openclaw-navigator 5.7.1 → 5.7.3

package/cli.mjs

@@ -375,6 +375,22 @@ function getChatSession(sessionKey = "main") {
   return chatSessions.get(sessionKey);
 }
 
+// ── Cookie jar for BFF auth ────────────────────────────────────────────
+// Captures session cookies from web UI /api/auth responses so the bridge
+// can make authenticated server-side requests to /api/chat (for sidepane relay).
+let bffCookieJar = "";
+
+function captureBFFCookies(setCookieHeaders) {
+  if (!setCookieHeaders) return;
+  const cookies = Array.isArray(setCookieHeaders) ? setCookieHeaders : [setCookieHeaders];
+  // Extract just the cookie name=value (strip attributes like path, domain, etc.)
+  const extracted = cookies.map((c) => c.split(";")[0].trim()).filter(Boolean);
+  if (extracted.length > 0) {
+    bffCookieJar = extracted.join("; ");
+    console.log(`  ${DIM}Captured BFF cookies: ${bffCookieJar.substring(0, 60)}...${RESET}`);
+  }
+}
+
 // ── WebSocket server for chat (minimal, no dependencies) ────────────────
 // Tracks connected WebSocket clients. When the OC agent pushes messages
 // via /api/sessions/respond or /api/sessions/stream, we broadcast to all
@@ -1048,6 +1064,8 @@ function handleRequest(req, res) {
         headers["set-cookie"] = cookies.map((c) =>
           c.replace(/;\s*domain=[^;]*/gi, "").replace(/;\s*secure/gi, ""),
         );
+        // Also capture these for server-side relay auth (sidepane chat)
+        captureBFFCookies(proxyRes.headers["set-cookie"]);
       }
 
       res.writeHead(proxyRes.statusCode ?? 502, headers);
@@ -1183,6 +1201,8 @@ function handleRequest(req, res) {
           messages: chatHistory,
           stream: true,
         });
+        // Build cookie header: prefer captured BFF cookies, fall back to browser's cookies
+        const relayCookie = bffCookieJar || req.headers.cookie || "";
         const proxyOpts = {
           hostname: "127.0.0.1",
           port: ocUIPort,
@@ -1192,12 +1212,68 @@ function handleRequest(req, res) {
           headers: {
             "content-type": "application/json",
             "content-length": Buffer.byteLength(proxyBody),
+            ...(relayCookie ? { cookie: relayCookie } : {}),
           },
         };
 
-        console.log(`  ${DIM}→ Relaying to BFF /api/chat (port ${ocUIPort}) with ${chatHistory.length} messages${RESET}`);
+        console.log(`  ${DIM}→ Relaying to BFF /api/chat (port ${ocUIPort}) with ${chatHistory.length} messages${relayCookie ? " +cookie" : " NO-COOKIE"}${RESET}`);
+
+        // Helper: send the relay request (with optional retry after login)
+        function sendBFFRelay(opts, body, retryCount = 0) {
+        const proxyReq = httpRequest(opts, (proxyRes) => {
+          // Capture any cookies the BFF sends (login session, etc.)
+          if (proxyRes.headers["set-cookie"]) {
+            captureBFFCookies(proxyRes.headers["set-cookie"]);
+          }
+
+          // If redirect (307/302 to /login) — follow it to seed cookies, then retry
+          if ((proxyRes.statusCode === 307 || proxyRes.statusCode === 302) && retryCount < 2) {
+            proxyRes.resume(); // drain
+            const loginPath = proxyRes.headers.location || "/login";
+            console.log(`  ${DIM}← BFF redirect → ${loginPath} — following to seed cookies...${RESET}`);
+
+            // Hit the login page to get session cookies
+            const loginReq = httpRequest(
+              {
+                hostname: "127.0.0.1",
+                port: ocUIPort,
+                path: loginPath,
+                method: "GET",
+                timeout: 5000,
+                headers: bffCookieJar ? { cookie: bffCookieJar } : {},
+              },
+              (loginRes) => {
+                if (loginRes.headers["set-cookie"]) {
+                  captureBFFCookies(loginRes.headers["set-cookie"]);
+                }
+                loginRes.resume(); // drain
+                console.log(`  ${DIM}← Login page: ${loginRes.statusCode} — cookies: ${bffCookieJar ? "yes" : "no"}${RESET}`);
+
+                // Retry the original request with new cookies
+                if (bffCookieJar) {
+                  opts.headers = { ...opts.headers, cookie: bffCookieJar };
+                  console.log(`  ${DIM}→ Retrying /api/chat with cookies...${RESET}`);
+                  sendBFFRelay(opts, body, retryCount + 1);
+                } else {
+                  console.log(`  ${DIM}No cookies from login — BFF may require real auth${RESET}`);
+                  broadcastToWS({
+                    type: "chat.final",
+                    text: "⚠️ Could not authenticate with OC — try opening the web UI first to log in.",
+                    content: "⚠️ Could not authenticate with OC — try opening the web UI first to log in.",
+                    sessionKey,
+                    role: "assistant",
+                    timestamp: Date.now(),
+                  });
+                }
+              },
+            );
+            loginReq.on("error", () => {
+              console.log(`  ${DIM}Login page unreachable${RESET}`);
+            });
+            loginReq.end();
+            return;
+          }
 
-        const proxyReq = httpRequest(proxyOpts, (proxyRes) => {
           const contentType = (proxyRes.headers["content-type"] || "").toLowerCase();
           const isSSE = contentType.includes("text/event-stream");
           console.log(`  ${DIM}← BFF response: ${proxyRes.statusCode} ${contentType || "no-content-type"}${RESET}`);
@@ -1299,8 +1375,11 @@ function handleRequest(req, res) {
           console.log(`  ${DIM}BFF relay failed: ${err.message}${RESET}`);
         });
 
-        proxyReq.write(proxyBody);
+        proxyReq.write(body);
         proxyReq.end();
+        } // end sendBFFRelay
+
+        sendBFFRelay(proxyOpts, proxyBody);
       })
       .catch(() => sendJSON(res, 400, { ok: false, error: "Bad request body" }));
     return;
@@ -1411,6 +1490,11 @@ function handleRequest(req, res) {
         console.log(`  ${DIM}← ${proxyRes.statusCode} ${ct} for ${path}${RESET}`);
       }
 
+      // Capture session cookies from BFF (for server-side relay auth)
+      if (proxyRes.headers["set-cookie"]) {
+        captureBFFCookies(proxyRes.headers["set-cookie"]);
+      }
+
       // CORS
       headers["access-control-allow-origin"] = "*";
       headers["access-control-allow-methods"] = "GET, POST, PUT, DELETE, OPTIONS";
@@ -2081,6 +2165,25 @@ module.exports = {
   console.log(`${BOLD}${GREEN}Bridge is running.${RESET} Waiting for Navigator to connect...`);
   console.log(`${DIM}Press Ctrl+C to stop.${RESET}\n`);
 
+  // ── Relay heartbeat — re-register every 5 minutes to prevent expiry ──
+  // Cloudflare KV entries may expire. This keeps our pairing code fresh
+  // so Navigator can always resolve it, even after long idle periods.
+  if (tunnelURL || gatewayURL) {
+    const relayHeartbeat = async () => {
+      const currentURL = tunnelURL || gatewayURL;
+      const ok = await registerWithRelay(pairingCode, currentURL, token, displayName);
+      if (ok) {
+        info(`  ${DIM}Relay heartbeat: code ${pairingCode} refreshed${RESET}`);
+      } else {
+        warn(`Relay heartbeat failed — Navigator may not be able to resolve code`);
+      }
+    };
+    // First heartbeat immediately (in case initial registration failed)
+    relayHeartbeat();
+    // Then every 5 minutes
+    setInterval(relayHeartbeat, 5 * 60 * 1000);
+  }
+
   // ── Step 6 (optional): Start MCP server + register with mcporter ────
   let mcpProcess = null;
   if (withMcp) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openclaw-navigator",
-  "version": "5.7.1",
+  "version": "5.7.3",
   "description": "One-command bridge + tunnel for the Navigator browser — works on any machine, any OS",
   "keywords": [
     "browser",