feat(discord-control): align auth with token/allowlist/action-gate and add dryRun
This commit is contained in:
@@ -2,9 +2,29 @@ import http from "node:http";
|
||||
|
||||
const port = Number(process.env.PORT || 8790);
|
||||
const authToken = process.env.AUTH_TOKEN || "";
|
||||
const requireAuthToken = String(process.env.REQUIRE_AUTH_TOKEN || "false").toLowerCase() === "true";
|
||||
const discordToken = process.env.DISCORD_BOT_TOKEN || "";
|
||||
const discordBase = "https://discord.com/api/v10";
|
||||
|
||||
const enabledActions = {
|
||||
channelPrivateCreate: String(process.env.ENABLE_CHANNEL_PRIVATE_CREATE || "true").toLowerCase() !== "false",
|
||||
memberList: String(process.env.ENABLE_MEMBER_LIST || "true").toLowerCase() !== "false",
|
||||
};
|
||||
|
||||
const allowedGuildIds = new Set(
|
||||
String(process.env.ALLOWED_GUILD_IDS || "")
|
||||
.split(",")
|
||||
.map((s) => s.trim())
|
||||
.filter(Boolean),
|
||||
);
|
||||
|
||||
const allowedCallerIds = new Set(
|
||||
String(process.env.ALLOWED_CALLER_IDS || "")
|
||||
.split(",")
|
||||
.map((s) => s.trim())
|
||||
.filter(Boolean),
|
||||
);
|
||||
|
||||
const BIT_VIEW_CHANNEL = 1024n;
|
||||
const BIT_SEND_MESSAGES = 2048n;
|
||||
const BIT_READ_MESSAGE_HISTORY = 65536n;
|
||||
@@ -14,17 +34,52 @@ function sendJson(res, status, payload) {
|
||||
res.end(JSON.stringify(payload));
|
||||
}
|
||||
|
||||
function isAuthorized(req) {
|
||||
if (!authToken) return true;
|
||||
function fail(status, code, message, details) {
|
||||
return { status, code, message, details };
|
||||
}
|
||||
|
||||
function readCallerId(req) {
|
||||
const v = req.headers["x-openclaw-caller-id"] || req.headers["x-caller-id"];
|
||||
return typeof v === "string" ? v.trim() : "";
|
||||
}
|
||||
|
||||
function ensureControlAuth(req) {
|
||||
if (requireAuthToken && !authToken) {
|
||||
throw fail(500, "auth_misconfigured", "REQUIRE_AUTH_TOKEN=true but AUTH_TOKEN is empty");
|
||||
}
|
||||
if (!authToken) return;
|
||||
const header = req.headers.authorization || "";
|
||||
return header === `Bearer ${authToken}`;
|
||||
if (header !== `Bearer ${authToken}`) {
|
||||
throw fail(401, "unauthorized", "invalid or missing bearer token");
|
||||
}
|
||||
|
||||
if (allowedCallerIds.size > 0) {
|
||||
const callerId = readCallerId(req);
|
||||
if (!callerId || !allowedCallerIds.has(callerId)) {
|
||||
throw fail(403, "caller_forbidden", "caller is not in ALLOWED_CALLER_IDS", { callerId: callerId || null });
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function ensureDiscordToken() {
|
||||
if (!discordToken) {
|
||||
const e = new Error("missing DISCORD_BOT_TOKEN");
|
||||
e.status = 500;
|
||||
throw e;
|
||||
throw fail(500, "discord_token_missing", "missing DISCORD_BOT_TOKEN");
|
||||
}
|
||||
}
|
||||
|
||||
function ensureGuildAllowed(guildId) {
|
||||
if (allowedGuildIds.size === 0) return;
|
||||
if (!allowedGuildIds.has(guildId)) {
|
||||
throw fail(403, "guild_forbidden", "guild is not in ALLOWED_GUILD_IDS", { guildId });
|
||||
}
|
||||
}
|
||||
|
||||
function ensureActionEnabled(action) {
|
||||
if (action === "channel-private-create" && !enabledActions.channelPrivateCreate) {
|
||||
throw fail(403, "action_disabled", "channel-private-create is disabled");
|
||||
}
|
||||
if (action === "member-list" && !enabledActions.memberList) {
|
||||
throw fail(403, "action_disabled", "member-list is disabled");
|
||||
}
|
||||
}
|
||||
|
||||
@@ -44,10 +99,7 @@ async function discordRequest(path, init = {}) {
|
||||
} catch {}
|
||||
|
||||
if (!r.ok) {
|
||||
const e = new Error(`discord_api_error ${r.status}`);
|
||||
e.status = r.status;
|
||||
e.details = data;
|
||||
throw e;
|
||||
throw fail(r.status, "discord_api_error", `discord api returned ${r.status}`, data);
|
||||
}
|
||||
return data;
|
||||
}
|
||||
@@ -57,7 +109,7 @@ function toStringMask(v, fallback) {
|
||||
if (typeof v === "string") return v;
|
||||
if (typeof v === "number") return String(Math.floor(v));
|
||||
if (typeof v === "bigint") return String(v);
|
||||
throw new Error("invalid mask");
|
||||
throw fail(400, "invalid_mask", "invalid permission bit mask");
|
||||
}
|
||||
|
||||
function buildPrivateOverwrites({ guildId, allowedUserIds = [], allowedRoleIds = [], allowMask, denyEveryoneMask }) {
|
||||
@@ -89,8 +141,9 @@ function buildPrivateOverwrites({ guildId, allowedUserIds = [], allowedRoleIds =
|
||||
async function actionChannelPrivateCreate(body) {
|
||||
const guildId = String(body.guildId || "").trim();
|
||||
const name = String(body.name || "").trim();
|
||||
if (!guildId) throw Object.assign(new Error("guildId is required"), { status: 400 });
|
||||
if (!name) throw Object.assign(new Error("name is required"), { status: 400 });
|
||||
if (!guildId) throw fail(400, "bad_request", "guildId is required");
|
||||
if (!name) throw fail(400, "bad_request", "name is required");
|
||||
ensureGuildAllowed(guildId);
|
||||
|
||||
const payload = {
|
||||
name,
|
||||
@@ -108,6 +161,10 @@ async function actionChannelPrivateCreate(body) {
|
||||
}),
|
||||
};
|
||||
|
||||
if (body.dryRun === true) {
|
||||
return { ok: true, action: "channel-private-create", dryRun: true, payload };
|
||||
}
|
||||
|
||||
const channel = await discordRequest(`/guilds/${guildId}/channels`, {
|
||||
method: "POST",
|
||||
body: JSON.stringify(payload),
|
||||
@@ -118,7 +175,8 @@ async function actionChannelPrivateCreate(body) {
|
||||
|
||||
async function actionMemberList(body) {
|
||||
const guildId = String(body.guildId || "").trim();
|
||||
if (!guildId) throw Object.assign(new Error("guildId is required"), { status: 400 });
|
||||
if (!guildId) throw fail(400, "bad_request", "guildId is required");
|
||||
ensureGuildAllowed(guildId);
|
||||
|
||||
const limitRaw = Number(body.limit ?? 100);
|
||||
const limit = Number.isFinite(limitRaw) ? Math.max(1, Math.min(1000, Math.floor(limitRaw))) : 100;
|
||||
@@ -134,25 +192,30 @@ async function actionMemberList(body) {
|
||||
|
||||
async function handleAction(body) {
|
||||
const action = String(body.action || "").trim();
|
||||
if (!action) throw Object.assign(new Error("action is required"), { status: 400 });
|
||||
if (!action) throw fail(400, "bad_request", "action is required");
|
||||
ensureActionEnabled(action);
|
||||
|
||||
if (action === "channel-private-create") return await actionChannelPrivateCreate(body);
|
||||
if (action === "member-list") return await actionMemberList(body);
|
||||
|
||||
throw Object.assign(new Error(`unsupported action: ${action}`), { status: 400 });
|
||||
throw fail(400, "unsupported_action", `unsupported action: ${action}`);
|
||||
}
|
||||
|
||||
const server = http.createServer((req, res) => {
|
||||
if (req.method === "GET" && req.url === "/health") {
|
||||
return sendJson(res, 200, { ok: true, service: "discord-control-api" });
|
||||
return sendJson(res, 200, {
|
||||
ok: true,
|
||||
service: "discord-control-api",
|
||||
authRequired: !!authToken || requireAuthToken,
|
||||
actionGates: enabledActions,
|
||||
guildAllowlistEnabled: allowedGuildIds.size > 0,
|
||||
});
|
||||
}
|
||||
|
||||
if (req.method !== "POST" || req.url !== "/v1/discord/action") {
|
||||
return sendJson(res, 404, { error: "not_found" });
|
||||
}
|
||||
|
||||
if (!isAuthorized(req)) return sendJson(res, 401, { error: "unauthorized" });
|
||||
|
||||
let body = "";
|
||||
req.on("data", (chunk) => {
|
||||
body += chunk;
|
||||
@@ -161,12 +224,13 @@ const server = http.createServer((req, res) => {
|
||||
|
||||
req.on("end", async () => {
|
||||
try {
|
||||
ensureControlAuth(req);
|
||||
const parsed = body ? JSON.parse(body) : {};
|
||||
const result = await handleAction(parsed);
|
||||
return sendJson(res, 200, result);
|
||||
} catch (err) {
|
||||
return sendJson(res, err?.status || 500, {
|
||||
error: "request_failed",
|
||||
error: err?.code || "request_failed",
|
||||
message: String(err?.message || err),
|
||||
details: err?.details,
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user