fix: sign bootstrap pairing requests

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-26 21:02:19 -07:00 · 2026-04-26 21:02:19 -07:00 · 902e1ee2b6
commit 902e1ee2b6
parent 0bfa2efa4f
2 changed files with 19 additions and 1 deletions
--- a/src/OpenClaw.Shared/WindowsNodeClient.cs
+++ b/src/OpenClaw.Shared/WindowsNodeClient.cs
@ -550,7 +550,7 @@ public class WindowsNodeClient : WebSocketClientBase

        if (!string.IsNullOrEmpty(_bootstrapToken))
        {
-            return (new Dictionary<string, string> { ["bootstrapToken"] = _bootstrapToken }, string.Empty);
+            return (new Dictionary<string, string> { ["bootstrapToken"] = _bootstrapToken }, _bootstrapToken);
        }

        return (new Dictionary<string, string> { ["token"] = _gatewayToken }, _gatewayToken);
--- a/tests/OpenClaw.Shared.Tests/WindowsNodeClientTests.cs
+++ b/tests/OpenClaw.Shared.Tests/WindowsNodeClientTests.cs
@ -737,9 +737,11 @@ public class WindowsNodeClientTests
            var json = InvokeBuildNodeConnectMessage(client);
            using var doc = JsonDocument.Parse(json);
            var auth = doc.RootElement.GetProperty("params").GetProperty("auth");
+            var (_, tokenForSignature) = InvokeBuildConnectAuth(client);

            Assert.Equal("bootstrap-token-123", auth.GetProperty("bootstrapToken").GetString());
            Assert.False(auth.TryGetProperty("token", out _));
+            Assert.Equal("bootstrap-token-123", tokenForSignature);
        }
        finally
        {
@ -772,9 +774,11 @@ public class WindowsNodeClientTests
            var json = InvokeBuildNodeConnectMessage(client);
            using var doc = JsonDocument.Parse(json);
            var auth = doc.RootElement.GetProperty("params").GetProperty("auth");
+            var (_, tokenForSignature) = InvokeBuildConnectAuth(client);

            Assert.Equal("stored-device-token", auth.GetProperty("token").GetString());
            Assert.False(auth.TryGetProperty("bootstrapToken", out _));
+            Assert.Equal("stored-device-token", tokenForSignature);
        }
        finally
        {
@ -796,9 +800,11 @@ public class WindowsNodeClientTests
            var json = InvokeBuildNodeConnectMessage(client);
            using var doc = JsonDocument.Parse(json);
            var auth = doc.RootElement.GetProperty("params").GetProperty("auth");
+            var (_, tokenForSignature) = InvokeBuildConnectAuth(client);

            Assert.Equal("gateway-token", auth.GetProperty("token").GetString());
            Assert.False(auth.TryGetProperty("bootstrapToken", out _));
+            Assert.Equal("gateway-token", tokenForSignature);
        }
        finally
        {
@ -1119,6 +1125,18 @@ public class WindowsNodeClientTests
        return (string)method!.Invoke(client, ["nonce-123", 0L])!;
    }

+    private static (Dictionary<string, string> Auth, string TokenForSignature) InvokeBuildConnectAuth(
+        WindowsNodeClient client)
+    {
+        var method = typeof(WindowsNodeClient).GetMethod(
+            "BuildConnectAuth",
+            BindingFlags.NonPublic | BindingFlags.Instance);
+        Assert.NotNull(method);
+
+        var result = (ValueTuple<Dictionary<string, string>, string>)method!.Invoke(client, [])!;
+        return (result.Item1, result.Item2);
+    }
+
    // ─── Command dispatch map tests ────────────────────────────────────────────

    private sealed class MockCapability : INodeCapability