Spracherkennung für: .ts vermutete Sprache: Unknown {[0] [0] [0]} [Methode: Schwerpunktbildung, einfache Gewichte, sechs Dimensionen]
import { formatCliCommand } from "../cli/command-format.js";
import type { ConfigWriteOptions } from "../config/io.js";
import type { OpenClawConfig } from "../config/types.js";
import type { ConfigFileSnapshot } from "../config/types.openclaw.js";
import { resolveSecretInputRef } from "../config/types.secrets.js";
import { shouldRequireGatewayTokenForInstall } from "../gateway/auth-install-policy.js";
import { hasAmbiguousGatewayAuthModeConfig } from "../gateway/auth-mode-policy.js";
import { resolveGatewayAuthToken } from "../gateway/auth-token-resolution.js";
import { resolveGatewayAuth } from "../gateway/auth.js";
import { normalizeOptionalString } from "../shared/string-coerce.js";
import {
readConfigFileSnapshotForWrite,
writeConfigFile,
} from "./gateway-install-token.persist.runtime.js";
import { randomToken } from "./random-token.js";
type GatewayInstallTokenOptions = {
config: OpenClawConfig;
configSnapshot?: ConfigFileSnapshot;
configWriteOptions?: ConfigWriteOptions;
env: NodeJS.ProcessEnv;
explicitToken?: string;
autoGenerateWhenMissing?: boolean;
persistGeneratedToken?: boolean;
};
export type GatewayInstallTokenResolution = {
token?: string;
tokenRefConfigured: boolean;
unavailableReason?: string;
warnings: string[];
};
async function maybePersistAutoGeneratedGatewayInstallToken(params: {
token: string;
config: OpenClawConfig;
configSnapshot?: ConfigFileSnapshot;
configWriteOptions?: ConfigWriteOptions;
warnings: string[];
}): Promise<string | undefined> {
try {
const prepared =
params.configSnapshot && params.configWriteOptions
? {
snapshot: params.configSnapshot,
writeOptions: params.configWriteOptions,
}
: await readConfigFileSnapshotForWrite();
const snapshot = params.configSnapshot ?? prepared.snapshot;
if (snapshot.exists && !snapshot.valid) {
params.warnings.push(
"Warning: config file exists but is invalid; skipping token persistence.",
);
return params.token;
}
const baseConfig = snapshot.exists ? (snapshot.sourceConfig ?? snapshot.config) : {};
const existingTokenRef = resolveSecretInputRef({
value: baseConfig.gateway?.auth?.token,
defaults: baseConfig.secrets?.defaults,
}).ref;
const baseConfigToken =
existingTokenRef || typeof baseConfig.gateway?.auth?.token !== "string"
? undefined
: normalizeOptionalString(baseConfig.gateway.auth.token);
if (!existingTokenRef && !baseConfigToken) {
await writeConfigFile(
{
...baseConfig,
gateway: {
...baseConfig.gateway,
auth: {
...baseConfig.gateway?.auth,
mode: baseConfig.gateway?.auth?.mode ?? "token",
token: params.token,
},
},
},
{
baseSnapshot: snapshot,
...prepared.writeOptions,
...params.configWriteOptions,
skipRuntimeSnapshotRefresh: true,
},
);
return params.token;
}
if (baseConfigToken) {
return baseConfigToken;
}
params.warnings.push(
"Warning: gateway.auth.token is SecretRef-managed; skipping plaintext token persistence.",
);
return undefined;
} catch (err) {
params.warnings.push(`Warning: could not persist token to config: ${String(err)}`);
return params.token;
}
}
function formatAmbiguousGatewayAuthModeReason(): string {
return [
"gateway.auth.token and gateway.auth.password are both configured while gateway.auth.mode is unset.",
`Set ${formatCliCommand("openclaw config set gateway.auth.mode token")} or ${formatCliCommand("openclaw config set gateway.auth.mode password")}.`,
].join(" ");
}
export async function resolveGatewayInstallToken(
options: GatewayInstallTokenOptions,
): Promise<GatewayInstallTokenResolution> {
const cfg = options.config;
const warnings: string[] = [];
if (hasAmbiguousGatewayAuthModeConfig(cfg)) {
const tokenRefConfigured = Boolean(
resolveSecretInputRef({
value: cfg.gateway?.auth?.token,
defaults: cfg.secrets?.defaults,
}).ref,
);
return {
token: undefined,
tokenRefConfigured,
unavailableReason: formatAmbiguousGatewayAuthModeReason(),
warnings,
};
}
const resolvedAuth = resolveGatewayAuth({
authConfig: cfg.gateway?.auth,
env: options.env,
tailscaleMode: cfg.gateway?.tailscale?.mode ?? "off",
});
const needsToken =
shouldRequireGatewayTokenForInstall(cfg, options.env) && !resolvedAuth.allowTailscale;
if (!needsToken) {
const tokenRefConfigured = Boolean(
resolveSecretInputRef({
value: cfg.gateway?.auth?.token,
defaults: cfg.secrets?.defaults,
}).ref,
);
return {
token: undefined,
tokenRefConfigured,
unavailableReason: undefined,
warnings,
};
}
const resolvedToken = await resolveGatewayAuthToken({
cfg,
env: options.env,
explicitToken: options.explicitToken,
envFallback: "no-secret-ref",
unresolvedReasonStyle: "detailed",
});
const tokenRefConfigured = resolvedToken.secretRefConfigured;
let token = resolvedToken.source === "secretRef" ? undefined : resolvedToken.token;
let unavailableReason: string | undefined;
if (tokenRefConfigured && resolvedToken.source === "secretRef" && needsToken) {
warnings.push(
"gateway.auth.token is SecretRef-managed; install will not persist a resolved token in service environment. Ensure the SecretRef is resolvable in the daemon runtime context.",
);
} else if (tokenRefConfigured && !token && needsToken) {
unavailableReason = `gateway.auth.token SecretRef is configured but unresolved (${resolvedToken.unresolvedRefReason ?? "unknown reason"}).`;
}
const allowAutoGenerate = options.autoGenerateWhenMissing ?? false;
const persistGeneratedToken = options.persistGeneratedToken ?? false;
if (!token && !tokenRefConfigured && allowAutoGenerate) {
token = randomToken();
warnings.push(
persistGeneratedToken
? "No gateway token found. Auto-generated one and saving to config."
: "No gateway token found. Auto-generated one for this run without saving to config.",
);
if (persistGeneratedToken) {
token = await maybePersistAutoGeneratedGatewayInstallToken({
token,
config: cfg,
configSnapshot: options.configSnapshot,
configWriteOptions: options.configWriteOptions,
warnings,
});
}
}
return {
token,
tokenRefConfigured,
unavailableReason,
warnings,
};
}
¤ Dauer der Verarbeitung: 0.0 Sekunden
(vorverarbeitet am 2026-04-27)
¤
*© Formatika GbR, Deutschland
|
|
