fix(gateway): require strict preauth budget env

steipete · steipete · commit 6a2ccbc9294a · 2026-05-29T07:21:23.000-04:00
diff --git a/src/gateway/server/preauth-connection-budget.test.ts b/src/gateway/server/preauth-connection-budget.test.ts
@@ -1,7 +1,11 @@
-import { describe, expect, it } from "vitest";
+import { afterEach, describe, expect, it, vi } from "vitest";
 import { createPreauthConnectionBudget } from "./preauth-connection-budget.js";
 
 describe("createPreauthConnectionBudget", () => {
+  afterEach(() => {
+    vi.unstubAllEnvs();
+  });
+
   it("caps connections with a finite configured limit", () => {
     const budget = createPreauthConnectionBudget(2);
 
@@ -30,4 +34,23 @@ describe("createPreauthConnectionBudget", () => {
     }
     expect(budget.acquire(undefined)).toBe(false);
   });
+
+  it("accepts strict plus-signed env limits", () => {
+    vi.stubEnv("OPENCLAW_MAX_PREAUTH_CONNECTIONS_PER_IP", "+02");
+    const budget = createPreauthConnectionBudget();
+
+    expect(budget.acquire("127.0.0.1")).toBe(true);
+    expect(budget.acquire("127.0.0.1")).toBe(true);
+    expect(budget.acquire("127.0.0.1")).toBe(false);
+  });
+
+  it("ignores non-decimal env limits", () => {
+    vi.stubEnv("OPENCLAW_MAX_PREAUTH_CONNECTIONS_PER_IP", "0x2");
+    const budget = createPreauthConnectionBudget();
+
+    for (let i = 0; i < 32; i += 1) {
+      expect(budget.acquire("127.0.0.1")).toBe(true);
+    }
+    expect(budget.acquire("127.0.0.1")).toBe(false);
+  });
 });
diff --git a/src/gateway/server/preauth-connection-budget.ts b/src/gateway/server/preauth-connection-budget.ts
@@ -1,4 +1,4 @@
-import { resolveIntegerOption } from "../../shared/number-coercion.js";
+import { parseStrictPositiveInteger, resolveIntegerOption } from "../../shared/number-coercion.js";
 
 const DEFAULT_MAX_PREAUTH_CONNECTIONS_PER_IP = 32;
 const UNKNOWN_CLIENT_IP_BUDGET_KEY = "__openclaw_unknown_client_ip__";
@@ -10,11 +10,11 @@ function getMaxPreauthConnectionsPerIpFromEnv(env: NodeJS.ProcessEnv = process.e
   if (!configured) {
     return DEFAULT_MAX_PREAUTH_CONNECTIONS_PER_IP;
   }
-  const parsed = Number(configured);
-  if (!Number.isFinite(parsed) || parsed < 1) {
+  const parsed = parseStrictPositiveInteger(configured);
+  if (parsed === undefined) {
     return DEFAULT_MAX_PREAUTH_CONNECTIONS_PER_IP;
   }
-  return Math.max(1, Math.floor(parsed));
+  return parsed;
 }
 
 export type PreauthConnectionBudget = {

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-import { resolveIntegerOption } from "../../shared/number-coercion.js";`
	`1`	`+import { parseStrictPositiveInteger, resolveIntegerOption } from "../../shared/number-coercion.js";`
`2`	`2`
`3`	`3`	`const DEFAULT_MAX_PREAUTH_CONNECTIONS_PER_IP = 32;`
`4`	`4`	`const UNKNOWN_CLIENT_IP_BUDGET_KEY = "__openclaw_unknown_client_ip__";`
`@@ -10,11 +10,11 @@ function getMaxPreauthConnectionsPerIpFromEnv(env: NodeJS.ProcessEnv = process.e`
`10`	`10`	`if (!configured) {`
`11`	`11`	`return DEFAULT_MAX_PREAUTH_CONNECTIONS_PER_IP;`
`12`	`12`	`}`
`13`		`- const parsed = Number(configured);`
`14`		`- if (!Number.isFinite(parsed) \|\| parsed < 1) {`
	`13`	`+ const parsed = parseStrictPositiveInteger(configured);`
	`14`	`+ if (parsed === undefined) {`
`15`	`15`	`return DEFAULT_MAX_PREAUTH_CONNECTIONS_PER_IP;`
`16`	`16`	`}`
`17`		`- return Math.max(1, Math.floor(parsed));`
	`17`	`+ return parsed;`
`18`	`18`	`}`
`19`	`19`
`20`	`20`	`export type PreauthConnectionBudget = {`