@@ -86,6 +86,31 @@ async function createSubagentRuntime(): Promise<PluginRuntime["subagent"]> {
8686 return call . runtimeOptions . subagent ;
8787}
8888
89+ function createSecurePluginRouteHandler ( params : {
90+ exactPluginHandler : ( ) => boolean | Promise < boolean > ;
91+ prefixGatewayHandler : ( ) => boolean | Promise < boolean > ;
92+ } ) {
93+ return createGatewayPluginRequestHandler ( {
94+ registry : createTestRegistry ( {
95+ httpRoutes : [
96+ createRoute ( {
97+ path : "/plugin/secure/report" ,
98+ match : "exact" ,
99+ auth : "plugin" ,
100+ handler : params . exactPluginHandler ,
101+ } ) ,
102+ createRoute ( {
103+ path : "/plugin/secure" ,
104+ match : "prefix" ,
105+ auth : "gateway" ,
106+ handler : params . prefixGatewayHandler ,
107+ } ) ,
108+ ] ,
109+ } ) ,
110+ log : createPluginLog ( ) ,
111+ } ) ;
112+ }
113+
89114describe ( "createGatewayPluginRequestHandler" , ( ) => {
90115 it ( "caps unauthenticated plugin routes to non-admin subagent scopes" , async ( ) => {
91116 loadOpenClawPlugins . mockReset ( ) ;
@@ -209,24 +234,9 @@ describe("createGatewayPluginRequestHandler", () => {
209234 it ( "fails closed when a matched gateway route reaches dispatch without auth" , async ( ) => {
210235 const exactPluginHandler = vi . fn ( async ( ) => false ) ;
211236 const prefixGatewayHandler = vi . fn ( async ( ) => true ) ;
212- const handler = createGatewayPluginRequestHandler ( {
213- registry : createTestRegistry ( {
214- httpRoutes : [
215- createRoute ( {
216- path : "/plugin/secure/report" ,
217- match : "exact" ,
218- auth : "plugin" ,
219- handler : exactPluginHandler ,
220- } ) ,
221- createRoute ( {
222- path : "/plugin/secure" ,
223- match : "prefix" ,
224- auth : "gateway" ,
225- handler : prefixGatewayHandler ,
226- } ) ,
227- ] ,
228- } ) ,
229- log : createPluginLog ( ) ,
237+ const handler = createSecurePluginRouteHandler ( {
238+ exactPluginHandler,
239+ prefixGatewayHandler,
230240 } ) ;
231241
232242 const { res } = makeMockHttpResponse ( ) ;
@@ -246,24 +256,9 @@ describe("createGatewayPluginRequestHandler", () => {
246256 it ( "allows gateway route fallthrough only after gateway auth succeeds" , async ( ) => {
247257 const exactPluginHandler = vi . fn ( async ( ) => false ) ;
248258 const prefixGatewayHandler = vi . fn ( async ( ) => true ) ;
249- const handler = createGatewayPluginRequestHandler ( {
250- registry : createTestRegistry ( {
251- httpRoutes : [
252- createRoute ( {
253- path : "/plugin/secure/report" ,
254- match : "exact" ,
255- auth : "plugin" ,
256- handler : exactPluginHandler ,
257- } ) ,
258- createRoute ( {
259- path : "/plugin/secure" ,
260- match : "prefix" ,
261- auth : "gateway" ,
262- handler : prefixGatewayHandler ,
263- } ) ,
264- ] ,
265- } ) ,
266- log : createPluginLog ( ) ,
259+ const handler = createSecurePluginRouteHandler ( {
260+ exactPluginHandler,
261+ prefixGatewayHandler,
267262 } ) ;
268263
269264 const { res } = makeMockHttpResponse ( ) ;
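Review bot: The new `createSecurePluginRouteHandler` helper (new lines 89–112) has no comment explaining why its two routes overlap, and after this refactor the two auth tests no longer show the route layout inline. The fixture is the security-relevant part: an exact `auth: "plugin"` route at `/plugin/secure/report` sits under a prefix `auth: "gateway"` route at `/plugin/secure`, and both tests pass an exact handler that resolves `false`, which presumably makes the request fall through to the gateway-auth route. I would add above the function something like `// Exact plugin-auth route nested under a gateway-auth prefix; a declined exact match must not reach the prefix handler without gateway auth.` The test assertions lie outside the visible hunks, so whether the fail-closed case also checks that `prefixGatewayHandler` was never called cannot be confirmed from here.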