admin/DeskClaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore(deps): update dependencies and devDependencies in package.json (#100)

Browse Source
This commit is contained in:
Haze
2026-02-18 20:28:42 +08:00
committed by GitHub
Unverified
parent 26ce009a41
commit 5005d405d9
4 changed files with 1270 additions and 1008 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
electron/gateway/manager.ts
View File

@@ -22,6 +22,13 @@ import { GatewayEventType, JsonRpcNotification, isNotification, isResponse } fro
import { logger } from '../utils/logger';
import { getUvMirrorEnv } from '../utils/uv-env';
import { isPythonReady, setupManagedPython } from '../utils/uv-setup';
import {
loadOrCreateDeviceIdentity,
signDevicePayload,
publicKeyRawBase64UrlFromPem,
buildDeviceAuthPayload,
type DeviceIdentity,
} from '../utils/device-identity';
/**
* Gateway connection status
@@ -120,10 +127,22 @@ export class GatewayManager extends EventEmitter {
reject: (error: Error) => void;
timeout: NodeJS.Timeout;
}> = new Map();
private deviceIdentity: DeviceIdentity | null = null;
constructor(config?: Partial<ReconnectConfig>) {
super();
this.reconnectConfig = { ...DEFAULT_RECONNECT_CONFIG, ...config };
this.initDeviceIdentity();
}
private initDeviceIdentity(): void {
try {
const identityPath = path.join(app.getPath('userData'), 'clawx-device-identity.json');
this.deviceIdentity = loadOrCreateDeviceIdentity(identityPath);
logger.debug(`Device identity loaded (deviceId=${this.deviceIdentity.deviceId})`);
} catch (err) {
logger.warn('Failed to load device identity, scopes will be limited:', err);
}
}
private sanitizeSpawnArgs(args: string[]): string[] {
@@ -757,7 +776,34 @@ export class GatewayManager extends EventEmitter {
// Send proper connect handshake as required by OpenClaw Gateway protocol
// The Gateway expects: { type: "req", id: "...", method: "connect", params: ConnectParams }
// Since 2026.2.15, scopes are only granted when a signed device identity is included.
connectId = `connect-${Date.now()}`;
const role = 'operator';
const scopes = ['operator.admin'];
const signedAtMs = Date.now();
const clientId = 'gateway-client';
const clientMode = 'ui';
const device = (() => {
if (!this.deviceIdentity) return undefined;
const payload = buildDeviceAuthPayload({
deviceId: this.deviceIdentity.deviceId,
clientId,
clientMode,
role,
scopes,
signedAtMs,
token: gatewayToken ?? null,
});
const signature = signDevicePayload(this.deviceIdentity.privateKeyPem, payload);
return {
id: this.deviceIdentity.deviceId,
publicKey: publicKeyRawBase64UrlFromPem(this.deviceIdentity.publicKeyPem),
signature,
signedAt: signedAtMs,
};
})();
const connectFrame = {
type: 'req',
id: connectId,
@@ -766,18 +812,19 @@ export class GatewayManager extends EventEmitter {
minProtocol: 3,
maxProtocol: 3,
client: {
id: 'gateway-client',
id: clientId,
displayName: 'ClawX',
version: '0.1.0',
platform: process.platform,
mode: 'ui',
mode: clientMode,
},
auth: {
token: gatewayToken,
},
caps: [],
role: 'operator',
scopes: [],
role,
scopes,
device,
},
};

128
electron/utils/device-identity.ts Normal file
View File

@@ -0,0 +1,128 @@
/**
* Device identity utilities for OpenClaw Gateway authentication.
*
* OpenClaw Gateway 2026.2.15+ requires a signed device identity in the
* connect handshake to grant scopes (operator.read, operator.write, etc.).
* Without a device, the gateway strips all requested scopes.
*/
import crypto from 'crypto';
import fs from 'fs';
import path from 'path';
export interface DeviceIdentity {
deviceId: string;
publicKeyPem: string;
privateKeyPem: string;
}
export interface DeviceAuthPayloadParams {
deviceId: string;
clientId: string;
clientMode: string;
role: string;
scopes: string[];
signedAtMs: number;
token?: string | null;
nonce?: string | null;
version?: 'v1' | 'v2';
}
const ED25519_SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex');
function base64UrlEncode(buf: Buffer): string {
return buf.toString('base64').replaceAll('+', '-').replaceAll('/', '_').replace(/=+$/g, '');
}
function derivePublicKeyRaw(publicKeyPem: string): Buffer {
const spki = crypto.createPublicKey(publicKeyPem).export({ type: 'spki', format: 'der' }) as Buffer;
if (
spki.length === ED25519_SPKI_PREFIX.length + 32 &&
spki.subarray(0, ED25519_SPKI_PREFIX.length).equals(ED25519_SPKI_PREFIX)
) {
return spki.subarray(ED25519_SPKI_PREFIX.length);
}
return spki;
}
function fingerprintPublicKey(publicKeyPem: string): string {
const raw = derivePublicKeyRaw(publicKeyPem);
return crypto.createHash('sha256').update(raw).digest('hex');
}
function generateIdentity(): DeviceIdentity {
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const publicKeyPem = (publicKey.export({ type: 'spki', format: 'pem' }) as Buffer).toString();
const privateKeyPem = (privateKey.export({ type: 'pkcs8', format: 'pem' }) as Buffer).toString();
return {
deviceId: fingerprintPublicKey(publicKeyPem),
publicKeyPem,
privateKeyPem,
};
}
/**
* Load device identity from disk, or create and persist a new one.
* The identity file is stored at `filePath` with mode 0o600.
*/
export function loadOrCreateDeviceIdentity(filePath: string): DeviceIdentity {
try {
if (fs.existsSync(filePath)) {
const raw = fs.readFileSync(filePath, 'utf8');
const parsed = JSON.parse(raw);
if (
parsed?.version === 1 &&
typeof parsed.deviceId === 'string' &&
typeof parsed.publicKeyPem === 'string' &&
typeof parsed.privateKeyPem === 'string'
) {
const derivedId = fingerprintPublicKey(parsed.publicKeyPem);
if (derivedId && derivedId !== parsed.deviceId) {
const updated = { ...parsed, deviceId: derivedId };
fs.writeFileSync(filePath, `${JSON.stringify(updated, null, 2)}\n`, { mode: 0o600 });
return { deviceId: derivedId, publicKeyPem: parsed.publicKeyPem, privateKeyPem: parsed.privateKeyPem };
}
return { deviceId: parsed.deviceId, publicKeyPem: parsed.publicKeyPem, privateKeyPem: parsed.privateKeyPem };
}
}
} catch {
// fall through to create a new identity
}
const identity = generateIdentity();
const dir = path.dirname(filePath);
if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
const stored = { version: 1, ...identity, createdAtMs: Date.now() };
fs.writeFileSync(filePath, `${JSON.stringify(stored, null, 2)}\n`, { mode: 0o600 });
try { fs.chmodSync(filePath, 0o600); } catch { /* ignore */ }
return identity;
}
/** Sign a string payload with the Ed25519 private key, returns base64url signature. */
export function signDevicePayload(privateKeyPem: string, payload: string): string {
const key = crypto.createPrivateKey(privateKeyPem);
return base64UrlEncode(crypto.sign(null, Buffer.from(payload, 'utf8'), key));
}
/** Encode the raw Ed25519 public key bytes (from PEM) as base64url. */
export function publicKeyRawBase64UrlFromPem(publicKeyPem: string): string {
return base64UrlEncode(derivePublicKeyRaw(publicKeyPem));
}
/** Build the canonical payload string that must be signed for device auth. */
export function buildDeviceAuthPayload(params: DeviceAuthPayloadParams): string {
const version = params.version ?? (params.nonce ? 'v2' : 'v1');
const scopes = params.scopes.join(',');
const token = params.token ?? '';
const base = [
version,
params.deviceId,
params.clientId,
params.clientMode,
params.role,
scopes,
String(params.signedAtMs),
token,
];
if (version === 'v2') base.push(params.nonce ?? '');
return base.join('|');
}