Skip to content

feat: change allowedOrigin param for openclaw upgrade #12188

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
f2c-ci-robot merged 1 commit into from
Mar 16, 2026
Merged

feat: change allowedOrigin param for openclaw upgrade #12188

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
91 changes: 70 additions & 21 deletions agent/app/service/agents.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -80,11 +80,12 @@
openclawCaddyPort = 8443
openclawCaddyDataPerm = 0777
openclawCaddyLoopbackAddress = "https://127.0.0.1:8443"
openclawAllowedOriginHost = "127.0.0.1"
openclawHTTPSVersion = "2026.3.13"
openclawTrustedProxyLoopback = "127.0.0.1/32"
)

func (a AgentService) Create(req dto.AgentCreateReq) (*dto.AgentItem, error) {

Check failure on line 88 in agent/app/service/agents.go

View check run for this annotation

SonarQubeCloud / SonarCloud Code Analysis

Refactor this method to reduce its Cognitive Complexity from 70 to the 15 allowed. 


See more on https://sonarcloud.io/project/issues?id=1Panel-dev_1Panel&issues=AZz2QytZACzsL9rDWB4L&open=AZz2QytZACzsL9rDWB4L&pullRequest=12188
agentType := normalizeAgentType(req.AgentType)
if !isSupportedAgentType(agentType) {
return nil, fmt.Errorf("agent type is invalid")
Expand Down Expand Up @@ -213,6 +214,9 @@
}
if agentType == constant.AppOpenclaw {
params["PANEL_APP_PORT_HTTPS"] = req.WebUIPort
if allowedOrigin := firstAllowedOrigin(allowedOrigins); allowedOrigin != "" {
params["ALLOWED_ORIGIN"] = allowedOrigin
}
params["PROVIDER"] = provider
params["MODEL"] = runtimeModel
params["API_TYPE"] = apiType
Expand Down Expand Up @@ -875,7 +879,7 @@
}

func (a AgentService) UpdateSecurityConfig(req dto.AgentSecurityConfigUpdateReq) error {
agent, _, err := a.loadAgentAndInstall(req.AgentID)
agent, install, err := a.loadAgentAndInstall(req.AgentID)
if err != nil {
return err
}
Expand All @@ -900,7 +904,10 @@
if err := writeOpenclawCaddyfile(agent.ConfigPath, allowedOrigins); err != nil {
return err
}
return nil
if err := syncOpenclawAllowedOriginEnv(install, allowedOrigins); err != nil {
return err
}
return appInstallRepo.Save(context.Background(), install)
}

func (a AgentService) GetOtherConfig(req dto.AgentOtherConfigReq) (*dto.AgentOtherConfig, error) {
Expand Down Expand Up @@ -1633,27 +1640,33 @@
return nil
}
migrateOpenclawInstallPorts(install)
if err := migrateOpenclawInstallEnv(install); err != nil {
return err
}
systemIP = strings.TrimSpace(systemIP)
if systemIP == "" || install.HttpsPort <= 0 {
return nil
}
allowedOrigin, err := buildOpenclawAllowedOrigin(systemIP, install.HttpsPort)
if err != nil {
return nil
}
configPath := path.Join(install.GetPath(), "data", "conf", "openclaw.json")
conf, err := readOpenclawConfig(configPath)
if err != nil {
return err
var allowedOrigins []string
if conf, err := readOpenclawConfig(configPath); err == nil {
allowedOrigins = extractSecurityConfig(conf).AllowedOrigins
}
setSecurityConfig(conf, dto.AgentSecurityConfig{AllowedOrigins: []string{allowedOrigin}})
if err := writeOpenclawConfigRaw(configPath, conf); err != nil {
return err
originHost := strings.TrimSpace(systemIP)
if originHost == "" {
originHost = openclawAllowedOriginHost
}
return writeOpenclawCaddyfile(configPath, []string{allowedOrigin})
if install.HttpsPort > 0 {
allowedOrigin, err := buildOpenclawAllowedOrigin(originHost, install.HttpsPort)
if err == nil {
conf, err := readOpenclawConfig(configPath)
if err != nil {
return err
}
allowedOrigins = []string{allowedOrigin}
setSecurityConfig(conf, dto.AgentSecurityConfig{AllowedOrigins: allowedOrigins})
if err := writeOpenclawConfigRaw(configPath, conf); err != nil {
return err
}
if err := writeOpenclawCaddyfile(configPath, allowedOrigins); err != nil {
return err
}
}
}
return migrateOpenclawInstallEnv(install, allowedOrigins)
}

func migrateOpenclawInstallPorts(install *model.AppInstall) {
Expand All @@ -1668,7 +1681,7 @@
}
}

func migrateOpenclawInstallEnv(install *model.AppInstall) error {
func migrateOpenclawInstallEnv(install *model.AppInstall, allowedOrigins []string) error {
if install == nil {
return nil
}
Expand All @@ -1681,6 +1694,9 @@
if install.HttpsPort > 0 {
envMap["PANEL_APP_PORT_HTTPS"] = install.HttpsPort
}
if allowedOrigin := firstAllowedOrigin(allowedOrigins); allowedOrigin != "" {
envMap["ALLOWED_ORIGIN"] = allowedOrigin
}
delete(envMap, "PANEL_APP_PORT_HTTP")
payload, err := json.Marshal(envMap)
if err != nil {
Expand All @@ -1690,6 +1706,39 @@
return nil
}

func syncOpenclawAllowedOriginEnv(install *model.AppInstall, allowedOrigins []string) error {
if install == nil {
return nil
}
envMap := make(map[string]interface{})
if strings.TrimSpace(install.Env) != "" {
if err := json.Unmarshal([]byte(install.Env), &envMap); err != nil {
return err
}
}
if allowedOrigin := firstAllowedOrigin(allowedOrigins); allowedOrigin != "" {
envMap["ALLOWED_ORIGIN"] = allowedOrigin
} else {
delete(envMap, "ALLOWED_ORIGIN")
}
payload, err := json.Marshal(envMap)
if err != nil {
return err
}
install.Env = string(payload)
return nil
}

func firstAllowedOrigin(allowedOrigins []string) string {
for _, origin := range allowedOrigins {
trimmed := strings.TrimSpace(origin)
if trimmed != "" {
return trimmed
}
}
return ""
}

func buildOpenclawAllowedOrigin(host string, port int) (string, error) {
host = strings.TrimSpace(host)
if host == "" || port <= 0 {
Expand Down
Loading