Skip to content

Commit bc8df50

Browse files
joshavantjoshavant
committed
Telegram: resolve env SecretRef tokens at runtime
1 parent 12d75bf commit bc8df50

2 files changed

Lines changed: 47 additions & 4 deletions

File tree

extensions/telegram/src/token.test.ts

Lines changed: 17 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -229,7 +229,8 @@ describe("resolveTelegramToken", () => {
229229
expectNoTokenForUnknownAccount(createUnknownAccountConfig());
230230
});
231231

232-
it("throws when botToken is an unresolved SecretRef object", () => {
232+
it("resolves env-backed SecretRefs from process.env", () => {
233+
vi.stubEnv("TELEGRAM_BOT_TOKEN", "secretref-env-token");
233234
const cfg = {
234235
channels: {
235236
telegram: {
@@ -238,6 +239,21 @@ describe("resolveTelegramToken", () => {
238239
},
239240
} as unknown as OpenClawConfig;
240241

242+
expect(resolveTelegramToken(cfg)).toEqual({
243+
token: "secretref-env-token",
244+
source: "config",
245+
});
246+
});
247+
248+
it("keeps strict runtime behavior for unresolved non-env SecretRefs", () => {
249+
const cfg = {
250+
channels: {
251+
telegram: {
252+
botToken: { source: "file", provider: "vault", id: "/telegram/bot-token" },
253+
},
254+
},
255+
} as unknown as OpenClawConfig;
256+
241257
expect(() => resolveTelegramToken(cfg)).toThrow(
242258
/channels\.telegram\.botToken: unresolved SecretRef/i,
243259
);

extensions/telegram/src/token.ts

Lines changed: 30 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -4,14 +4,41 @@ import { tryReadSecretFileSync } from "openclaw/plugin-sdk/channel-core";
44
import type { OpenClawConfig } from "openclaw/plugin-sdk/config-runtime";
55
import type { TelegramAccountConfig } from "openclaw/plugin-sdk/config-runtime";
66
import { DEFAULT_ACCOUNT_ID, normalizeAccountId } from "openclaw/plugin-sdk/routing";
7-
import { normalizeResolvedSecretInputString } from "openclaw/plugin-sdk/secret-input";
7+
import {
8+
normalizeSecretInputString,
9+
resolveSecretInputString,
10+
} from "openclaw/plugin-sdk/secret-input";
811

912
export type TelegramTokenSource = "env" | "tokenFile" | "config" | "none";
1013

1114
export type TelegramTokenResolution = BaseTokenResolution & {
1215
source: TelegramTokenSource;
1316
};
1417

18+
function resolveRuntimeTokenValue(params: { value: unknown; path: string }): string | undefined {
19+
const resolved = resolveSecretInputString({
20+
value: params.value,
21+
path: params.path,
22+
mode: "inspect",
23+
});
24+
if (resolved.status === "available") {
25+
return resolved.value;
26+
}
27+
if (resolved.status !== "configured_unavailable") {
28+
return undefined;
29+
}
30+
if (resolved.ref.source === "env") {
31+
return normalizeSecretInputString(process.env[resolved.ref.id]);
32+
}
33+
// Runtime resolution stays strict for non-env SecretRefs.
34+
resolveSecretInputString({
35+
value: params.value,
36+
path: params.path,
37+
mode: "strict",
38+
});
39+
return undefined;
40+
}
41+
1542
type ResolveTelegramTokenOpts = {
1643
envToken?: string | null;
1744
accountId?: string | null;
@@ -79,7 +106,7 @@ export function resolveTelegramToken(
79106
return { token: "", source: "none" };
80107
}
81108

82-
const accountToken = normalizeResolvedSecretInputString({
109+
const accountToken = resolveRuntimeTokenValue({
83110
value: accountCfg?.botToken,
84111
path: `channels.telegram.accounts.${accountId}.botToken`,
85112
});
@@ -100,7 +127,7 @@ export function resolveTelegramToken(
100127
return { token: "", source: "none" };
101128
}
102129

103-
const configToken = normalizeResolvedSecretInputString({
130+
const configToken = resolveRuntimeTokenValue({
104131
value: telegramCfg?.botToken,
105132
path: "channels.telegram.botToken",
106133
});

0 commit comments

Comments
 (0)