feat(gateway): configurable extra trusted setup/control UI origins#255
feat(gateway): configurable extra trusted setup/control UI origins#255KrasimirKralev wants to merge 1 commit into
Conversation
Closes ID-Robots#232. gateway-pre-start.sh replaced controlUi.allowedOrigins with a computed list (defaults + LAN IPs) on every boot, so operators reaching the device through a VPN/MagicDNS name had to hand-patch the generated config — which drifts across updates. - New scripts/gateway_origins.py: normalize_origin() validates a value as a full http/https origin (scheme://host[:port]) — rejecting bare hostnames, wildcards, paths, and credentials so a configured entry can't quietly widen cross-origin access — and merge_extra_origins() unions the validated extras into the defaults, dropping duplicates and reporting invalid entries. - gateway-pre-start.sh reads controlUi.extraAllowedOrigins from openclaw.json, merges validated entries into the computed allowedOrigins, and logs a WARN for each rejected entry. Missing/None key = defaults only (unchanged). The module is imported (falls back to defaults-only if unavailable — never blocks boot). - Extracted to an importable module so it's unit-testable: src/tests/unit/gateway-origins.test.ts drives it via python3 (self-test + explicit valid/invalid/default cases). Stays an explicit allowlist — no wildcards, defaults conservative. Operators add e.g. controlUi.extraAllowedOrigins: ["https://box.example.ts.net"] to ~/.openclaw/openclaw.json; pre-start validates + merges on next restart. Validated: module self-test + functional merge check pass locally (bash -n clean; no local node/bun on the dev box, so the vitest wrapper runs on CI).
|
Warning Review limit reached
Next review available in: 53 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (3)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
🦀 ClawReviewScuttled over to say hello and get you oriented 🦀 Adds a supported config hook — At a glance
Good to know
— ClawReview 🦀, your resident reef crab. Just orientation — CodeRabbit does the line-by-line, humans do the merge. Conventions: docs. |
Closes #232.
Problem
gateway-pre-start.shreplacescontrolUi.allowedOriginswith a computed list (defaults + this host's LAN IPs) on every boot. A deployment reached through a VPN overlay name, MagicDNS, or a stable HTTPS origin therefore had to hand-patch the generated config — fragile, and it drifts across updates.Fix
A supported config hook:
controlUi.extraAllowedOriginsin~/.openclaw/openclaw.json.scripts/gateway_origins.py(importable → unit-testable):normalize_origin(v)— validates a value as a fullhttp(s)://host[:port]origin, rejecting bare hostnames, wildcards, paths/queries/fragments, and credentials so a configured entry can never quietly widen cross-origin access.merge_extra_origins(defaults, configured)— unions validated extras into the defaults, drops duplicates, and returns the invalid entries for reporting.gateway-pre-start.shreadscontrolUi.extraAllowedOrigins, merges validated entries into the computedallowedOrigins, and logsWARN: ignoring invalid …for each rejected one. Missing/Nonekey ⇒ defaults only (unchanged behavior). Import falls back to defaults-only if the module is ever unavailable — never blocks boot.Usage
On the next gateway restart, pre-start validates and merges it into the active allowlist. Invalid entries are dropped with a logged warning.
Tests
src/tests/unit/gateway-origins.test.tsdrives the module viapython3(thetestjob runs on ubuntu-latest): the module self-test plus explicit valid, invalid, and default cases — the three the acceptance criteria call for.Security
Stays an explicit allowlist — no wildcards, defaults conservative. The goal is to kill brittle local patches, not loosen CORS.
Acceptance criteria
WARN)Follow-up: a user-facing docs-site guide entry will go as a separate PR to
main(docs deploy from the default branch, per repo convention).