cclawd 1.0.7 → 1.0.8

package/extensions/cclawd-mfa-auth/src/polling-manager.ts

@@ -0,0 +1,232 @@
+/**
+ * Cclawd MFA Auth Plugin - Polling Manager
+ * 
+ * 管理认证状态轮询任务
+ */
+
+import type { OpenClawPluginApi } from 'openclaw/plugin-sdk';
+import { authManager } from './auth-manager.js';
+import { config } from './config.js';
+import { dabbyClient } from './dabby-client.js';
+import type { PollingTask, AuthTriggerType } from './types.js';
+
+/**
+ * 轮询管理器
+ */
+export class PollingManager {
+  private tasks = new Map<string, PollingTask>();
+  private config = config;
+
+  /**
+   * 启动轮询任务
+   */
+  startPolling(
+    api: OpenClawPluginApi,
+    userId: string,
+    sessionId: string,
+    context: {
+      triggerType: AuthTriggerType;
+      isReauth: boolean;
+      channel?: string;
+      accountId?: string;
+      to?: string;
+      sessionKey?: string;
+    },
+  ): string {
+    const taskId = `poll-${sessionId}-${Date.now()}`;
+
+    api.logger.info(
+      `[cclawd-mfa-auth] Starting polling for auth status: userId=${userId}, sessionId=${sessionId}`,
+    );
+
+    const interval = setInterval(async () => {
+      try {
+        await this.pollAuthStatus(api, userId, sessionId, context);
+      } catch (error) {
+        api.logger.error(
+          `[cclawd-mfa-auth] Polling error for session ${sessionId}: ${String(error)}`,
+        );
+      }
+    }, 2000);
+
+    const task: PollingTask = {
+      taskId,
+      sessionId,
+      userId,
+      triggerType: context.triggerType,
+      startTime: Date.now(),
+      interval,
+      context: {
+        channel: context.channel,
+        accountId: context.accountId,
+        to: context.to,
+        sessionKey: context.sessionKey,
+        isReauth: context.isReauth,
+      },
+    };
+
+    this.tasks.set(taskId, task);
+
+    // 设置超时自动清理
+    setTimeout(() => {
+      this.stopPolling(taskId);
+    }, config.timeout + 10000);
+
+    return taskId;
+  }
+
+  /**
+   * 停止轮询任务
+   */
+  stopPolling(taskId: string): void {
+    const task = this.tasks.get(taskId);
+    if (task) {
+      clearInterval(task.interval);
+      this.tasks.delete(taskId);
+      console.log(`[cclawd-mfa-auth] Stopped polling task: ${taskId}`);
+    }
+  }
+
+  /**
+   * 停止用户的所有轮询任务
+   */
+  stopPollingForUser(userId: string): void {
+    for (const [taskId, task] of this.tasks.entries()) {
+      if (task.userId === userId) {
+        this.stopPolling(taskId);
+      }
+    }
+  }
+
+  /**
+   * 轮询认证状态
+   */
+  private async pollAuthStatus(
+    api: OpenClawPluginApi,
+    userId: string,
+    sessionId: string,
+    context: {
+      triggerType: AuthTriggerType;
+      isReauth: boolean;
+      channel?: string;
+      accountId?: string;
+      to?: string;
+      sessionKey?: string;
+    },
+  ): Promise<void> {
+    // 检查是否已验证
+    let isVerified = false;
+    if (context.triggerType === 'first_message') {
+      isVerified = authManager.isUserVerifiedForFirstMessage(userId);
+    } else {
+      isVerified = authManager.isUserVerifiedForSensitiveOps(userId);
+    }
+
+    if (!isVerified) {
+      // 检查认证状态
+      const session = authManager.getSession(sessionId);
+      if (session && session.certToken) {
+        try {
+          const authResult = await dabbyClient.getAuthResult(session.certToken);
+
+          if (authResult.status === 'verified') {
+            api.logger.info(`[cclawd-mfa-auth] Auth verification successful for session ${sessionId}`);
+            authManager.markUserVerified(
+              userId,
+              context.triggerType === 'first_message' ? 'first_message' : 'sensitive_operation',
+              context.isReauth,
+            );
+            isVerified = true;
+          } else if (authResult.status === 'failed' || authResult.status === 'expired') {
+            api.logger.warn(
+              `[cclawd-mfa-auth] Auth failed or expired for session ${sessionId}: ${authResult.error}`,
+            );
+            // 停止该会话的轮询
+            this.stopPollingForUser(userId);
+            return;
+          }
+        } catch (error) {
+          api.logger.error(
+            `[cclawd-mfa-auth] Failed to check auth status for session ${sessionId}: ${String(error)}`,
+          );
+        }
+      }
+    }
+
+    // 如果已验证，发送通知并停止轮询
+    if (isVerified) {
+      this.stopPollingForUser(userId);
+
+      const notificationInfo = authManager.checkAndConsumeNotification(userId);
+      if (notificationInfo) {
+        api.logger.info(`[cclawd-mfa-auth] Polling detected verification for user ${userId}`);
+
+        const messageText = notificationInfo.isReauth
+          ? '✅ 重新认证成功，请继续对话。'
+          : notificationInfo.triggerType === 'first_message'
+            ? '✅ 首次认证成功，请继续对话。'
+            : '✅ 二次认证成功，请重新发送之前的命令（或回复"确认"）即可执行。';
+
+        // 使用 notification-service 发送消息
+        const { NotificationService } = await import('./notification-service.js');
+        const notificationService = NotificationService.getInstance();
+
+        const session = authManager.getSession(sessionId);
+        if (session) {
+          await notificationService.sendAuthNotification(session, messageText);
+        }
+      }
+      return;
+    }
+
+    // 检查会话是否还存在
+    const session = authManager.getSession(sessionId);
+    if (!session) {
+      this.stopPollingForUser(userId);
+      api.logger.info(
+        `[cclawd-mfa-auth] Polling stopped: session ${sessionId} not found and user not verified`,
+      );
+    }
+  }
+
+  /**
+   * 获取活跃的轮询任务数量
+   */
+  getActiveTaskCount(): number {
+    return this.tasks.size;
+  }
+
+  /**
+   * 清理所有轮询任务
+   */
+  cleanup(): void {
+    for (const [taskId] of this.tasks) {
+      this.stopPolling(taskId);
+    }
+  }
+}
+
+/**
+ * 轮询管理器工厂
+ */
+class PollingManagerFactory {
+  private static instance: PollingManager | null = null;
+
+  static getInstance(): PollingManager {
+    if (!this.instance) {
+      this.instance = new PollingManager();
+      console.log('[PollingManagerFactory] Created new PollingManager instance');
+    }
+    return this.instance;
+  }
+
+  static reset(): void {
+    if (this.instance) {
+      this.instance.cleanup();
+    }
+    this.instance = null;
+    console.log('[PollingManagerFactory] Reset PollingManager instance');
+  }
+}
+
+export const pollingManager = PollingManagerFactory.getInstance();

package/extensions/cclawd-mfa-auth/src/providers/base.ts

@@ -0,0 +1,25 @@
+/**
+ * Cclawd MFA Auth Plugin - Base Auth Provider
+ */
+
+import type { AuthMethodProvider, AuthSession, AuthResult } from '../types.js';
+
+/**
+ * 认证提供者基类
+ */
+export abstract class BaseAuthProvider implements AuthMethodProvider {
+  abstract readonly methodType: AuthSession['authMethod'];
+  abstract readonly name: string;
+  abstract readonly description: string;
+
+  abstract initialize(session: AuthSession): Promise<void>;
+  abstract verify(sessionId: string, userInput?: string): Promise<AuthResult>;
+
+  /**
+   * 清理会话资源
+   */
+  cleanup(sessionId: string): void {
+    // 子类可以重写此方法以清理资源
+    console.log(`[cclawd-mfa-auth] Cleanup called for session: ${sessionId}`);
+  }
+}

package/extensions/cclawd-mfa-auth/src/providers/qr-code.ts

@@ -0,0 +1,98 @@
+/**
+ * Cclawd MFA Auth Plugin - QR Code Auth Provider
+ */
+
+import { authManager } from '../auth-manager.js';
+import { dabbyClient } from '../dabby-client.js';
+import type { AuthSession, AuthResult } from '../types.js';
+import { BaseAuthProvider } from './base.js';
+
+/**
+ * QR 码认证提供者
+ */
+export class QrCodeAuthProvider extends BaseAuthProvider {
+  readonly methodType = 'qr-code' as const;
+  readonly name = 'QR Code Authentication';
+  readonly description = 'Scan QR code to authenticate';
+
+  /**
+   * 初始化二维码认证
+   */
+  async initialize(session: AuthSession): Promise<void> {
+    try {
+      const tokenInfo = await dabbyClient.getVerifyCode();
+
+      authManager.updateAuthStatus(session.sessionId, 'pending');
+      session.certToken = tokenInfo.certToken;
+      session.qrCodeUrl = tokenInfo.qrCodeUrl;
+      session.expireTimeMs = Date.now() + 5 * 60 * 1000; // 5 分钟有效期
+      session.authStatus = 'pending';
+
+      console.log(`[cclawd-mfa-auth] QR code initialized for session ${session.sessionId}`);
+    } catch (error) {
+      console.error(`[cclawd-mfa-auth] Failed to initialize QR code: ${error}`);
+      throw error;
+    }
+  }
+
+  /**
+   * 验证二维码扫描状态
+   */
+  async verify(sessionId: string, userInput?: string): Promise<AuthResult> {
+    const session = authManager.getSession(sessionId);
+    if (!session) {
+      return { success: false, error: 'Session not found', status: 'failed' };
+    }
+
+    if (!session.certToken) {
+      return { success: false, error: 'QR code not initialized', status: 'failed' };
+    }
+
+    // 检查是否过期
+    if (session.expireTimeMs && Date.now() > session.expireTimeMs) {
+      authManager.updateAuthStatus(sessionId, 'expired');
+      return { success: false, error: 'QR code expired', status: 'expired' };
+    }
+
+    try {
+      const result = await dabbyClient.getAuthResult(session.certToken);
+
+      if (result.status === 'verified') {
+        authManager.updateAuthStatus(sessionId, 'verified');
+        return { success: true, status: 'verified' };
+      }
+
+      if (result.status === 'failed') {
+        authManager.updateAuthStatus(sessionId, 'failed');
+        return { success: false, error: result.error || 'Authentication failed', status: 'failed' };
+      }
+
+      return { success: false, status: result.status };
+    } catch (error) {
+      console.error(`[cclawd-mfa-auth] Failed to verify QR code: ${error}`);
+      return { success: false, error: String(error), status: 'failed' };
+    }
+  }
+}
+
+/**
+ * QR 码认证提供者工厂
+ */
+class QrCodeAuthProviderFactory {
+  private static instance: QrCodeAuthProvider | null = null;
+
+  static getInstance(): QrCodeAuthProvider {
+    if (!this.instance) {
+      this.instance = new QrCodeAuthProvider();
+      console.log('[QrCodeAuthProviderFactory] Created new QrCodeAuthProvider instance');
+    }
+    return this.instance;
+  }
+
+  static reset(): void {
+    this.instance = null;
+    console.log('[QrCodeAuthProviderFactory] Reset QrCodeAuthProvider instance');
+  }
+}
+
+export const qrCodeAuthProvider = QrCodeAuthProviderFactory.getInstance();

package/extensions/cclawd-mfa-auth/src/sensitive-detector.ts

@@ -0,0 +1,159 @@
+/**
+ * Cclawd MFA Auth Plugin - Sensitive Operation Detector
+ * 
+ * 检测敏感操作
+ */
+
+import { config } from './config.js';
+import type { SensitiveCheckResult } from './types.js';
+
+/**
+ * 敏感操作检测器
+ */
+export class SensitiveDetector {
+  private config = config;
+
+  /**
+   * 检查文本是否包含敏感内容
+   */
+  check(text: string): SensitiveCheckResult {
+    const lowerText = text.toLowerCase();
+
+    if (this.config.debug) {
+      console.log(`[cclawd-mfa-auth] Checking sensitive keywords for: ${text}`);
+      console.log(
+        `[cclawd-mfa-auth] Sensitive keywords configured: ${JSON.stringify(this.config.sensitiveKeywords)}`,
+      );
+    }
+
+    const matchedKeywords: string[] = [];
+
+    for (const keyword of this.config.sensitiveKeywords) {
+      if (lowerText.includes(keyword.toLowerCase())) {
+        matchedKeywords.push(keyword);
+      }
+    }
+
+    if (matchedKeywords.length > 0) {
+      if (this.config.debug) {
+        console.log(`[cclawd-mfa-auth] Sensitive keywords matched: ${matchedKeywords.join(', ')}`);
+      }
+      return {
+        isSensitive: true,
+        preview: text,
+        matchedKeywords,
+      };
+    }
+
+    if (this.config.debug) {
+      console.log(`[cclawd-mfa-auth] No sensitive keyword matched`);
+    }
+
+    return {
+      isSensitive: false,
+      preview: '',
+      matchedKeywords: [],
+    };
+  }
+
+  /**
+   * 检查工具调用是否为敏感操作
+   */
+  checkToolCall(toolName: string, params: Record<string, unknown>): SensitiveCheckResult {
+    // 定义敏感工具列表
+    const sensitiveTools = ['bash', 'exec', 'runCommand', 'command', 'process'];
+
+    if (!sensitiveTools.includes(toolName)) {
+      if (this.config.debug) {
+        console.log(`[cclawd-mfa-auth] Tool ${toolName} is not in sensitive list, allowing`);
+      }
+      return {
+        isSensitive: false,
+        preview: '',
+        matchedKeywords: [],
+      };
+    }
+
+    // 提取命令内容
+    const command =
+      typeof params?.command === 'string'
+        ? params.command
+        : typeof params?.cmd === 'string'
+          ? params.cmd
+          : typeof params?.input === 'string'
+            ? params.input
+            : typeof params?.args === 'string'
+              ? params.args
+              : '';
+
+    if (this.config.debug) {
+      console.log(`[cclawd-mfa-auth] Extracted command from ${toolName}: ${command}`);
+    }
+
+    if (!command) {
+      if (this.config.debug) {
+        console.log(`[cclawd-mfa-auth] No command found in params, allowing`);
+      }
+      return {
+        isSensitive: false,
+        preview: '',
+        matchedKeywords: [],
+      };
+    }
+
+    // 检查命令内容
+    return this.check(command);
+  }
+
+  /**
+   * 添加自定义敏感关键词
+   */
+  addSensitiveKeyword(keyword: string): void {
+    const normalized = keyword.toLowerCase().trim();
+    if (normalized && !this.config.sensitiveKeywords.includes(normalized)) {
+      this.config.sensitiveKeywords.push(normalized);
+      console.log(`[cclawd-mfa-auth] Added sensitive keyword: ${normalized}`);
+    }
+  }
+
+  /**
+   * 移除敏感关键词
+   */
+  removeSensitiveKeyword(keyword: string): void {
+    const normalized = keyword.toLowerCase().trim();
+    const index = this.config.sensitiveKeywords.indexOf(normalized);
+    if (index !== -1) {
+      this.config.sensitiveKeywords.splice(index, 1);
+      console.log(`[cclawd-mfa-auth] Removed sensitive keyword: ${normalized}`);
+    }
+  }
+
+  /**
+   * 获取所有敏感关键词
+   */
+  getSensitiveKeywords(): string[] {
+    return [...this.config.sensitiveKeywords];
+  }
+}
+
+/**
+ * 敏感操作检测器工厂
+ */
+class SensitiveDetectorFactory {
+  private static instance: SensitiveDetector | null = null;
+
+  static getInstance(): SensitiveDetector {
+    if (!this.instance) {
+      this.instance = new SensitiveDetector();
+      console.log('[SensitiveDetectorFactory] Created new SensitiveDetector instance');
+    }
+    return this.instance;
+  }
+
+  static reset(): void {
+    this.instance = null;
+    console.log('[SensitiveDetectorFactory] Reset SensitiveDetector instance');
+  }
+}
+
+export const sensitiveDetector = SensitiveDetectorFactory.getInstance();

package/extensions/cclawd-mfa-auth/src/session-resolver.ts

@@ -0,0 +1,159 @@
+/**
+ * Cclawd MFA Auth Plugin - Session Resolver
+ * 
+ * 统一的会话解析器，处理不同渠道的 sessionKey 解析
+ */
+
+import type { ResolvedSession } from './types.js';
+
+/**
+ * 会话解析器
+ */
+export class SessionResolver {
+  /**
+   * 从 sessionKey 解析会话信息
+   */
+  static resolveFromSessionKey(sessionKey: string): ResolvedSession {
+    const parts = sessionKey.split(':').filter(Boolean);
+
+    // 格式 1: agent:main:<userId>
+    if (parts.length === 3 && parts[0] === 'agent' && parts[1] === 'main') {
+      return {
+        userId: parts[2],
+        channel: 'webchat',
+        sessionKey,
+      };
+    }
+
+    // 格式 2: webchat:<userId>
+    if (parts.length === 2 && parts[0] === 'webchat') {
+      return {
+        userId: parts[1],
+        channel: 'webchat',
+        sessionKey,
+      };
+    }
+
+    // 格式 3: <channel>:<accountId>:<userId>
+    if (parts.length === 3) {
+      return {
+        userId: parts[2],
+        channel: parts[0],
+        accountId: parts[1],
+        sessionKey,
+      };
+    }
+
+    // 格式 4: <channel>:<accountId>:<peerKind>:<userId>
+    if (parts.length === 4) {
+      return {
+        userId: parts[3],
+        channel: parts[0],
+        accountId: parts[1] === 'direct' || parts[1] === 'group' || parts[1] === 'dm' ? undefined : parts[1],
+        sessionKey,
+      };
+    }
+
+    // 格式 5: 单独的 userId
+    if (parts.length === 1) {
+      return {
+        userId: parts[0],
+        sessionKey,
+      };
+    }
+
+    // 默认返回原始 sessionKey 作为 userId
+    return {
+      userId: sessionKey,
+      sessionKey,
+    };
+  }
+
+  /**
+   * 从事件上下文解析会话信息
+   */
+  static resolveFromContext(params: {
+    sessionKey?: string;
+    channelId?: string;
+    conversationId?: string;
+    accountId?: string;
+    from?: string;
+    senderId?: string;
+  }): ResolvedSession {
+    // 优先使用 sessionKey
+    if (params.sessionKey) {
+      return this.resolveFromSessionKey(params.sessionKey);
+    }
+
+    // 使用 conversationId
+    if (params.conversationId) {
+      return {
+        userId: params.conversationId,
+        channel: params.channelId,
+        accountId: params.accountId,
+        sessionKey: params.conversationId,
+      };
+    }
+
+    // 使用 from 或 senderId
+    const userId = params.from || params.senderId || 'unknown';
+    const channel = params.channelId;
+
+    // 构建会话键
+    let sessionKey = userId;
+    if (channel && channel !== 'webchat' && channel !== 'web') {
+      const accountId = params.accountId || '';
+      sessionKey = `${channel}:${accountId}:${userId}`;
+    }
+
+    return {
+      userId,
+      channel,
+      accountId: params.accountId,
+      sessionKey,
+    };
+  }
+
+  /**
+   * 构建 sessionKey
+   */
+  static buildSessionKey(params: {
+    channel?: string;
+    accountId?: string;
+    userId: string;
+  }): string {
+    const { channel, accountId, userId } = params;
+
+    // Web/WebChat 直接使用 userId
+    if (channel === 'webchat' || channel === 'web') {
+      return userId;
+    }
+
+    // 其他渠道使用完整格式
+    if (channel && accountId) {
+      return `${channel}:${accountId}:${userId}`;
+    }
+
+    if (channel) {
+      return `${channel}::${userId}`;
+    }
+
+    return userId;
+  }
+
+  /**
+   * 判断是否为 Web/WebChat 渠道
+   */
+  static isWebChannel(channel?: string): boolean {
+    return channel === 'webchat' || channel === 'web';
+  }
+
+  /**
+   * 获取 Web/WebChat 标准化的会话键
+   */
+  static normalizeWebchatSessionKey(userId: string): string {
+    return userId;
+  }
+}
+
+export { SessionResolver };