@coclaw/openclaw-coclaw 0.2.3 → 0.2.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@coclaw/openclaw-coclaw",
-  "version": "0.2.3",
+  "version": "0.2.4",
   "type": "module",
   "license": "Apache-2.0",
   "description": "OpenClaw CoClaw channel plugin for remote chat",

package/src/device-identity.js

@@ -0,0 +1,190 @@
+import crypto from 'node:crypto';
+import fs from 'node:fs';
+import os from 'node:os';
+import nodePath from 'node:path';
+
+import { getRuntime } from './runtime.js';
+
+const CHANNEL_ID = 'coclaw';
+const IDENTITY_FILENAME = 'device-identity.json';
+
+// Ed25519 SPKI 前缀（固定 12 字节），公钥裸字节从 SPKI DER 中截取
+const ED25519_SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex');
+
+function base64UrlEncode(buf) {
+	return buf.toString('base64').replaceAll('+', '-').replaceAll('/', '_').replace(/=+$/g, '');
+}
+
+// 仅处理 ASCII 范围的大写→小写，保持跨运行时确定性
+function toLowerAscii(input) {
+	return input.replace(/[A-Z]/g, (ch) => String.fromCharCode(ch.charCodeAt(0) + 32));
+}
+
+function normalizeMetadataForAuth(value) {
+	if (typeof value !== 'string') return '';
+	const trimmed = value.trim();
+	return trimmed ? toLowerAscii(trimmed) : '';
+}
+
+function resolveStateDir() {
+	const rt = getRuntime();
+	if (rt?.state?.resolveStateDir) {
+		return rt.state.resolveStateDir();
+	}
+	return process.env.OPENCLAW_STATE_DIR
+		? nodePath.resolve(process.env.OPENCLAW_STATE_DIR)
+		: nodePath.join(os.homedir(), '.openclaw');
+}
+
+/**
+ * 获取身份文件路径
+ * @returns {string}
+ */
+export function getIdentityPath() {
+	return nodePath.join(resolveStateDir(), CHANNEL_ID, IDENTITY_FILENAME);
+}
+
+/**
+ * 从 PEM 公钥提取裸字节
+ * @param {string} publicKeyPem
+ * @returns {Buffer}
+ */
+function derivePublicKeyRaw(publicKeyPem) {
+	const key = crypto.createPublicKey(publicKeyPem);
+	const spki = key.export({ type: 'spki', format: 'der' });
+	if (
+		spki.length === ED25519_SPKI_PREFIX.length + 32
+		&& spki.subarray(0, ED25519_SPKI_PREFIX.length).equals(ED25519_SPKI_PREFIX)
+	) {
+		return spki.subarray(ED25519_SPKI_PREFIX.length);
+	}
+	/* c8 ignore next -- Ed25519 密钥 SPKI 格式固定，此分支仅防御未知密钥格式 */
+	return spki;
+}
+
+/**
+ * 公钥指纹 = SHA256(裸公钥字节) 的十六进制
+ * @param {string} publicKeyPem
+ * @returns {string}
+ */
+function fingerprintPublicKey(publicKeyPem) {
+	const raw = derivePublicKeyRaw(publicKeyPem);
+	return crypto.createHash('sha256').update(raw).digest('hex');
+}
+
+/**
+ * 生成新的 Ed25519 密钥对
+ * @returns {{ deviceId: string, publicKeyPem: string, privateKeyPem: string }}
+ */
+function generateIdentity() {
+	const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
+	const publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' }).toString();
+	const privateKeyPem = privateKey.export({ type: 'pkcs8', format: 'pem' }).toString();
+	const deviceId = fingerprintPublicKey(publicKeyPem);
+	return { deviceId, publicKeyPem, privateKeyPem };
+}
+
+/**
+ * 加载或创建设备身份（Ed25519 密钥对）
+ *
+ * 存储格式与 OpenClaw device-identity.ts 保持一致。
+ * @param {string} [filePath] - 自定义路径，默认 ~/.openclaw/coclaw/device-identity.json
+ * @returns {{ deviceId: string, publicKeyPem: string, privateKeyPem: string }}
+ */
+export function loadOrCreateDeviceIdentity(filePath) {
+	const fp = filePath ?? getIdentityPath();
+	try {
+		if (fs.existsSync(fp)) {
+			const raw = fs.readFileSync(fp, 'utf8');
+			const parsed = JSON.parse(raw);
+			if (
+				parsed?.version === 1
+				&& typeof parsed.deviceId === 'string'
+				&& typeof parsed.publicKeyPem === 'string'
+				&& typeof parsed.privateKeyPem === 'string'
+			) {
+				// 校验 deviceId 一致性
+				const derivedId = fingerprintPublicKey(parsed.publicKeyPem);
+				if (derivedId && derivedId !== parsed.deviceId) {
+					const updated = { ...parsed, deviceId: derivedId };
+					fs.writeFileSync(fp, `${JSON.stringify(updated, null, 2)}\n`, { mode: 0o600 });
+					try { fs.chmodSync(fp, 0o600); } catch { /* best-effort */ }
+					return { deviceId: derivedId, publicKeyPem: parsed.publicKeyPem, privateKeyPem: parsed.privateKeyPem };
+				}
+				return { deviceId: parsed.deviceId, publicKeyPem: parsed.publicKeyPem, privateKeyPem: parsed.privateKeyPem };
+			}
+		}
+	}
+	catch {
+		// 读取/解析失败时重新生成
+	}
+
+	const identity = generateIdentity();
+	fs.mkdirSync(nodePath.dirname(fp), { recursive: true });
+	const stored = {
+		version: 1,
+		deviceId: identity.deviceId,
+		publicKeyPem: identity.publicKeyPem,
+		privateKeyPem: identity.privateKeyPem,
+		createdAtMs: Date.now(),
+	};
+	fs.writeFileSync(fp, `${JSON.stringify(stored, null, 2)}\n`, { mode: 0o600 });
+	try { fs.chmodSync(fp, 0o600); } catch { /* best-effort */ }
+	return identity;
+}
+
+/**
+ * 签名设备认证载荷
+ * @param {string} privateKeyPem
+ * @param {string} payload
+ * @returns {string} base64url 编码签名
+ */
+export function signDevicePayload(privateKeyPem, payload) {
+	const key = crypto.createPrivateKey(privateKeyPem);
+	const sig = crypto.sign(null, Buffer.from(payload, 'utf8'), key);
+	return base64UrlEncode(sig);
+}
+
+/**
+ * 公钥 PEM → base64url 裸字节
+ * @param {string} publicKeyPem
+ * @returns {string}
+ */
+export function publicKeyRawBase64Url(publicKeyPem) {
+	return base64UrlEncode(derivePublicKeyRaw(publicKeyPem));
+}
+
+/**
+ * 构建 v3 版本的设备认证载荷字符串
+ * @param {object} params
+ * @param {string} params.deviceId
+ * @param {string} params.clientId
+ * @param {string} params.clientMode
+ * @param {string} params.role
+ * @param {string[]} params.scopes
+ * @param {number} params.signedAtMs
+ * @param {string} [params.token]
+ * @param {string} params.nonce
+ * @param {string} [params.platform]
+ * @param {string} [params.deviceFamily]
+ * @returns {string}
+ */
+export function buildDeviceAuthPayloadV3(params) {
+	const scopes = params.scopes.join(',');
+	const token = params.token ?? '';
+	const platform = normalizeMetadataForAuth(params.platform);
+	const deviceFamily = normalizeMetadataForAuth(params.deviceFamily);
+	return [
+		'v3',
+		params.deviceId,
+		params.clientId,
+		params.clientMode,
+		params.role,
+		scopes,
+		String(params.signedAtMs),
+		token,
+		params.nonce,
+		platform,
+		deviceFamily,
+	].join('|');
+}

package/src/realtime-bridge.js

@@ -3,6 +3,12 @@ import os from 'node:os';
 import nodePath from 'node:path';
 
 import { clearConfig, getBindingsPath, readConfig } from './config.js';
+import {
+	loadOrCreateDeviceIdentity,
+	signDevicePayload,
+	publicKeyRawBase64Url,
+	buildDeviceAuthPayloadV3,
+} from './device-identity.js';
 import { getRuntime } from './runtime.js';
 
 const DEFAULT_GATEWAY_WS_URL = 'ws://127.0.0.1:18789';
@@ -65,12 +71,14 @@ export class RealtimeBridge {
 	 * @param {Function} [deps.clearConfig] - 清除绑定配置
 	 * @param {Function} [deps.getBindingsPath] - 获取绑定文件路径
 	 * @param {Function} [deps.resolveGatewayAuthToken] - 获取 gateway 认证 token
+	 * @param {Function} [deps.loadDeviceIdentity] - 加载设备身份
 	 */
 	constructor(deps = {}) {
 		this.__readConfig = deps.readConfig ?? readConfig;
 		this.__clearConfig = deps.clearConfig ?? clearConfig;
 		this.__getBindingsPath = deps.getBindingsPath ?? getBindingsPath;
 		this.__resolveGatewayAuthToken = deps.resolveGatewayAuthToken ?? defaultResolveGatewayAuthToken;
+		this.__loadDeviceIdentity = deps.loadDeviceIdentity ?? loadOrCreateDeviceIdentity;
 		this.__WebSocket = deps.WebSocket ?? null;
 
 		this.serverWs = null;
@@ -90,6 +98,7 @@ export class RealtimeBridge {
 		this.serverHbInterval = null;
 		this.serverHbTimer = null;
 		this.__serverHbMissCount = 0;
+		this.__deviceIdentity = null;
 	}
 
 	__resolveWebSocket() {
@@ -281,25 +290,63 @@ export class RealtimeBridge {
 		}
 	}
 
-	__sendGatewayConnectRequest(ws) {
+	__ensureDeviceIdentity() {
+		if (!this.__deviceIdentity) {
+			this.__deviceIdentity = this.__loadDeviceIdentity();
+		}
+		return this.__deviceIdentity;
+	}
+
+	__buildDeviceField(nonce, authToken) {
+		const identity = this.__ensureDeviceIdentity();
+		const clientId = 'gateway-client';
+		const clientMode = 'backend';
+		const role = 'operator';
+		const scopes = ['operator.admin'];
+		const signedAtMs = Date.now();
+		const payload = buildDeviceAuthPayloadV3({
+			deviceId: identity.deviceId,
+			clientId,
+			clientMode,
+			role,
+			scopes,
+			signedAtMs,
+			token: authToken ?? '',
+			nonce: nonce ?? '',
+			platform: process.platform,
+			deviceFamily: '',
+		});
+		const signature = signDevicePayload(identity.privateKeyPem, payload);
+		return {
+			id: identity.deviceId,
+			publicKey: publicKeyRawBase64Url(identity.publicKeyPem),
+			signature,
+			signedAt: signedAtMs,
+			nonce: nonce ?? '',
+		};
+	}
+
+	__sendGatewayConnectRequest(ws, nonce) {
 		this.gatewayConnectReqId = `coclaw-connect-${Date.now()}`;
 		this.__logDebug(`gateway connect request -> id=${this.gatewayConnectReqId}`);
-		const authToken = this.__resolveGatewayAuthToken();
-		const params = {
-			minProtocol: 3,
-			maxProtocol: 3,
-			client: {
-				id: 'gateway-client',
-				version: 'dev',
-				platform: process.platform,
-				mode: 'backend',
-			},
-			caps: [],
-			role: 'operator',
-			scopes: ['operator.admin'],
-			auth: authToken ? { token: authToken } : undefined,
-		};
 		try {
+			const authToken = this.__resolveGatewayAuthToken();
+			const device = this.__buildDeviceField(nonce, authToken);
+			const params = {
+				minProtocol: 3,
+				maxProtocol: 3,
+				client: {
+					id: 'gateway-client',
+					version: 'dev',
+					platform: process.platform,
+					mode: 'backend',
+				},
+				caps: [],
+				role: 'operator',
+				scopes: ['operator.admin'],
+				auth: authToken ? { token: authToken } : undefined,
+				device,
+			};
 			ws.send(JSON.stringify({
 				type: 'req',
 				id: this.gatewayConnectReqId,
@@ -338,8 +385,9 @@ export class RealtimeBridge {
 				return;
 			}
 			if (payload.type === 'event' && payload.event === 'connect.challenge') {
+				const nonce = payload?.payload?.nonce ?? '';
 				this.__logDebug('gateway event <- connect.challenge');
-				this.__sendGatewayConnectRequest(ws);
+				this.__sendGatewayConnectRequest(ws, nonce);
 				return;
 			}
 			if (payload.type === 'res' && this.gatewayConnectReqId && payload.id === this.gatewayConnectReqId) {