- Control UI: switch token/password from query params to URL fragments (#token=...)
- Auto-strips after first load, never logged in server access logs
- Added defense-in-depth headers (Referrer-Policy, X-Frame-Options, CSP, nosniff)
- macOS: "Open Dashboard" now uses fragments instead of query params
- CLI/onboarding: emit fragment links instead of query param links
- Plugin HTTP: /api/** now requires Gateway auth (fixes unauthenticated Nostr API)
- Added config toggle gateway.plugins.http.protectApiPaths (default: true)
- Control UI: sends Authorization header for Nostr profile save/import
- Android hardening:
  - WebView: disabled mixed content, multi-window, reduced file URL privileges
  - A2UI bridge: origin validation + 64KB payload cap
  - TLS: enabled hostname verification for DNS names
  - Archive extraction: block path traversal + symlink/hardlink entries
- Dependencies: upgraded tar 7.5.7, hono 4.11.7, added overrides for vulnerabilities

Breaking: Old ?token=... dashboard links no longer auto-auth; use #token=... instead
| summary | read_when |
|---|---|
| Gateway dashboard (Control UI) access and auth | |
Dashboard (Control UI)
The Gateway dashboard is the browser Control UI served at / by default
(override with gateway.controlUi.basePath).
Quick open (local Gateway):
Key references:
- Control UI for usage and UI capabilities.
- Tailscale for Serve/Funnel automation.
- Web surfaces for bind modes and security notes.
Authentication is enforced at the WebSocket handshake via connect.params.auth
(token or password). See gateway.auth in Gateway configuration.
Security note: the Control UI is an admin surface (chat, config, exec approvals).
Do not expose it publicly. The UI stores the token in localStorage after first load.
Prefer localhost, Tailscale Serve, or an SSH tunnel.
Fast path (recommended)
- After onboarding, the CLI now auto-opens the dashboard with your token and prints the same tokenized link.
- Re-open anytime: `moltbot dashboard` (copies link, opens browser if possible, shows SSH hint if headless).
- The token stays local (URL fragment only); the UI strips it after first load and saves it in localStorage.
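How a fragment-carried token stays on the client, as an added JavaScript example (not moltbot's own Control UI code): it parses `#token=`/`#password=` out of the fragment, stores the credential in localStorage, strips the fragment with history.replaceState, and shows why a `?token=` link reaches the server while a `#token=` link does not. `STORAGE_KEY` and the window-like object are assumptions for illustration.

```javascript
// Added example, not moltbot's own Control UI code. STORAGE_KEY and the
// window-like object passed to bootstrapAuth() are assumptions for illustration.
const STORAGE_KEY = "gateway.auth"; // hypothetical localStorage key

// Parse "#token=..." or "#password=..." out of a URL fragment. The fragment
// is read as a query string, so "#token=abc&x=y" still yields the token.
function parseAuthFragment(hash) {
  const params = new URLSearchParams(hash.startsWith("#") ? hash.slice(1) : hash);
  for (const kind of ["token", "password"]) {
    const value = params.get(kind);
    if (value) return { kind, value };
  }
  return null;
}

// Would the secret in this link be transmitted to the Gateway? A query string is
// part of the HTTP request line (and lands in access logs); a fragment never is.
function secretReachesServer(link) {
  const url = new URL(link);
  return url.searchParams.has("token") || url.searchParams.has("password");
}

// First-load bootstrap: persist the credential from the fragment, then strip the
// fragment so it is not left in the address bar or browser history.
function bootstrapAuth(win) {
  const auth = parseAuthFragment(win.location.hash);
  if (auth) {
    win.localStorage.setItem(STORAGE_KEY, JSON.stringify(auth));
    // Rewrite the current history entry to the fragment-free URL.
    win.history.replaceState(null, "", win.location.pathname + win.location.search);
  }
  const stored = win.localStorage.getItem(STORAGE_KEY);
  return stored ? JSON.parse(stored) : null; // what connect.params.auth is built from
}

// Constructed stand-in for window/localStorage/history so the logic runs outside
// a browser. In the real UI, pass the global `window` instead.
function fakeWindow(href) {
  const u = new URL(href);
  const store = new Map();
  const win = {
    location: { pathname: u.pathname, search: u.search, hash: u.hash },
    localStorage: { getItem: (k) => store.get(k) ?? null, setItem: (k, v) => store.set(k, String(v)) },
    history: { replaceState: (_state, _title, url) => {
      const n = new URL(url, u.origin);
      Object.assign(win.location, { pathname: n.pathname, search: n.search, hash: n.hash });
    } },
  };
  return win;
}
```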
Token basics (local vs remote)
- Localhost: open `http://127.0.0.1:18789/`. If you see “unauthorized,” run `moltbot dashboard` and use the tokenized link (`#token=...`).
- Token source: `gateway.auth.token` (or `CLAWDBOT_GATEWAY_TOKEN`); the UI stores it after first load.
- Not localhost: use Tailscale Serve (tokenless if `gateway.auth.allowTailscale: true`), tailnet bind with a token, or an SSH tunnel. See Web surfaces.
If you see “unauthorized” / 1008
- Run `moltbot dashboard` to get a fresh tokenized link.
- Ensure the gateway is reachable (local: `moltbot status`; remote: SSH tunnel `ssh -N -L 18789:127.0.0.1:18789 user@host`, then open `http://127.0.0.1:18789/#token=...`).
- In the dashboard settings, paste the same token you configured in `gateway.auth.token` (or `CLAWDBOT_GATEWAY_TOKEN`).