@soyeht/soyeht 0.2.11 → 0.2.12
- package/openclaw.plugin.json +1 -1
- package/package.json +1 -1
- package/src/http.ts +54 -3
- package/src/version.ts +1 -1
package/openclaw.plugin.json
CHANGED
package/package.json
CHANGED
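--- a/package/src/http.ts
+++ b/package/src/http.ts
@@ -1,4 +1,4 @@
-import { randomBytes } from "node:crypto";
+import { createHash, randomBytes } from "node:crypto";
 import type { IncomingMessage, ServerResponse } from "node:http";
 import type { OpenClawPluginApi, PluginRuntimeChannel } from "openclaw/plugin-sdk";
 import { normalizeAccountId, resolveSoyehtAccount } from "./config.js";
@@ -78,6 +78,11 @@ export type ProcessInboundResult =
 | { ok: true; plaintext: string; accountId: string; envelope: EnvelopeV2 }
 | { ok: false; status: number; error: string };
 
+// Short hash for safe diagnostic logging (no key material leaked)
+function diagHash(buf: Buffer): string {
+return createHash("sha256").update(buf).digest("hex").slice(0, 8);
+}
+
 export function processInboundEnvelope(
 api: OpenClawPluginApi,
 v2deps: SecurityV2Deps,
@@ -92,6 +97,7 @@ export function processInboundEnvelope(
 const accountId = hintedAccountId ?? envelopeAccountId;
 const session = v2deps.sessions.get(accountId);
 if (!session) {
+api.logger.warn("[soyeht] DIAG: no session for account", { accountId, knownAccounts: [...v2deps.sessions.keys()] });
 return { ok: false, status: 401, error: "session_required" };
 }
 
@@ -103,9 +109,41 @@ export function processInboundEnvelope(
 return { ok: false, status: 401, error: "account_mismatch" };
 }
 
+// --- Diagnostic logging: envelope + session state before decrypt ---
+let ivLen = 0, ctLen = 0, tagLen = 0;
+let b64DecodeError: string | undefined;
+try {
+ivLen = base64UrlDecode(envelope.iv).length;
+ctLen = base64UrlDecode(envelope.ciphertext).length;
+tagLen = base64UrlDecode(envelope.tag).length;
+} catch (e) {
+b64DecodeError = e instanceof Error ? e.message : String(e);
+}
+
+api.logger.info("[soyeht] DIAG inbound", {
+accountId,
+peerExists: v2deps.peers.has(accountId),
+rootKeyHash: diagHash(session.rootKey),
+recvChainKeyHash: diagHash(session.receiving.chainKey),
+sendChainKeyHash: diagHash(session.sending.chainKey),
+sessionRecvCounter: session.receiving.counter,
+sessionSendCounter: session.sending.counter,
+envelopeVersion: envelope.v,
+envelopeDirection: envelope.direction,
+envelopeCounter: envelope.counter,
+envelopeTimestamp: envelope.timestamp,
+hasDhRatchetKey: Boolean(envelope.dhRatchetKey),
+ivLen,
+ctLen,
+tagLen,
+b64DecodeError: b64DecodeError ?? "none",
+aad: `${envelope.v}|${envelope.accountId}|${envelope.direction}|${envelope.counter}|${envelope.timestamp}`,
+});
+// --- End diagnostic logging ---
+
 const validation = validateEnvelopeV2(envelope, session);
 if (!validation.valid) {
-api.logger.warn("[soyeht]
+api.logger.warn("[soyeht] DIAG validation failed", { error: validation.error, accountId });
 return { ok: false, status: 401, error: validation.error };
 }
 
@@ -121,10 +159,23 @@ export function processInboundEnvelope(
 updatedSession = result.updatedSession;
 } catch (err) {
 const msg = err instanceof Error ? err.message : "decryption_failed";
-
+const isAuthFailure = msg.includes("authenticate data") || msg.includes("auth");
+api.logger.error("[soyeht] DIAG decrypt FAILED", {
+accountId,
+error: msg,
+isGcmAuthFailure: isAuthFailure,
+envelopeCounter: envelope.counter,
+sessionRecvCounter: session.receiving.counter,
+hasDhRatchetKey: Boolean(envelope.dhRatchetKey),
+ivLen,
+ctLen,
+tagLen,
+});
 return { ok: false, status: 401, error: msg };
 }
 
+api.logger.info("[soyeht] DIAG decrypt OK", { accountId, plaintextLen: plaintext.length });
+
 // Update session
 v2deps.sessions.set(accountId, updatedSession);
 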
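Review bot: The `DIAG inbound` log in `processInboundEnvelope` runs before `validateEnvelopeV2` and before decryption, so on every inbound envelope it writes not-yet-authenticated envelope fields, the AAD string, and unsalted SHA-256 prefixes of `session.rootKey` and both chain keys to the info log. The 8-hex prefixes cannot be inverted for a random key, but they are stable fingerprints that let anyone with log access confirm a candidate key and follow ratchet state, so the comment on `diagHash` ("no key material leaked") overstates it; the block should sit behind an explicit diagnostics switch and after validation, or be dropped before release. The no-session warning also dumps every account id with a live session in response to a caller-chosen id; `api.logger.warn("[soyeht] DIAG: no session for account", { accountId });` is enough. In the decrypt catch, `msg.includes("authenticate data") || msg.includes("auth")` reduces to the second test and matches any message that merely contains "auth", so `isGcmAuthFailure` can be true for unrelated errors. The function body starts and ends outside the visible hunks, so whether these logs are gated elsewhere cannot be confirmed from this page.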
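--- a/package/src/version.ts
+++ b/package/src/version.ts
@@ -1 +1 @@
-export const PLUGIN_VERSION = "0.2.
+export const PLUGIN_VERSION = "0.2.12";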