Add a new extension that gates sensitive tool calls (exec, Bash, Write, Edit, NotebookEdit) behind GitHub Device Flow authentication. Users must approve on GitHub Mobile or enter a code at github.com/login/device before the bot can execute dangerous operations. Key changes: - Wire up before_tool_call hook in tool execution path (tool-hook-wrapper.ts) - Create 2fa-github extension with: - GitHub Device Authorization Flow implementation - File-based session store with TTL (~/.clawdbot/2fa-sessions.json) - Non-blocking flow: returns immediately with code, user retries after approval - Configurable tool list and session TTL (default 30 min) Configuration: plugins.entries.2fa-github.config.clientId: "Ov23..." # or GITHUB_2FA_CLIENT_ID env var Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
/**
 * GitHub 2FA Gate Extension
 *
 * Gates sensitive tool calls behind GitHub's OAuth Device Authorization Flow.
 * Before the bot may run a gated tool (shell commands, file writes, notebook
 * edits, ...), the user must approve the pending request on GitHub Mobile or
 * enter the one-time user code at https://github.com/login/device. The flow is
 * non-blocking: the gated call returns immediately with the code and is retried
 * after approval. A successful approval is cached in a file-based session store
 * (~/.clawdbot/2fa-sessions.json) for `tokenTtlMinutes`; after that the next
 * gated call requires a fresh approval.
 *
 * Security notes:
 * - The client ID is public by design (device flow uses no client secret). The
 *   session store file, however, holds live approvals and must be readable only
 *   by the bot's user. NOTE(review): confirm the store is written with
 *   restrictive permissions (e.g. 0600).
 * - A device-flow approval only proves that *some* GitHub account approved the
 *   code. NOTE(review): confirm the hook pins the approving account (e.g. checks
 *   the token owner's login against an allowlist); otherwise anyone who sees the
 *   user code — including via a tool result surfaced to the model — could
 *   approve it from their own GitHub account.
 * - `sensitiveTools` is a denylist: a tool that is not listed is never gated.
 *   Prefer `gateAllTools: true` where the bot runs with broad permissions.
 *
 * Configuration (NOTE(review): the commit message gives the key path as
 * `plugins.entries.2fa-github.config.*`; confirm which layout the host reads):
 * ```yaml
 * plugins:
 *   2fa-github:
 *     enabled: true
 *     clientId: "Ov23..."     # OAuth App client ID (NOTE(review): an earlier
 *                             # example used an "Iv1." prefix, which GitHub
 *                             # assigns to GitHub Apps — confirm the app type)
 *     tokenTtlMinutes: 30
 *     sensitiveTools:
 *       - exec
 *       - Bash
 *       - Write
 *       - Edit
 *       - NotebookEdit
 *     gateAllTools: false
 * ```
 *
 * Or via environment variable:
 * ```bash
 * export GITHUB_2FA_CLIENT_ID="Ov23..."
 * ```
 *
 * GitHub OAuth App Setup:
 * 1. Go to GitHub Settings > Developer Settings > OAuth Apps
 * 2. Click "New OAuth App"
 * 3. Fill in application name and URLs (the callback URL is not used by device flow)
 * 4. IMPORTANT: Check "Enable Device Flow"
 * 5. Copy the Client ID (no client secret is needed for device flow)
 */
import type { MoltbotPluginApi } from "clawdbot/plugin-sdk";
import { register2FAHook } from "./src/hook.js";
import { twoFactorConfigSchema } from "./src/config.js";
/**
 * Plugin manifest for the GitHub 2FA gate.
 *
 * `register` installs the before-tool-call hook that enforces the gate and
 * exposes a small `2fa` CLI for inspecting and resetting session state. Only
 * the hook affects tool execution; the CLI is operator tooling.
 */
const plugin = {
  id: "2fa-github",
  name: "GitHub Mobile 2FA Gate",
  description: "Gates sensitive tools behind GitHub Mobile push authentication",
  configSchema: twoFactorConfigSchema,

  register(api: MoltbotPluginApi) {
    // The hook is the security boundary; everything below is operator tooling.
    register2FAHook(api);

    api.registerCli(
      ({ program }) => {
        const root = program.command("2fa").description("GitHub 2FA gate commands");

        root
          .command("status")
          .description("Show 2FA session status")
          .action(showStatus);

        root
          .command("clear")
          .description("Clear all 2FA sessions")
          .action(clearSessions);
      },
      { commands: ["2fa"] },
    );
  },
};

/**
 * Prints aggregate counts only; pending user codes and cached approvals are
 * never written to the console.
 */
async function showStatus(): Promise<void> {
  // Lazy import keeps the session store off the plugin's startup path.
  const { getStats } = await import("./src/session-store.js");
  const { sessionCount, pendingCount } = getStats();
  console.log(`Active sessions: ${sessionCount}`);
  console.log(`Pending verifications: ${pendingCount}`);
}

/**
 * Drops every cached approval and pending verification. This fails closed:
 * the next gated tool call must go through a fresh device-flow approval.
 */
async function clearSessions(): Promise<void> {
  const { clearAll } = await import("./src/session-store.js");
  clearAll();
  console.log("All 2FA sessions cleared");
}

export default plugin;
|