content-Type", "text/plain; charset=utf-8");
res.end("Unauthorized");
return true;
}
if (fromQuery) { if (fromQuery) {
logHooks.warn( logHooks.warn(
"Hook token provided via query parameter is deprecated for security reasons. " + "Hook token provided via query parameter is deprecated for security reasons. " +
@ -84,12 +90,6 @@ export function createHooksRequestHandler(
"Use Authorization: Bearer <token> or X-Clawdbot-Token header instead.", "Use Authorization: Bearer <token> or X-Clawdbot-Token header instead.",
); );
} }
if (!token || token !== hooksConfig.token) {
res.statusCode = 401;
res.setHeader("Content-Type", "text/plain; charset=utf-8");
res.end("Unauthorized");
return true;
}
if (req.method !== "POST") { if (req.method !== "POST") {
res.statusCode = 405; res.statusCode = 405;