admin/Moltbot
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

refactor: unify gateway SecretRef auth resolution paths

Browse Source
This commit is contained in:
Peter Steinberger
2026-03-07 21:32:42 +00:00
parent 5f26970200
commit fecca6fd8d
9 changed files with 318 additions and 189 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
src/cli/daemon-cli/status.gather.ts
View File

@@ -12,7 +12,6 @@ import type {
import {
hasConfiguredSecretInput,
normalizeSecretInputString,
resolveSecretInputRef,
} from "../../config/types.secrets.js";
import { readLastGatewayErrorLine } from "../../daemon/diagnostics.js";
import type { FindExtraGatewayServicesOptions } from "../../daemon/inspect.js";
@@ -27,6 +26,7 @@ import {
trimToUndefined,
} from "../../gateway/credentials.js";
import { resolveGatewayBindHost } from "../../gateway/net.js";
import { resolveRequiredConfiguredSecretRefInputString } from "../../gateway/resolve-configured-secret-input-string.js";
import {
formatPortDiagnostics,
inspectPortUsage,
@@ -35,8 +35,6 @@ import {
} from "../../infra/ports.js";
import { pickPrimaryTailnetIPv4 } from "../../infra/tailnet.js";
import { loadGatewayTlsRuntime } from "../../infra/tls/gateway.js";
import { secretRefKey } from "../../secrets/ref-contract.js";
import { resolveSecretRefValues } from "../../secrets/resolve.js";
import { probeGatewayStatus } from "./probe.js";
import { normalizeListenerAddress, parsePortFromArgs, pickProbeHostForBind } from "./shared.js";
import type { GatewayRpcOpts } from "./types.js";
@@ -127,13 +125,6 @@ async function resolveDaemonProbeToken(params: {
}
const defaults = params.daemonCfg.secrets?.defaults;
const configured = params.daemonCfg.gateway?.auth?.token;
const { ref } = resolveSecretInputRef({
value: configured,
defaults,
});
if (!ref) {
return normalizeSecretInputString(configured);
}
const authMode = params.daemonCfg.gateway?.auth?.mode;
if (authMode === "password" || authMode === "none" || authMode === "trusted-proxy") {
return undefined;
@@ -149,15 +140,16 @@ async function resolveDaemonProbeToken(params: {
return undefined;
}
}
const resolved = await resolveSecretRefValues([ref], {
const resolvedToken = await resolveRequiredConfiguredSecretRefInputString({
config: params.daemonCfg,
env: params.mergedDaemonEnv as NodeJS.ProcessEnv,
value: configured,
path: "gateway.auth.token",
});
const token = trimToUndefined(resolved.get(secretRefKey(ref)));
if (!token) {
throw new Error("gateway.auth.token resolved to an empty or non-string value.");
if (resolvedToken) {
return resolvedToken;
}
return token;
return normalizeSecretInputString(configured);
}
async function resolveDaemonProbePassword(params: {
@@ -176,13 +168,6 @@ async function resolveDaemonProbePassword(params: {
}
const defaults = params.daemonCfg.secrets?.defaults;
const configured = params.daemonCfg.gateway?.auth?.password;
const { ref } = resolveSecretInputRef({
value: configured,
defaults,
});
if (!ref) {
return normalizeSecretInputString(configured);
}
const authMode = params.daemonCfg.gateway?.auth?.mode;
if (authMode === "token" || authMode === "none" || authMode === "trusted-proxy") {
return undefined;
@@ -198,15 +183,16 @@ async function resolveDaemonProbePassword(params: {
return undefined;
}
}
const resolved = await resolveSecretRefValues([ref], {
const resolvedPassword = await resolveRequiredConfiguredSecretRefInputString({
config: params.daemonCfg,
env: params.mergedDaemonEnv as NodeJS.ProcessEnv,
value: configured,
path: "gateway.auth.password",
});
const password = trimToUndefined(resolved.get(secretRefKey(ref)));
if (!password) {
throw new Error("gateway.auth.password resolved to an empty or non-string value.");
if (resolvedPassword) {
return resolvedPassword;
}
return password;
return normalizeSecretInputString(configured);
}
export async function gatherDaemonStatus(

24
src/cli/qr-cli.ts
View File

@@ -1,13 +1,12 @@
import type { Command } from "commander";
import qrcode from "qrcode-terminal";
import { loadConfig } from "../config/config.js";
import { hasConfiguredSecretInput, resolveSecretInputRef } from "../config/types.secrets.js";
import { hasConfiguredSecretInput } from "../config/types.secrets.js";
import { readGatewayPasswordEnv, readGatewayTokenEnv } from "../gateway/credentials.js";
import { resolveRequiredConfiguredSecretRefInputString } from "../gateway/resolve-configured-secret-input-string.js";
import { resolvePairingSetupFromConfig, encodePairingSetupCode } from "../pairing/setup-code.js";
import { runCommandWithTimeout } from "../process/exec.js";
import { defaultRuntime } from "../runtime.js";
import { secretRefKey } from "../secrets/ref-contract.js";
import { resolveSecretRefValues } from "../secrets/resolve.js";
import { formatDocsLink } from "../terminal/links.js";
import { theme } from "../terminal/theme.js";
import { resolveCommandSecretRefsViaGateway } from "./command-secret-gateway.js";
@@ -66,26 +65,19 @@ function shouldResolveLocalGatewayPasswordSecret(
async function resolveLocalGatewayPasswordSecretIfNeeded(
cfg: ReturnType<typeof loadConfig>,
): Promise<void> {
const authPassword = cfg.gateway?.auth?.password;
const { ref } = resolveSecretInputRef({
value: authPassword,
defaults: cfg.secrets?.defaults,
});
if (!ref) {
return;
}
const resolved = await resolveSecretRefValues([ref], {
const resolvedPassword = await resolveRequiredConfiguredSecretRefInputString({
config: cfg,
env: process.env,
value: cfg.gateway?.auth?.password,
path: "gateway.auth.password",
});
const value = resolved.get(secretRefKey(ref));
if (typeof value !== "string" || value.trim().length === 0) {
throw new Error("gateway.auth.password resolved to an empty or non-string value.");
if (!resolvedPassword) {
return;
}
if (!cfg.gateway?.auth) {
return;
}
cfg.gateway.auth.password = value.trim();
cfg.gateway.auth.password = resolvedPassword;
}
function emitQrSecretResolveDiagnostics(diagnostics: string[], opts: QrCliOptions): void {