fix(browser): land PR #26015 query-token auth for /json relay routes

steipete · SidQin-cyber · steipete · commit 42cf32c3869c · 2026-02-26T14:17:41.000Z
Align relay HTTP /json auth with websocket auth by accepting query-param tokens, add regression coverage, and update changelog. Landed from contributor @Sid-Qin (PR #26015). Co-authored-by: SidQin-cyber <sidqin0410@gmail.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,7 @@ Docs: https://docs.openclaw.ai
 ### Fixes
 
 - Browser/Extension relay CORS: handle `/json*` `OPTIONS` preflight before auth checks, allow Chrome extension origins, and return extension-origin CORS headers on relay HTTP responses so extension token validation no longer fails cross-origin. Landed from contributor PR #23962 by @miloudbelarebia. (#23842)
+- Browser/Extension relay auth: allow `?token=` query-param auth on relay `/json*` endpoints (consistent with relay WebSocket auth) so curl/devtools-style `/json/version` and `/json/list` probes work without requiring custom headers. Landed from contributor PR #26015 by @Sid-Qin. (#25928)
 - Auth/Auth profiles: normalize `auth-profiles.json` alias fields (`mode -> type`, `apiKey -> key`) before credential validation so entries copied from `openclaw.json` auth examples are no longer silently dropped. (#26950) thanks @byungsker.
 - Cron/Hooks isolated routing: preserve canonical `agent:*` session keys in isolated runs so already-qualified keys are not double-prefixed (for example `agent:main:main` no longer becomes `agent:main:agent:main:main`). Landed from contributor PR #27333 by @MaheshBhushan. (#27289, #27282)
 - iOS/Talk mode: stop injecting the voice directive hint into iOS Talk prompts and remove the Voice Directive Hint setting, reducing model bias toward tool-style TTS directives and keeping relay responses text-first by default. (#27543) thanks @ngutman.
diff --git a/src/browser/extension-relay.test.ts b/src/browser/extension-relay.test.ts
@@ -332,6 +332,19 @@ describe("chrome extension relay server", () => {
     ext.close();
   });
 
+  it("accepts /json endpoints with relay token query param", async () => {
+    const port = await getFreePort();
+    cdpUrl = `http://127.0.0.1:${port}`;
+    await ensureChromeExtensionRelayServer({ cdpUrl });
+
+    const token = relayAuthHeaders(cdpUrl)["x-openclaw-relay-token"];
+    expect(token).toBeTruthy();
+    const versionRes = await fetch(
+      `${cdpUrl}/json/version?token=${encodeURIComponent(String(token))}`,
+    );
+    expect(versionRes.status).toBe(200);
+  });
+
   it("accepts raw gateway token for relay auth compatibility", async () => {
     const port = await getFreePort();
     cdpUrl = `http://127.0.0.1:${port}`;
diff --git a/src/browser/extension-relay.ts b/src/browser/extension-relay.ts
@@ -399,7 +399,7 @@ export async function ensureChromeExtensionRelayServer(opts: {
     }
 
     if (path.startsWith("/json")) {
-      const token = getHeader(req, RELAY_AUTH_HEADER)?.trim();
+      const token = getRelayAuthTokenFromRequest(req, url);
       if (!token || !relayAuthTokens.has(token)) {
         res.writeHead(401);
         res.end("Unauthorized");

Original file line number	Diff line number	Diff line change
`@@ -399,7 +399,7 @@ export async function ensureChromeExtensionRelayServer(opts: {`
`399`	`399`	`}`
`400`	`400`
`401`	`401`	`if (path.startsWith("/json")) {`
`402`		`- const token = getHeader(req, RELAY_AUTH_HEADER)?.trim();`
	`402`	`+ const token = getRelayAuthTokenFromRequest(req, url);`
`403`	`403`	`if (!token \|\| !relayAuthTokens.has(token)) {`
`404`	`404`	`res.writeHead(401);`
`405`	`405`	`res.end("Unauthorized");`