@chrysb/alphaclaw 0.8.1-beta.0 → 0.8.1-beta.2

package/lib/server/oauth-callback-middleware.js

@@ -0,0 +1,34 @@
+const createOauthCallbackMiddleware = ({
+  getOauthCallbackById,
+  markOauthCallbackUsed = () => {},
+  webhookMiddleware,
+}) => {
+  return (req, res) => {
+    const callbackId = String(req.params?.id || "").trim();
+    if (!callbackId) {
+      return res.status(404).json({ error: "Not found" });
+    }
+    const callback = getOauthCallbackById(callbackId);
+    if (!callback?.hookName) {
+      return res.status(404).json({ error: "Not found" });
+    }
+    try {
+      markOauthCallbackUsed(callbackId);
+    } catch {}
+    const originalUrl = String(req.originalUrl || req.url || "");
+    const queryIndex = originalUrl.indexOf("?");
+    const querySuffix = queryIndex >= 0 ? originalUrl.slice(queryIndex) : "";
+    const rewrittenUrl = `/hooks/${callback.hookName}${querySuffix}`;
+    req.url = rewrittenUrl;
+    req.originalUrl = rewrittenUrl;
+    const webhookToken = String(process.env.WEBHOOK_TOKEN || "").trim();
+    if (webhookToken) {
+      req.headers.authorization = `Bearer ${webhookToken}`;
+    }
+    return webhookMiddleware(req, res);
+  };
+};
+
+module.exports = {
+  createOauthCallbackMiddleware,
+};

package/lib/server/routes/proxy.js

@@ -4,6 +4,7 @@ const registerProxyRoutes = ({
   getGatewayUrl,
   SETUP_API_PREFIXES,
   requireAuth,
+  oauthCallbackMiddleware,
   webhookMiddleware,
 }) => {
   const kOpenClawPathPattern = /^\/openclaw\/.+/;
@@ -24,6 +25,7 @@ const registerProxyRoutes = ({
     proxy.web(req, res, { target: getGatewayUrl() }),
   );
 
+  app.all("/oauth/:id", oauthCallbackMiddleware);
   app.all(kHooksPathPattern, webhookMiddleware);
   app.all(kWebhookPathPattern, webhookMiddleware);
 

package/lib/server/routes/webhooks.js

@@ -46,7 +46,7 @@ const normalizeStatusFilter = (rawStatus) => {
   return "all";
 };
 
-const buildWebhookUrls = ({ baseUrl, name }) => {
+const buildWebhookUrls = ({ baseUrl, name, oauthCallback = null }) => {
   const fullUrl = `${baseUrl}/hooks/${name}`;
   const token = String(process.env.WEBHOOK_TOKEN || "").trim();
   const queryStringUrl = token
@@ -55,7 +55,18 @@ const buildWebhookUrls = ({ baseUrl, name }) => {
   const authHeaderValue = token
     ? `Authorization: Bearer ${token}`
     : "Authorization: Bearer <WEBHOOK_TOKEN>";
-  return { fullUrl, queryStringUrl, authHeaderValue, hasRuntimeToken: !!token };
+  const callbackId = String(oauthCallback?.callbackId || "").trim();
+  return {
+    fullUrl,
+    queryStringUrl,
+    authHeaderValue,
+    hasRuntimeToken: !!token,
+    oauthCallbackId: callbackId || "",
+    oauthCallbackUrl: callbackId ? `${baseUrl}/oauth/${callbackId}` : "",
+    oauthCallbackCreatedAt: oauthCallback?.createdAt || null,
+    oauthCallbackRotatedAt: oauthCallback?.rotatedAt || null,
+    oauthCallbackLastUsedAt: oauthCallback?.lastUsedAt || null,
+  };
 };
 
 const registerWebhookRoutes = ({
@@ -67,6 +78,16 @@ const registerWebhookRoutes = ({
   shellCmd,
   restartRequiredState,
 }) => {
+  const {
+    getRequests = () => [],
+    getRequestById = () => null,
+    getHookSummaries = () => [],
+    deleteRequestsByHook = () => 0,
+    createOauthCallback: createOauthCallbackEntry = () => null,
+    getOauthCallbackByHook: getOauthCallbackByHookEntry = () => null,
+    rotateOauthCallback: rotateOauthCallbackEntry = () => null,
+    deleteOauthCallback: deleteOauthCallbackEntry = () => 0,
+  } = webhooksDb || {};
   const fallbackRestartState = {
     markRequired: () => {},
     getSnapshot: async () => ({ restartRequired: false }),
@@ -91,14 +112,18 @@ const registerWebhookRoutes = ({
   app.get("/api/webhooks", (req, res) => {
     try {
       const hooks = listWebhooks({ fs, constants });
-      const summaries = webhooksDb.getHookSummaries();
+      const summaries = getHookSummaries();
       const summaryByHook = mapSummaryByHook(summaries);
-      const webhooks = hooks.map((webhook) =>
-        mergeWebhookAndSummary({
-          webhook,
-          summary: summaryByHook.get(webhook.name),
-        }),
-      );
+      const webhooks = hooks.map((webhook) => {
+        const oauthCallback = getOauthCallbackByHookEntry(webhook.name);
+        return {
+          ...mergeWebhookAndSummary({
+            webhook,
+            summary: summaryByHook.get(webhook.name),
+          }),
+          oauthCallbackEnabled: !!String(oauthCallback?.callbackId || "").trim(),
+        };
+      });
       res.json({ ok: true, webhooks });
     } catch (err) {
       res.status(500).json({ ok: false, error: err.message });
@@ -111,12 +136,11 @@ const registerWebhookRoutes = ({
       const detail = getWebhookDetail({ fs, constants, name });
       if (!detail)
         return res.status(404).json({ ok: false, error: "Webhook not found" });
-      const summary = webhooksDb
-        .getHookSummaries()
-        .find((item) => item.hookName === name);
+      const summary = getHookSummaries().find((item) => item.hookName === name);
+      const oauthCallback = getOauthCallbackByHookEntry(name);
       const merged = mergeWebhookAndSummary({ webhook: detail, summary });
       const baseUrl = getBaseUrl(req);
-      const urls = buildWebhookUrls({ baseUrl, name });
+      const urls = buildWebhookUrls({ baseUrl, name, oauthCallback });
       return res.json({
         ok: true,
         webhook: {
@@ -125,6 +149,11 @@ const registerWebhookRoutes = ({
           queryStringUrl: urls.queryStringUrl,
           authHeaderValue: urls.authHeaderValue,
           hasRuntimeToken: urls.hasRuntimeToken,
+          oauthCallbackId: urls.oauthCallbackId,
+          oauthCallbackUrl: urls.oauthCallbackUrl,
+          oauthCallbackCreatedAt: urls.oauthCallbackCreatedAt,
+          oauthCallbackRotatedAt: urls.oauthCallbackRotatedAt,
+          oauthCallbackLastUsedAt: urls.oauthCallbackLastUsedAt,
           authNote:
             "All hooks use WEBHOOK_TOKEN. Use Authorization: Bearer <token> or x-openclaw-token header.",
         },
@@ -136,11 +165,22 @@ const registerWebhookRoutes = ({
 
   app.post("/api/webhooks", async (req, res) => {
     try {
-      const { name: rawName, destination = null } = req.body || {};
+      const {
+        name: rawName,
+        destination = null,
+        oauthCallback = false,
+      } = req.body || {};
       const name = validateWebhookName(rawName);
       const webhook = createWebhook({ fs, constants, name, destination });
+      const oauthCallbackRecord = oauthCallback
+        ? createOauthCallbackEntry({ hookName: name })
+        : null;
       const baseUrl = getBaseUrl(req);
-      const urls = buildWebhookUrls({ baseUrl, name });
+      const urls = buildWebhookUrls({
+        baseUrl,
+        name,
+        oauthCallback: oauthCallbackRecord,
+      });
       const syncWarning = await runWebhookGitSync("create", name);
       markRestartRequired("webhooks");
       const snapshot = await getRestartSnapshot();
@@ -152,6 +192,11 @@ const registerWebhookRoutes = ({
           queryStringUrl: urls.queryStringUrl,
           authHeaderValue: urls.authHeaderValue,
           hasRuntimeToken: urls.hasRuntimeToken,
+          oauthCallbackId: urls.oauthCallbackId,
+          oauthCallbackUrl: urls.oauthCallbackUrl,
+          oauthCallbackCreatedAt: urls.oauthCallbackCreatedAt,
+          oauthCallbackRotatedAt: urls.oauthCallbackRotatedAt,
+          oauthCallbackLastUsedAt: urls.oauthCallbackLastUsedAt,
         },
         restartRequired: snapshot.restartRequired,
         syncWarning,
@@ -164,6 +209,68 @@ const registerWebhookRoutes = ({
     }
   });
 
+  app.post("/api/webhooks/:name/oauth-callback", (req, res) => {
+    try {
+      const name = validateWebhookName(req.params.name);
+      const detail = getWebhookDetail({ fs, constants, name });
+      if (!detail)
+        return res.status(404).json({ ok: false, error: "Webhook not found" });
+      const existing = getOauthCallbackByHookEntry(name);
+      if (existing?.callbackId) {
+        return res.status(409).json({
+          ok: false,
+          error: "OAuth callback alias already exists",
+        });
+      }
+      const oauthCallback = createOauthCallbackEntry({ hookName: name });
+      const baseUrl = getBaseUrl(req);
+      const urls = buildWebhookUrls({ baseUrl, name, oauthCallback });
+      return res.status(201).json({
+        ok: true,
+        oauthCallbackId: urls.oauthCallbackId,
+        oauthCallbackUrl: urls.oauthCallbackUrl,
+        oauthCallbackCreatedAt: urls.oauthCallbackCreatedAt,
+        oauthCallbackRotatedAt: urls.oauthCallbackRotatedAt,
+        oauthCallbackLastUsedAt: urls.oauthCallbackLastUsedAt,
+      });
+    } catch (err) {
+      return res.status(400).json({ ok: false, error: err.message });
+    }
+  });
+
+  app.post("/api/webhooks/:name/oauth-callback/rotate", (req, res) => {
+    try {
+      const name = validateWebhookName(req.params.name);
+      const detail = getWebhookDetail({ fs, constants, name });
+      if (!detail)
+        return res.status(404).json({ ok: false, error: "Webhook not found" });
+      const oauthCallback = rotateOauthCallbackEntry(name);
+      const baseUrl = getBaseUrl(req);
+      const urls = buildWebhookUrls({ baseUrl, name, oauthCallback });
+      return res.json({
+        ok: true,
+        oauthCallbackId: urls.oauthCallbackId,
+        oauthCallbackUrl: urls.oauthCallbackUrl,
+        oauthCallbackCreatedAt: urls.oauthCallbackCreatedAt,
+        oauthCallbackRotatedAt: urls.oauthCallbackRotatedAt,
+        oauthCallbackLastUsedAt: urls.oauthCallbackLastUsedAt,
+      });
+    } catch (err) {
+      const status = String(err?.message || "").includes("not found") ? 404 : 400;
+      return res.status(status).json({ ok: false, error: err.message });
+    }
+  });
+
+  app.delete("/api/webhooks/:name/oauth-callback", (req, res) => {
+    try {
+      const name = validateWebhookName(req.params.name);
+      const deletedCount = deleteOauthCallbackEntry(name);
+      return res.json({ ok: true, deleted: deletedCount > 0 });
+    } catch (err) {
+      return res.status(400).json({ ok: false, error: err.message });
+    }
+  });
+
   app.delete("/api/webhooks/:name", async (req, res) => {
     try {
       const name = validateWebhookName(req.params.name);
@@ -184,7 +291,8 @@ const registerWebhookRoutes = ({
       }
       if (!deletion?.removed)
         return res.status(404).json({ ok: false, error: "Webhook not found" });
-      const deletedRequestCount = webhooksDb.deleteRequestsByHook(name);
+      deleteOauthCallbackEntry(name);
+      const deletedRequestCount = deleteRequestsByHook(name);
       const syncWarning = await runWebhookGitSync("delete", name);
       markRestartRequired("webhooks");
       const snapshot = await getRestartSnapshot();
@@ -216,7 +324,7 @@ const registerWebhookRoutes = ({
           .status(400)
           .json({ ok: false, error: "Invalid limit/offset" });
       }
-      const requests = webhooksDb.getRequests(name, { limit, offset, status });
+      const requests = getRequests(name, { limit, offset, status });
       return res.json({ ok: true, requests });
     } catch (err) {
       return res.status(400).json({ ok: false, error: err.message });
@@ -230,7 +338,7 @@ const registerWebhookRoutes = ({
       if (!isFiniteInteger(requestId) || requestId <= 0) {
         return res.status(400).json({ ok: false, error: "Invalid request id" });
       }
-      const request = webhooksDb.getRequestById(name, requestId);
+      const request = getRequestById(name, requestId);
       if (!request)
         return res.status(404).json({ ok: false, error: "Request not found" });
       return res.json({ ok: true, request });

package/lib/server/webhook-middleware.js

@@ -114,6 +114,11 @@ const resolveGatewayPath = ({ pathname, search }) => {
   return `${pathname}${search || ""}`;
 };
 
+const resolveForwardMethod = (method) => {
+  if (String(method || "").toUpperCase() === "GET") return "POST";
+  return method;
+};
+
 const parseJsonSafe = (rawValue) => {
   try {
     return JSON.parse(String(rawValue || "").trim() || "{}");
@@ -297,7 +302,7 @@ const createWebhookMiddleware = ({
       protocol: gateway.protocol,
       hostname: gateway.hostname,
       port: gateway.port,
-      method: req.method,
+      method: resolveForwardMethod(req.method),
       path: resolveGatewayPath({
         pathname: inboundUrl.pathname,
         search: inboundUrl.search,

package/lib/server.js

@@ -30,6 +30,12 @@ const {
   getRequestById,
   getHookSummaries,
   deleteRequestsByHook,
+  createOauthCallback,
+  getOauthCallbackByHook,
+  getOauthCallbackById,
+  rotateOauthCallback,
+  deleteOauthCallback,
+  markOauthCallbackUsed,
 } = require("./server/db/webhooks");
 const {
   initWatchdogDb,
@@ -294,6 +300,12 @@ const { isAuthorizedRequest, gmailWatchService } = registerServerRoutes({
   getRequestById,
   getHookSummaries,
   deleteRequestsByHook,
+  createOauthCallback,
+  getOauthCallbackByHook,
+  getOauthCallbackById,
+  rotateOauthCallback,
+  deleteOauthCallback,
+  markOauthCallbackUsed,
   watchdog,
   getRecentEvents,
   readLogTail,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chrysb/alphaclaw",
-  "version": "0.8.1-beta.0",
+  "version": "0.8.1-beta.2",
   "publishConfig": {
     "access": "public"
   },