fix(gateway): skip gateway auth for LINE webhook routes with noGatewayAuth

haosenwang1018 · claude · haosenwang1018 · commit d2dd7742b4cf · 2026-03-03T01:48:17.000+08:00
The shouldEnforceGatewayAuthForPluginPath function was enforcing gateway- level auth on all registered plugin HTTP routes, including the LINE webhook which implements its own signature-based auth. This caused POST /line/webhook to receive 401/405 responses after the auth gate was introduced. Add a noGatewayAuth flag to PluginHttpRouteRegistration so webhook routes can opt out of gateway auth enforcement. LINE monitor now sets this flag when registering its webhook route. Fixes #31599 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/src/gateway/server.plugin-http-auth.test.ts b/src/gateway/server.plugin-http-auth.test.ts
@@ -477,6 +477,40 @@ describe("gateway plugin HTTP auth boundary", () => {
     });
   });
 
+  test("allows POST to webhook routes with noGatewayAuth without auth token", async () => {
+    const handlePluginRequest = vi.fn(async (req: IncomingMessage, res: ServerResponse) => {
+      const pathname = new URL(req.url ?? "/", "http://localhost").pathname;
+      if (pathname === "/line/webhook") {
+        res.statusCode = 200;
+        res.setHeader("Content-Type", "application/json; charset=utf-8");
+        res.end(JSON.stringify({ ok: true, route: "line-webhook" }));
+        return true;
+      }
+      return false;
+    });
+
+    await withGatewayServer({
+      prefix: "openclaw-plugin-http-auth-webhook-noauth-test-",
+      resolvedAuth: AUTH_TOKEN,
+      overrides: {
+        handlePluginRequest,
+        // Simulate a predicate that exempts noGatewayAuth routes (like the real one)
+        shouldEnforcePluginGatewayAuth: (requestPath) =>
+          requestPath.startsWith("/api/channels") || requestPath === "/managed/route",
+      },
+      run: async (server) => {
+        // POST to /line/webhook without auth should reach the plugin handler
+        const postResponse = await sendRequest(server, {
+          path: "/line/webhook",
+          method: "POST",
+        });
+        expect(postResponse.res.statusCode).toBe(200);
+        expect(postResponse.getBody()).toContain('"route":"line-webhook"');
+        expect(handlePluginRequest).toHaveBeenCalledTimes(1);
+      },
+    });
+  });
+
   test("uses /api/channels auth by default while keeping wildcard handlers ungated with no predicate", async () => {
     const handlePluginRequest = vi.fn(async (req: IncomingMessage, res: ServerResponse) => {
       const pathname = new URL(req.url ?? "/", "http://localhost").pathname;
diff --git a/src/gateway/server/plugins-http.test.ts b/src/gateway/server/plugins-http.test.ts
@@ -152,4 +152,17 @@ describe("plugin HTTP registry helpers", () => {
     expect(shouldEnforceGatewayAuthForPluginPath(registry, "/api/channels/status")).toBe(true);
     expect(shouldEnforceGatewayAuthForPluginPath(registry, "/not-plugin")).toBe(false);
   });
+
+  it("skips auth enforcement for routes with noGatewayAuth", () => {
+    const registry = createTestRegistry({
+      httpRoutes: [
+        { ...createRoute({ path: "/line/webhook" }), noGatewayAuth: true },
+        createRoute({ path: "/api/managed" }),
+      ],
+    });
+    expect(shouldEnforceGatewayAuthForPluginPath(registry, "/line/webhook")).toBe(false);
+    expect(shouldEnforceGatewayAuthForPluginPath(registry, "/api/managed")).toBe(true);
+    // Protected prefix routes are always gated regardless of noGatewayAuth
+    expect(shouldEnforceGatewayAuthForPluginPath(registry, "/api/channels/status")).toBe(true);
+  });
 });
diff --git a/src/gateway/server/plugins-http.ts b/src/gateway/server/plugins-http.ts
@@ -36,9 +36,15 @@ export function shouldEnforceGatewayAuthForPluginPath(
   registry: PluginRegistry,
   pathname: string,
 ): boolean {
-  return (
-    isProtectedPluginRoutePath(pathname) || isRegisteredPluginHttpRoutePath(registry, pathname)
-  );
+  if (isProtectedPluginRoutePath(pathname)) {
+    return true;
+  }
+  // Only enforce gateway auth on registered plugin routes that have NOT
+  // opted out via noGatewayAuth.  Channel webhook routes (e.g. LINE)
+  // implement their own signature-based auth and must remain reachable
+  // without a gateway token.
+  const route = findRegisteredPluginHttpRoute(registry, pathname);
+  return route !== undefined && !route.noGatewayAuth;
 }
 
 export function createGatewayPluginRequestHandler(params: {
diff --git a/src/line/monitor.ts b/src/line/monitor.ts
@@ -292,6 +292,7 @@ export async function monitorLineProvider(
     accountId: resolvedAccountId,
     log: (msg) => logVerbose(msg),
     handler: createLineNodeWebhookHandler({ channelSecret: secret, bot, runtime }),
+    noGatewayAuth: true,
   });
 
   logVerbose(`line: registered webhook handler at ${normalizedPath}`);
diff --git a/src/plugins/http-registry.ts b/src/plugins/http-registry.ts
@@ -17,6 +17,8 @@ export function registerPluginHttpRoute(params: {
   accountId?: string;
   log?: (message: string) => void;
   registry?: PluginRegistry;
+  /** When true, skip gateway-level auth enforcement for this route. */
+  noGatewayAuth?: boolean;
 }): () => void {
   const registry = params.registry ?? requireActivePluginRegistry();
   const routes = registry.httpRoutes ?? [];
@@ -41,6 +43,7 @@ export function registerPluginHttpRoute(params: {
     handler: params.handler,
     pluginId: params.pluginId,
     source: params.source,
+    noGatewayAuth: params.noGatewayAuth,
   };
   routes.push(entry);
 
diff --git a/src/plugins/registry.ts b/src/plugins/registry.ts
@@ -60,6 +60,10 @@ export type PluginHttpRouteRegistration = {
   path: string;
   handler: OpenClawPluginHttpRouteHandler;
   source?: string;
+  /** When true, skip gateway-level auth enforcement for this route.
+   *  Webhook routes that implement their own signature-based auth
+   *  (e.g., LINE webhook) should set this to true. */
+  noGatewayAuth?: boolean;
 };
 
 export type PluginChannelRegistration = {
