fix: switch pairing setup codes to bootstrap tokens

2026-03-27 09:21:35 +07:00 · 2026-03-12 22:22:44 +00:00
parent 9cd54ea882
commit bf89947a8e
53 changed files with 1035 additions and 106 deletions
--- a/apps/shared/OpenClawKit/Sources/OpenClawKit/DeepLinks.swift
+++ b/apps/shared/OpenClawKit/Sources/OpenClawKit/DeepLinks.swift
@@ -9,13 +9,15 @@ public struct GatewayConnectDeepLink: Codable, Sendable, Equatable {
    public let host: String
    public let port: Int
    public let tls: Bool
+    public let bootstrapToken: String?
    public let token: String?
    public let password: String?

-    public init(host: String, port: Int, tls: Bool, token: String?, password: String?) {
+    public init(host: String, port: Int, tls: Bool, bootstrapToken: String?, token: String?, password: String?) {
        self.host = host
        self.port = port
        self.tls = tls
+        self.bootstrapToken = bootstrapToken
        self.token = token
        self.password = password
    }
@@ -25,7 +27,7 @@ public struct GatewayConnectDeepLink: Codable, Sendable, Equatable {
        return URL(string: "\(scheme)://\(self.host):\(self.port)")
    }

-    /// Parse a device-pair setup code (base64url-encoded JSON: `{url, token?, password?}`).
+    /// Parse a device-pair setup code (base64url-encoded JSON: `{url, bootstrapToken?, token?, password?}`).
    public static func fromSetupCode(_ code: String) -> GatewayConnectDeepLink? {
        guard let data = Self.decodeBase64Url(code) else { return nil }
        guard let json = try? JSONSerialization.jsonObject(with: data) as? [String: Any] else { return nil }
@@ -41,9 +43,16 @@ public struct GatewayConnectDeepLink: Codable, Sendable, Equatable {
            return nil
        }
        let port = parsed.port ?? (tls ? 443 : 18789)
+        let bootstrapToken = json["bootstrapToken"] as? String
        let token = json["token"] as? String
        let password = json["password"] as? String
-        return GatewayConnectDeepLink(host: hostname, port: port, tls: tls, token: token, password: password)
+        return GatewayConnectDeepLink(
+            host: hostname,
+            port: port,
+            tls: tls,
+            bootstrapToken: bootstrapToken,
+            token: token,
+            password: password)
    }

    private static func decodeBase64Url(_ input: String) -> Data? {
@@ -140,6 +149,7 @@ public enum DeepLinkParser {
                    host: hostParam,
                    port: port,
                    tls: tls,
+                    bootstrapToken: nil,
                    token: query["token"],
                    password: query["password"]))

--- a/apps/shared/OpenClawKit/Sources/OpenClawKit/GatewayChannel.swift
+++ b/apps/shared/OpenClawKit/Sources/OpenClawKit/GatewayChannel.swift
@@ -112,6 +112,7 @@ public struct GatewayConnectOptions: Sendable {
 public enum GatewayAuthSource: String, Sendable {
    case deviceToken = "device-token"
    case sharedToken = "shared-token"
+    case bootstrapToken = "bootstrap-token"
    case password = "password"
    case none = "none"
 }
@@ -131,6 +132,12 @@ private let defaultOperatorConnectScopes: [String] = [
    "operator.pairing",
 ]

+private extension String {
+    var nilIfEmpty: String? {
+        self.isEmpty ? nil : self
+    }
+}
+
 private enum GatewayConnectErrorCodes {
    static let authTokenMismatch = GatewayConnectAuthDetailCode.authTokenMismatch.rawValue
    static let authDeviceTokenMismatch = GatewayConnectAuthDetailCode.authDeviceTokenMismatch.rawValue
@@ -154,6 +161,7 @@ public actor GatewayChannelActor {
    private var connectWaiters: [CheckedContinuation<Void, Error>] = []
    private var url: URL
    private var token: String?
+    private var bootstrapToken: String?
    private var password: String?
    private let session: WebSocketSessioning
    private var backoffMs: Double = 500
@@ -185,6 +193,7 @@ public actor GatewayChannelActor {
    public init(
        url: URL,
        token: String?,
+        bootstrapToken: String? = nil,
        password: String? = nil,
        session: WebSocketSessionBox? = nil,
        pushHandler: (@Sendable (GatewayPush) async -> Void)? = nil,
@@ -193,6 +202,7 @@ public actor GatewayChannelActor {
    {
        self.url = url
        self.token = token
+        self.bootstrapToken = bootstrapToken
        self.password = password
        self.session = session?.session ?? URLSession(configuration: .default)
        self.pushHandler = pushHandler
@@ -402,22 +412,29 @@ public actor GatewayChannelActor {
            (includeDeviceIdentity && identity != nil)
                ? DeviceAuthStore.loadToken(deviceId: identity!.deviceId, role: role)?.token
                : nil
+        let explicitToken = self.token?.trimmingCharacters(in: .whitespacesAndNewlines).nilIfEmpty
+        let explicitBootstrapToken =
+            self.bootstrapToken?.trimmingCharacters(in: .whitespacesAndNewlines).nilIfEmpty
+        let explicitPassword = self.password?.trimmingCharacters(in: .whitespacesAndNewlines).nilIfEmpty
        let shouldUseDeviceRetryToken =
            includeDeviceIdentity && self.pendingDeviceTokenRetry &&
-            storedToken != nil && self.token != nil && self.isTrustedDeviceRetryEndpoint()
+            storedToken != nil && explicitToken != nil && self.isTrustedDeviceRetryEndpoint()
        if shouldUseDeviceRetryToken {
            self.pendingDeviceTokenRetry = false
        }
        // Keep shared credentials explicit when provided. Device token retry is attached
        // only on a bounded second attempt after token mismatch.
-        let authToken = self.token ?? (includeDeviceIdentity ? storedToken : nil)
+        let authToken = explicitToken ?? (includeDeviceIdentity ? storedToken : nil)
+        let authBootstrapToken = authToken == nil ? explicitBootstrapToken : nil
        let authDeviceToken = shouldUseDeviceRetryToken ? storedToken : nil
        let authSource: GatewayAuthSource
-        if authDeviceToken != nil || (self.token == nil && storedToken != nil) {
+        if authDeviceToken != nil || (explicitToken == nil && storedToken != nil) {
            authSource = .deviceToken
        } else if authToken != nil {
            authSource = .sharedToken
-        } else if self.password != nil {
+        } else if authBootstrapToken != nil {
+            authSource = .bootstrapToken
+        } else if explicitPassword != nil {
            authSource = .password
        } else {
            authSource = .none
@@ -430,7 +447,9 @@ public actor GatewayChannelActor {
                auth["deviceToken"] = ProtoAnyCodable(authDeviceToken)
            }
            params["auth"] = ProtoAnyCodable(auth)
-        } else if let password = self.password {
+        } else if let authBootstrapToken {
+            params["auth"] = ProtoAnyCodable(["bootstrapToken": ProtoAnyCodable(authBootstrapToken)])
+        } else if let password = explicitPassword {
            params["auth"] = ProtoAnyCodable(["password": ProtoAnyCodable(password)])
        }
        let signedAtMs = Int(Date().timeIntervalSince1970 * 1000)
@@ -443,7 +462,7 @@ public actor GatewayChannelActor {
                role: role,
                scopes: scopes,
                signedAtMs: signedAtMs,
-                token: authToken,
+                token: authToken ?? authBootstrapToken,
                nonce: connectNonce,
                platform: platform,
                deviceFamily: InstanceIdentity.deviceFamily)
@@ -472,7 +491,7 @@ public actor GatewayChannelActor {
        } catch {
            let shouldRetryWithDeviceToken = self.shouldRetryWithStoredDeviceToken(
                error: error,
-                explicitGatewayToken: self.token,
+                explicitGatewayToken: explicitToken,
                storedToken: storedToken,
                attemptedDeviceTokenRetry: authDeviceToken != nil)
            if shouldRetryWithDeviceToken {
--- a/apps/shared/OpenClawKit/Sources/OpenClawKit/GatewayErrors.swift
+++ b/apps/shared/OpenClawKit/Sources/OpenClawKit/GatewayErrors.swift
@@ -5,6 +5,7 @@ public enum GatewayConnectAuthDetailCode: String, Sendable {
    case authRequired = "AUTH_REQUIRED"
    case authUnauthorized = "AUTH_UNAUTHORIZED"
    case authTokenMismatch = "AUTH_TOKEN_MISMATCH"
+    case authBootstrapTokenInvalid = "AUTH_BOOTSTRAP_TOKEN_INVALID"
    case authDeviceTokenMismatch = "AUTH_DEVICE_TOKEN_MISMATCH"
    case authTokenMissing = "AUTH_TOKEN_MISSING"
    case authTokenNotConfigured = "AUTH_TOKEN_NOT_CONFIGURED"
@@ -92,6 +93,7 @@ public struct GatewayConnectAuthError: LocalizedError, Sendable {
    public var isNonRecoverable: Bool {
        switch self.detail {
        case .authTokenMissing,
+            .authBootstrapTokenInvalid,
            .authTokenNotConfigured,
            .authPasswordMissing,
            .authPasswordMismatch,
--- a/apps/shared/OpenClawKit/Sources/OpenClawKit/GatewayNodeSession.swift
+++ b/apps/shared/OpenClawKit/Sources/OpenClawKit/GatewayNodeSession.swift
@@ -64,6 +64,7 @@ public actor GatewayNodeSession {
    private var channel: GatewayChannelActor?
    private var activeURL: URL?
    private var activeToken: String?
+    private var activeBootstrapToken: String?
    private var activePassword: String?
    private var activeConnectOptionsKey: String?
    private var connectOptions: GatewayConnectOptions?
@@ -194,6 +195,7 @@ public actor GatewayNodeSession {
    public func connect(
        url: URL,
        token: String?,
+        bootstrapToken: String?,
        password: String?,
        connectOptions: GatewayConnectOptions,
        sessionBox: WebSocketSessionBox?,
@@ -204,6 +206,7 @@ public actor GatewayNodeSession {
        let nextOptionsKey = self.connectOptionsKey(connectOptions)
        let shouldReconnect = self.activeURL != url ||
            self.activeToken != token ||
+            self.activeBootstrapToken != bootstrapToken ||
            self.activePassword != password ||
            self.activeConnectOptionsKey != nextOptionsKey ||
            self.channel == nil
@@ -221,6 +224,7 @@ public actor GatewayNodeSession {
            let channel = GatewayChannelActor(
                url: url,
                token: token,
+                bootstrapToken: bootstrapToken,
                password: password,
                session: sessionBox,
                pushHandler: { [weak self] push in
@@ -233,6 +237,7 @@ public actor GatewayNodeSession {
            self.channel = channel
            self.activeURL = url
            self.activeToken = token
+            self.activeBootstrapToken = bootstrapToken
            self.activePassword = password
            self.activeConnectOptionsKey = nextOptionsKey
        }
@@ -257,6 +262,7 @@ public actor GatewayNodeSession {
        self.channel = nil
        self.activeURL = nil
        self.activeToken = nil
+        self.activeBootstrapToken = nil
        self.activePassword = nil
        self.activeConnectOptionsKey = nil
        self.hasEverConnected = false
--- a/apps/shared/OpenClawKit/Tests/OpenClawKitTests/DeepLinksSecurityTests.swift
+++ b/apps/shared/OpenClawKit/Tests/OpenClawKitTests/DeepLinksSecurityTests.swift
@@ -20,11 +20,17 @@ import Testing
            string: "openclaw://gateway?host=127.0.0.1&port=18789&tls=0&token=abc")!
        #expect(
            DeepLinkParser.parse(url) == .gateway(
-                .init(host: "127.0.0.1", port: 18789, tls: false, token: "abc", password: nil)))
+                .init(
+                    host: "127.0.0.1",
+                    port: 18789,
+                    tls: false,
+                    bootstrapToken: nil,
+                    token: "abc",
+                    password: nil)))
    }

    @Test func setupCodeRejectsInsecureNonLoopbackWs() {
-        let payload = #"{"url":"ws://attacker.example:18789","token":"tok"}"#
+        let payload = #"{"url":"ws://attacker.example:18789","bootstrapToken":"tok"}"#
        let encoded = Data(payload.utf8)
            .base64EncodedString()
            .replacingOccurrences(of: "+", with: "-")
@@ -34,7 +40,7 @@ import Testing
    }

    @Test func setupCodeRejectsInsecurePrefixBypassHost() {
-        let payload = #"{"url":"ws://127.attacker.example:18789","token":"tok"}"#
+        let payload = #"{"url":"ws://127.attacker.example:18789","bootstrapToken":"tok"}"#
        let encoded = Data(payload.utf8)
            .base64EncodedString()
            .replacingOccurrences(of: "+", with: "-")
@@ -44,7 +50,7 @@ import Testing
    }

    @Test func setupCodeAllowsLoopbackWs() {
-        let payload = #"{"url":"ws://127.0.0.1:18789","token":"tok"}"#
+        let payload = #"{"url":"ws://127.0.0.1:18789","bootstrapToken":"tok"}"#
        let encoded = Data(payload.utf8)
            .base64EncodedString()
            .replacingOccurrences(of: "+", with: "-")
@@ -55,7 +61,8 @@ import Testing
                host: "127.0.0.1",
                port: 18789,
                tls: false,
-                token: "tok",
+                bootstrapToken: "tok",
+                token: nil,
                password: nil))
    }
 }
--- a/apps/shared/OpenClawKit/Tests/OpenClawKitTests/GatewayErrorsTests.swift
+++ b/apps/shared/OpenClawKit/Tests/OpenClawKitTests/GatewayErrorsTests.swift
@@ -0,0 +1,14 @@
+import OpenClawKit
+import Testing
+
+@Suite struct GatewayErrorsTests {
+    @Test func bootstrapTokenInvalidIsNonRecoverable() {
+        let error = GatewayConnectAuthError(
+            message: "setup code expired",
+            detailCode: GatewayConnectAuthDetailCode.authBootstrapTokenInvalid.rawValue,
+            canRetryWithDeviceToken: false)
+
+        #expect(error.isNonRecoverable)
+        #expect(error.detail == .authBootstrapTokenInvalid)
+    }
+}
--- a/apps/shared/OpenClawKit/Tests/OpenClawKitTests/GatewayNodeSessionTests.swift
+++ b/apps/shared/OpenClawKit/Tests/OpenClawKitTests/GatewayNodeSessionTests.swift
@@ -266,6 +266,7 @@ struct GatewayNodeSessionTests {
        try await gateway.connect(
            url: URL(string: "ws://example.invalid")!,
            token: nil,
+            bootstrapToken: nil,
            password: nil,
            connectOptions: options,
            sessionBox: WebSocketSessionBox(session: session),