Skip to content

feat(gateway): configurable extra trusted setup/control UI origins#255

Open
KrasimirKralev wants to merge 1 commit into
ID-Robots:betafrom
KrasimirKralev:feat/configurable-trusted-origins
Open

feat(gateway): configurable extra trusted setup/control UI origins#255
KrasimirKralev wants to merge 1 commit into
ID-Robots:betafrom
KrasimirKralev:feat/configurable-trusted-origins

Conversation

@KrasimirKralev

Copy link
Copy Markdown
Contributor

Closes #232.

Problem

gateway-pre-start.sh replaces controlUi.allowedOrigins with a computed list (defaults + this host's LAN IPs) on every boot. A deployment reached through a VPN overlay name, MagicDNS, or a stable HTTPS origin therefore had to hand-patch the generated config — fragile, and it drifts across updates.

Fix

A supported config hook: controlUi.extraAllowedOrigins in ~/.openclaw/openclaw.json.

  • New scripts/gateway_origins.py (importable → unit-testable):
    • normalize_origin(v) — validates a value as a full http(s)://host[:port] origin, rejecting bare hostnames, wildcards, paths/queries/fragments, and credentials so a configured entry can never quietly widen cross-origin access.
    • merge_extra_origins(defaults, configured) — unions validated extras into the defaults, drops duplicates, and returns the invalid entries for reporting.
  • gateway-pre-start.sh reads controlUi.extraAllowedOrigins, merges validated entries into the computed allowedOrigins, and logs WARN: ignoring invalid … for each rejected one. Missing/None key ⇒ defaults only (unchanged behavior). Import falls back to defaults-only if the module is ever unavailable — never blocks boot.

Usage

// ~/.openclaw/openclaw.json
{ "gateway": { "controlUi": { "extraAllowedOrigins": ["https://box.example.ts.net"] } } }

On the next gateway restart, pre-start validates and merges it into the active allowlist. Invalid entries are dropped with a logged warning.

Tests

src/tests/unit/gateway-origins.test.ts drives the module via python3 (the test job runs on ubuntu-latest): the module self-test plus explicit valid, invalid, and default cases — the three the acceptance criteria call for.

Security

Stays an explicit allowlist — no wildcards, defaults conservative. The goal is to kill brittle local patches, not loosen CORS.

Acceptance criteria

  • Operators can add a specific trusted origin through supported config
  • Invalid origins are rejected / reported clearly (pre-start WARN)
  • Generated config includes configured extra origins
  • No source patches required for deployment-specific hostnames
  • Tests cover valid, invalid, and default behavior

Follow-up: a user-facing docs-site guide entry will go as a separate PR to main (docs deploy from the default branch, per repo convention).

Closes ID-Robots#232. gateway-pre-start.sh replaced controlUi.allowedOrigins with a
computed list (defaults + LAN IPs) on every boot, so operators reaching the
device through a VPN/MagicDNS name had to hand-patch the generated config —
which drifts across updates.

- New scripts/gateway_origins.py: normalize_origin() validates a value as a
  full http/https origin (scheme://host[:port]) — rejecting bare hostnames,
  wildcards, paths, and credentials so a configured entry can't quietly widen
  cross-origin access — and merge_extra_origins() unions the validated extras
  into the defaults, dropping duplicates and reporting invalid entries.
- gateway-pre-start.sh reads controlUi.extraAllowedOrigins from openclaw.json,
  merges validated entries into the computed allowedOrigins, and logs a WARN
  for each rejected entry. Missing/None key = defaults only (unchanged). The
  module is imported (falls back to defaults-only if unavailable — never blocks
  boot).
- Extracted to an importable module so it's unit-testable:
  src/tests/unit/gateway-origins.test.ts drives it via python3 (self-test +
  explicit valid/invalid/default cases). Stays an explicit allowlist — no
  wildcards, defaults conservative.

Operators add e.g. controlUi.extraAllowedOrigins: ["https://box.example.ts.net"]
to ~/.openclaw/openclaw.json; pre-start validates + merges on next restart.

Validated: module self-test + functional merge check pass locally (bash -n
clean; no local node/bun on the dev box, so the vitest wrapper runs on CI).
@KrasimirKralev
KrasimirKralev requested a review from a team as a code owner July 5, 2026 11:39
@coderabbitai

coderabbitai Bot commented Jul 5, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@KrasimirKralev, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 53 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 412cac75-4c00-4b37-8244-e37d8f4c0653

📥 Commits

Reviewing files that changed from the base of the PR and between 7d7bf64 and 408ada7.

📒 Files selected for processing (3)
  • scripts/gateway-pre-start.sh
  • scripts/gateway_origins.py
  • src/tests/unit/gateway-origins.test.ts
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 5, 2026

Copy link
Copy Markdown

🦀 ClawReview

Scuttled over to say hello and get you oriented 🦀

Adds a supported config hook — controlUi.extraAllowedOrigins in ~/.openclaw/openclaw.json — so operators can register VPN overlay names, MagicDNS hostnames, or stable HTTPS origins as trusted gateway control-UI origins without hand-patching the generated allowlist on every update. A new importable Python module (scripts/gateway_origins.py) handles validation and merging; gateway-pre-start.sh calls it and logs a WARN for any rejected entry, gracefully falling back to defaults-only if the module is ever unavailable.

At a glance

  • ✨ Feature · touches gateway pre-start script + gateway origin validation
  • Base branch: beta · +129 source / +52 tests across 3 files
  • ✅ base beta matches the beta-first convention
  • ✅ conventional PR title
  • ℹ️ touches security-sensitive paths (scripts/gateway-pre-start.sh) — review with extra care

Good to know

  • ℹ️ Touches gateway-pre-start.sh, which runs on every gateway restart on customer devices — the graceful import fallback means a missing module never blocks boot.
  • ℹ️ Tests are TypeScript/Vitest files that shell out to python3 via execFileSync — an unusual cross-language approach; CI must have python3 available (ubuntu-latest does).
  • ℹ️ The new extraAllowedOrigins key is opt-in; existing deployments with no key set are unaffected (defaults-only path is unchanged).

— ClawReview 🦀, your resident reef crab. Just orientation — CodeRabbit does the line-by-line, humans do the merge. Conventions: docs.

@github-actions github-actions Bot added the area: install Auto-triage area label Jul 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: install Auto-triage area

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant