fix(ios): bind relay sends to registration origin

ngutman · ngutman · commit 4ac3d5db0d3a · 2026-05-29T21:31:16.000+03:00
diff --git a/apps/ios/Sources/Push/PushRegistrationManager.swift b/apps/ios/Sources/Push/PushRegistrationManager.swift
@@ -17,6 +17,7 @@ private struct RelayGatewayPushRegistrationPayload: Encodable {
     var topic: String
     var environment: String
     var distribution: String
+    var relayOrigin: String
     var tokenDebugSuffix: String?
 }
 
@@ -107,6 +108,7 @@ actor PushRegistrationManager {
                     topic: topic,
                     environment: self.buildConfig.apnsEnvironment.rawValue,
                     distribution: self.buildConfig.distribution.rawValue,
+                    relayOrigin: relayOrigin,
                     tokenDebugSuffix: stored.tokenDebugSuffix))
         }
 
@@ -138,6 +140,7 @@ actor PushRegistrationManager {
                 topic: topic,
                 environment: self.buildConfig.apnsEnvironment.rawValue,
                 distribution: self.buildConfig.distribution.rawValue,
+                relayOrigin: relayOrigin,
                 tokenDebugSuffix: registrationState.tokenDebugSuffix))
     }
 
diff --git a/src/gateway/exec-approval-ios-push.ts b/src/gateway/exec-approval-ios-push.ts
@@ -157,19 +157,30 @@ async function resolveDeliveryPlan(params: {
     }
   }
 
-  let relayConfig: ApnsRelayConfig | undefined;
+  const relayConfigByNodeId = new Map<string, ApnsRelayConfig>();
   if (needsRelay) {
-    const relay = resolveApnsRelayConfigFromEnv(process.env, getRuntimeConfig().gateway);
-    if (relay.ok) {
-      relayConfig = relay.value;
-    } else {
-      params.log.warn?.(`exec approvals: iOS relay APNs config unavailable: ${relay.error}`);
+    for (const target of targets) {
+      if (target.registration.transport !== "relay") {
+        continue;
+      }
+      const relay = resolveApnsRelayConfigFromEnv(process.env, getRuntimeConfig().gateway, {
+        registrationRelayOrigin: target.registration.relayOrigin,
+      });
+      if (relay.ok) {
+        relayConfigByNodeId.set(target.nodeId, relay.value);
+      } else {
+        params.log.warn?.(`exec approvals: iOS relay APNs config unavailable: ${relay.error}`);
+      }
     }
   }
+  const relayConfig = relayConfigByNodeId.values().next().value;
 
   return {
     targets: targets.filter((target) =>
-      target.registration.transport === "direct" ? Boolean(directAuth) : Boolean(relayConfig),
+      target.registration.transport === "direct"
+        ? Boolean(directAuth)
+        : relayConfigByNodeId.has(target.nodeId) &&
+          relayConfigByNodeId.get(target.nodeId)?.baseUrl === relayConfig?.baseUrl,
     ),
     directAuth,
     relayConfig,
diff --git a/src/gateway/server-methods/nodes.invoke-wake.test.ts b/src/gateway/server-methods/nodes.invoke-wake.test.ts
@@ -729,13 +729,17 @@ describe("node.invoke APNs wake path", () => {
       apnsReason: "Unregistered",
       apnsStatus: 410,
     });
-    expect(mocks.resolveApnsRelayConfigFromEnv).toHaveBeenCalledWith(process.env, {
-      push: {
-        apns: {
-          relay: DEFAULT_RELAY_CONFIG,
+    expect(mocks.resolveApnsRelayConfigFromEnv).toHaveBeenCalledWith(
+      process.env,
+      {
+        push: {
+          apns: {
+            relay: DEFAULT_RELAY_CONFIG,
+          },
         },
       },
-    });
+      { registrationRelayOrigin: undefined },
+    );
     expect(mocks.shouldClearStoredApnsRegistration).toHaveBeenCalledWith({
       registration,
       result: {
diff --git a/src/gateway/server-methods/nodes.ts b/src/gateway/server-methods/nodes.ts
@@ -199,8 +199,16 @@ async function resolveDirectNodePushConfig() {
     : { ok: false as const, error: auth.error };
 }
 
-function resolveRelayNodePushConfig(cfg: OpenClawConfig) {
-  const relay = resolveApnsRelayConfigFromEnv(process.env, cfg.gateway);
+function resolveRelayNodePushConfig(
+  cfg: OpenClawConfig,
+  registration: Extract<
+    NonNullable<Awaited<ReturnType<typeof loadApnsRegistration>>>,
+    { transport: "relay" }
+  >,
+) {
+  const relay = resolveApnsRelayConfigFromEnv(process.env, cfg.gateway, {
+    registrationRelayOrigin: registration.relayOrigin,
+  });
   return relay.ok
     ? { ok: true as const, relayConfig: relay.value }
     : { ok: false as const, error: relay.error };
@@ -493,7 +501,7 @@ export async function maybeWakeNodeWithApns(
 
       let wakeResult;
       if (registration.transport === "relay") {
-        const relay = resolveRelayNodePushConfig(opts?.cfg ?? getRuntimeConfig());
+        const relay = resolveRelayNodePushConfig(opts?.cfg ?? getRuntimeConfig(), registration);
         if (!relay.ok) {
           return withDuration({
             available: false,
@@ -595,7 +603,7 @@ export async function maybeSendNodeWakeNudge(
   try {
     let result;
     if (registration.transport === "relay") {
-      const relay = resolveRelayNodePushConfig(opts?.cfg ?? getRuntimeConfig());
+      const relay = resolveRelayNodePushConfig(opts?.cfg ?? getRuntimeConfig(), registration);
       if (!relay.ok) {
         return withDuration({
           sent: false,
diff --git a/src/gateway/server-methods/push.test.ts b/src/gateway/server-methods/push.test.ts
@@ -209,16 +209,20 @@ describe("push.test handler", () => {
 
     expect(resolveApnsAuthConfigFromEnv).not.toHaveBeenCalled();
     expect(resolveApnsRelayConfigFromEnv).toHaveBeenCalledTimes(1);
-    expect(resolveApnsRelayConfigFromEnv).toHaveBeenCalledWith(process.env, {
-      push: {
-        apns: {
-          relay: {
-            baseUrl: "https://relay.example.com",
-            timeoutMs: 1000,
+    expect(resolveApnsRelayConfigFromEnv).toHaveBeenCalledWith(
+      process.env,
+      {
+        push: {
+          apns: {
+            relay: {
+              baseUrl: "https://relay.example.com",
+              timeoutMs: 1000,
+            },
           },
         },
       },
-    });
+      { registrationRelayOrigin: undefined },
+    );
     expect(sendApnsAlert).toHaveBeenCalledTimes(1);
     const call = firstRespondCall(respond);
     expect(call?.[0]).toBe(true);
diff --git a/src/gateway/server-methods/push.ts b/src/gateway/server-methods/push.ts
@@ -85,6 +85,7 @@ export const pushHandlers: GatewayRequestHandlers = {
               const relay = resolveApnsRelayConfigFromEnv(
                 process.env,
                 context.getRuntimeConfig().gateway,
+                { registrationRelayOrigin: registration.relayOrigin },
               );
               if (!relay.ok) {
                 respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, relay.error));
diff --git a/src/gateway/server-node-events.ts b/src/gateway/server-node-events.ts
@@ -828,6 +828,7 @@ export const handleNodeEvent = async (
             topic,
             environment,
             distribution: obj.distribution,
+            relayOrigin: obj.relayOrigin,
             tokenDebugSuffix: obj.tokenDebugSuffix,
           });
         } else {
diff --git a/src/infra/push-apns.relay.test.ts b/src/infra/push-apns.relay.test.ts
@@ -64,11 +64,38 @@ function firstMockCall<T extends unknown[]>(mock: { mock: { calls: T[] } }): T |
 
 describe("push-apns.relay", () => {
   describe("resolveApnsRelayConfigFromEnv", () => {
-    it("defaults to the hosted relay when no relay base URL is configured", () => {
-      expectRelayConfig(resolveApnsRelayConfigFromEnv({} as NodeJS.ProcessEnv), {
-        baseUrl: DEFAULT_APNS_RELAY_BASE_URL,
-        timeoutMs: 10_000,
-      });
+    it("defaults to the hosted relay when the registration was minted by the hosted relay", () => {
+      expectRelayConfig(
+        resolveApnsRelayConfigFromEnv({} as NodeJS.ProcessEnv, undefined, {
+          registrationRelayOrigin: `${DEFAULT_APNS_RELAY_BASE_URL}/`,
+        }),
+        {
+          baseUrl: DEFAULT_APNS_RELAY_BASE_URL,
+          timeoutMs: 10_000,
+        },
+      );
+    });
+
+    it("fails closed when relay registration origin is unknown and no relay URL is configured", () => {
+      const resolved = resolveApnsRelayConfigFromEnv({} as NodeJS.ProcessEnv);
+
+      expect(resolved.ok).toBe(false);
+      if (!resolved.ok) {
+        expect(resolved.error).toContain("relay registrations without the hosted relay origin");
+      }
+    });
+
+    it("rejects config that does not match the registration relay origin", () => {
+      const resolved = resolveApnsRelayConfigFromEnv(
+        {} as NodeJS.ProcessEnv,
+        { push: { apns: { relay: { baseUrl: DEFAULT_APNS_RELAY_BASE_URL } } } },
+        { registrationRelayOrigin: "https://relay.example.com" },
+      );
+
+      expect(resolved.ok).toBe(false);
+      if (!resolved.ok) {
+        expect(resolved.error).toContain("origin mismatch");
+      }
     });
 
     it("lets env overrides win and clamps tiny timeout values", () => {
diff --git a/src/infra/push-apns.relay.ts b/src/infra/push-apns.relay.ts
@@ -23,6 +23,10 @@ type ApnsRelayConfigResolution =
   | { ok: true; value: ApnsRelayConfig }
   | { ok: false; error: string };
 
+type ApnsRelayConfigResolutionOptions = {
+  registrationRelayOrigin?: string;
+};
+
 export type ApnsRelayPushResponse = {
   ok: boolean;
   status: number;
@@ -94,6 +98,38 @@ function parseReason(value: unknown): string | undefined {
   return typeof value === "string" ? normalizeOptionalString(value) : undefined;
 }
 
+export function normalizeApnsRelayBaseUrl(
+  baseUrl: string,
+  env: NodeJS.ProcessEnv = process.env,
+): { ok: true; value: string } | { ok: false; error: string } {
+  try {
+    const parsed = new URL(baseUrl);
+    if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
+      throw new Error("unsupported protocol");
+    }
+    if (!parsed.hostname) {
+      throw new Error("host required");
+    }
+    if (parsed.protocol === "http:" && !readAllowHttp(env.OPENCLAW_APNS_RELAY_ALLOW_HTTP)) {
+      throw new Error(
+        "http relay URLs require OPENCLAW_APNS_RELAY_ALLOW_HTTP=true (development only)",
+      );
+    }
+    if (parsed.protocol === "http:" && !isLoopbackRelayHostname(parsed.hostname)) {
+      throw new Error("http relay URLs are limited to loopback hosts");
+    }
+    if (parsed.username || parsed.password) {
+      throw new Error("userinfo is not allowed");
+    }
+    if (parsed.search || parsed.hash) {
+      throw new Error("query and fragment are not allowed");
+    }
+    return { ok: true, value: parsed.toString().replace(/\/+$/, "") };
+  } catch (err) {
+    return { ok: false, error: formatErrorMessage(err) };
+  }
+}
+
 function buildRelayGatewaySignaturePayload(params: {
   gatewayDeviceId: string;
   signedAtMs: number;
@@ -110,55 +146,65 @@ function buildRelayGatewaySignaturePayload(params: {
 export function resolveApnsRelayConfigFromEnv(
   env: NodeJS.ProcessEnv = process.env,
   gatewayConfig?: GatewayConfig,
+  options: ApnsRelayConfigResolutionOptions = {},
 ): ApnsRelayConfigResolution {
   const configuredRelay = gatewayConfig?.push?.apns?.relay;
   const envBaseUrl = normalizeNonEmptyString(env.OPENCLAW_APNS_RELAY_BASE_URL);
   const configBaseUrl = normalizeNonEmptyString(configuredRelay?.baseUrl);
-  const baseUrl = envBaseUrl ?? configBaseUrl ?? DEFAULT_APNS_RELAY_BASE_URL;
+  const explicitBaseUrl = envBaseUrl ?? configBaseUrl;
+  const normalizedRegistrationOrigin = options.registrationRelayOrigin
+    ? normalizeApnsRelayBaseUrl(options.registrationRelayOrigin, env)
+    : undefined;
+  if (normalizedRegistrationOrigin && !normalizedRegistrationOrigin.ok) {
+    return {
+      ok: false,
+      error: `invalid relay registration origin (${options.registrationRelayOrigin}): ${normalizedRegistrationOrigin.error}`,
+    };
+  }
+
+  const baseUrl =
+    explicitBaseUrl ??
+    (normalizedRegistrationOrigin?.value === DEFAULT_APNS_RELAY_BASE_URL
+      ? DEFAULT_APNS_RELAY_BASE_URL
+      : undefined);
   const baseUrlSource = envBaseUrl
     ? "OPENCLAW_APNS_RELAY_BASE_URL"
     : configBaseUrl
       ? "gateway.push.apns.relay.baseUrl"
       : "default APNs relay base URL";
+  if (!baseUrl) {
+    return {
+      ok: false,
+      error:
+        "APNs relay config missing: set gateway.push.apns.relay.baseUrl or OPENCLAW_APNS_RELAY_BASE_URL for relay registrations without the hosted relay origin",
+    };
+  }
 
-  try {
-    const parsed = new URL(baseUrl);
-    if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
-      throw new Error("unsupported protocol");
-    }
-    if (!parsed.hostname) {
-      throw new Error("host required");
-    }
-    if (parsed.protocol === "http:" && !readAllowHttp(env.OPENCLAW_APNS_RELAY_ALLOW_HTTP)) {
-      throw new Error(
-        "http relay URLs require OPENCLAW_APNS_RELAY_ALLOW_HTTP=true (development only)",
-      );
-    }
-    if (parsed.protocol === "http:" && !isLoopbackRelayHostname(parsed.hostname)) {
-      throw new Error("http relay URLs are limited to loopback hosts");
-    }
-    if (parsed.username || parsed.password) {
-      throw new Error("userinfo is not allowed");
-    }
-    if (parsed.search || parsed.hash) {
-      throw new Error("query and fragment are not allowed");
-    }
+  const normalizedBaseUrl = normalizeApnsRelayBaseUrl(baseUrl, env);
+  if (!normalizedBaseUrl.ok) {
     return {
-      ok: true,
-      value: {
-        baseUrl: parsed.toString().replace(/\/+$/, ""),
-        timeoutMs: normalizeTimeoutMs(
-          env.OPENCLAW_APNS_RELAY_TIMEOUT_MS ?? configuredRelay?.timeoutMs,
-        ),
-      },
+      ok: false,
+      error: `invalid ${baseUrlSource} (${baseUrl}): ${normalizedBaseUrl.error}`,
     };
-  } catch (err) {
-    const message = formatErrorMessage(err);
+  }
+  if (
+    normalizedRegistrationOrigin &&
+    normalizedRegistrationOrigin.value !== normalizedBaseUrl.value
+  ) {
     return {
       ok: false,
-      error: `invalid ${baseUrlSource} (${baseUrl}): ${message}`,
+      error: `APNs relay config origin mismatch: registration uses ${normalizedRegistrationOrigin.value} but ${baseUrlSource} is ${normalizedBaseUrl.value}`,
     };
   }
+  return {
+    ok: true,
+    value: {
+      baseUrl: normalizedBaseUrl.value,
+      timeoutMs: normalizeTimeoutMs(
+        env.OPENCLAW_APNS_RELAY_TIMEOUT_MS ?? configuredRelay?.timeoutMs,
+      ),
+    },
+  };
 }
 
 async function sendApnsRelayRequest(params: {
diff --git a/src/infra/push-apns.ts b/src/infra/push-apns.ts

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@ private struct RelayGatewayPushRegistrationPayload: Encodable {`
`17`	`17`	`var topic: String`
`18`	`18`	`var environment: String`
`19`	`19`	`var distribution: String`
	`20`	`+ var relayOrigin: String`
`20`	`21`	`var tokenDebugSuffix: String?`
`21`	`22`	`}`
`22`	`23`
`@@ -107,6 +108,7 @@ actor PushRegistrationManager {`
`107`	`108`	`topic: topic,`
`108`	`109`	`environment: self.buildConfig.apnsEnvironment.rawValue,`
`109`	`110`	`distribution: self.buildConfig.distribution.rawValue,`
	`111`	`+ relayOrigin: relayOrigin,`
`110`	`112`	`tokenDebugSuffix: stored.tokenDebugSuffix))`
`111`	`113`	`}`
`112`	`114`
`@@ -138,6 +140,7 @@ actor PushRegistrationManager {`
`138`	`140`	`topic: topic,`
`139`	`141`	`environment: self.buildConfig.apnsEnvironment.rawValue,`
`140`	`142`	`distribution: self.buildConfig.distribution.rawValue,`
	`143`	`+ relayOrigin: relayOrigin,`
`141`	`144`	`tokenDebugSuffix: registrationState.tokenDebugSuffix))`
`142`	`145`	`}`
`143`	`146`