fix(bluebubbles): resolve SecretRef webhook password for auth (#76369)

neeravmakwana · cursoragent · neeravmakwana · commit c39a928d3ef5 · 2026-05-02T23:19:35.000-04:00
Webhook auth assumed string passwords and called .trim(); SecretRef objects crash the HTTP route handler. Normalize inline passwords and resolve refs via the gateway secret resolver, matching outbound BlueBubbles usage. Treat synchronous boolean webhook target matches without awaiting promises in resolveSingleWebhookTargetAsync; defer mock HTTP bodies with setImmediate in tests so async auth reliably attaches listeners. Fixes #76369. Co-authored-by: Cursor <cursoragent@cursor.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -13,6 +13,7 @@ Docs: https://docs.openclaw.ai
 
 ### Fixes
 
+- BlueBubbles: resolve `channels.bluebubbles` SecretRef-backed webhook passwords via the gateway secret pipeline instead of calling `.trim` on unresolved objects, restoring inbound webhook delivery. Fixes #76369.
 - Gateway: preserve stack diagnostics when `chat.send` or agent attachment parsing/staging fails, improving image-send failure triage. Refs #63432. (#75135) Thanks @keen0206.
 - Maintainer workflow: push prepared PR heads through GitHub's verified commit API by default and require an explicit override before git-protocol pushes can publish unsigned commits. Thanks @BunsDev.
 - Feishu: resolve setup/status probes through the selected/default account so multi-account configs with account-scoped app credentials show as configured and probeable. Fixes #72930. Thanks @brokemac79.
diff --git a/extensions/bluebubbles/src/monitor.ts b/extensions/bluebubbles/src/monitor.ts
@@ -1,5 +1,6 @@
 import type { IncomingMessage, ServerResponse } from "node:http";
 import { formatErrorMessage } from "openclaw/plugin-sdk/error-runtime";
+import { resolveConfiguredSecretInputString } from "openclaw/plugin-sdk/secret-input-runtime";
 import { safeEqualSecret } from "openclaw/plugin-sdk/security-runtime";
 import { normalizeLowercaseStringOrEmpty } from "openclaw/plugin-sdk/string-coerce-runtime";
 import { resolveBlueBubblesEffectiveAllowPrivateNetwork } from "./accounts.js";
@@ -23,14 +24,15 @@ import {
 } from "./monitor-shared.js";
 import { fetchBlueBubblesServerInfo } from "./probe.js";
 import { getBlueBubblesRuntime } from "./runtime.js";
+import { normalizeSecretInputString } from "./secret-input.js";
 import {
   WEBHOOK_RATE_LIMIT_DEFAULTS,
   createFixedWindowRateLimiter,
   createWebhookInFlightLimiter,
   registerWebhookTargetWithPluginRoute,
   readWebhookBodyOrReject,
   resolveRequestClientIp,
-  resolveWebhookTargetWithAuthOrRejectSync,
+  resolveWebhookTargetWithAuthOrReject,
   withResolvedWebhookRequestPipeline,
 } from "./webhook-ingress.js";
 
@@ -189,12 +191,20 @@ export async function handleBlueBubblesWebhookRequest(
         req.headers["x-bluebubbles-guid"] ??
         req.headers["authorization"];
       const guid = (Array.isArray(headerToken) ? headerToken[0] : headerToken) ?? guidParam ?? "";
-      const target = resolveWebhookTargetWithAuthOrRejectSync({
+      const target = await resolveWebhookTargetWithAuthOrReject({
         targets,
         res,
-        isMatch: (target) => {
-          const token = target.account.config.password?.trim() ?? "";
-          return safeEqualAuthToken(guid, token);
+        isMatch: (target): boolean | Promise<boolean> => {
+          const direct = normalizeSecretInputString(target.account.config.password);
+          if (direct) {
+            return safeEqualAuthToken(guid, direct);
+          }
+          return resolveConfiguredSecretInputString({
+            config: target.config,
+            env: process.env,
+            value: target.account.config.password,
+            path: `channels.bluebubbles.accounts.${target.account.accountId}.password`,
+          }).then((resolved) => safeEqualAuthToken(guid, resolved.value ?? ""));
         },
       });
       if (!target) {
diff --git a/extensions/bluebubbles/src/monitor.webhook-auth.test.ts b/extensions/bluebubbles/src/monitor.webhook-auth.test.ts
@@ -1,3 +1,4 @@
+import * as secretInputRuntimeModule from "openclaw/plugin-sdk/secret-input-runtime";
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import type { ResolvedBlueBubblesAccount } from "./accounts.js";
 import { fetchBlueBubblesHistory } from "./history.js";
@@ -411,7 +412,48 @@ describe("BlueBubbles webhook monitor", () => {
     });
 
     it("authenticates via password query parameter", async () => {
-      await expectProtectedWebhookRequestStatus(createProtectedPasswordQueryRequestParams(), 200);
+      const resolveSpy = vi.spyOn(secretInputRuntimeModule, "resolveConfiguredSecretInputString");
+      try {
+        await expectProtectedWebhookRequestStatus(createProtectedPasswordQueryRequestParams(), 200);
+        expect(resolveSpy).not.toHaveBeenCalled();
+      } finally {
+        resolveSpy.mockRestore();
+      }
+    });
+
+    describe("configured SecretRef password", () => {
+      it("authenticates inbound webhooks via runtime-resolved SecretRef password", async () => {
+        const resolveSpy = vi.spyOn(secretInputRuntimeModule, "resolveConfiguredSecretInputString");
+        resolveSpy.mockResolvedValue({ value: TEST_WEBHOOK_PASSWORD });
+        try {
+          setupWebhookTarget({
+            account: createMockAccount({
+              // @ts-expect-error SecretRef is accepted at runtime for gateway-merged account config.
+              password: { source: "exec", provider: "op-bb-password", id: "value" }, // pragma: allowlist secret
+            }),
+          });
+
+          await expectWebhookRequestStatusForTest(
+            createProtectedPasswordQueryRequestParams(TEST_WEBHOOK_PASSWORD),
+            200,
+            "ok",
+          );
+
+          expect(resolveSpy).toHaveBeenCalledTimes(1);
+          expect(resolveSpy.mock.calls[0]?.[0]).toMatchObject({
+            config: expect.any(Object),
+            env: expect.any(Object),
+            value: expect.objectContaining({
+              source: "exec",
+              provider: "op-bb-password",
+              id: "value",
+            }), // pragma: allowlist secret
+            path: "channels.bluebubbles.accounts.default.password",
+          });
+        } finally {
+          resolveSpy.mockRestore();
+        }
+      });
     });
 
     it("authenticates via x-password header", async () => {
diff --git a/extensions/bluebubbles/src/monitor.webhook.test-helpers.ts b/extensions/bluebubbles/src/monitor.webhook.test-helpers.ts
@@ -118,8 +118,9 @@ export function createMockRequest(
   req.headers = headers;
   (req as unknown as { socket: { remoteAddress: string } }).socket = { remoteAddress };
 
-  // Emit body data after a microtask.
-  void Promise.resolve().then(() => {
+  // Defer emission until after microtasks drain so webhook handlers that
+  // authenticate asynchronously can attach HTTP body listeners first.
+  setImmediate(() => {
     const bodyStr = typeof body === "string" ? body : JSON.stringify(body);
     req.emit("data", Buffer.from(bodyStr));
     req.emit("end");
diff --git a/extensions/bluebubbles/src/runtime-api.ts b/extensions/bluebubbles/src/runtime-api.ts
@@ -51,6 +51,7 @@ export {
   readWebhookBodyOrReject,
   registerWebhookTargetWithPluginRoute,
   resolveRequestClientIp,
+  resolveWebhookTargetWithAuthOrReject,
   resolveWebhookTargetWithAuthOrRejectSync,
   withResolvedWebhookRequestPipeline,
 } from "openclaw/plugin-sdk/webhook-ingress";
diff --git a/extensions/bluebubbles/src/webhook-ingress.ts b/extensions/bluebubbles/src/webhook-ingress.ts
@@ -5,6 +5,7 @@ export {
   registerWebhookTargetWithPluginRoute,
   readWebhookBodyOrReject,
   resolveRequestClientIp,
+  resolveWebhookTargetWithAuthOrReject,
   resolveWebhookTargetWithAuthOrRejectSync,
   withResolvedWebhookRequestPipeline,
 } from "openclaw/plugin-sdk/webhook-ingress";
diff --git a/src/plugin-sdk/webhook-targets.ts b/src/plugin-sdk/webhook-targets.ts
@@ -211,11 +211,13 @@ export function resolveSingleWebhookTarget<T>(
 /** Async variant of single-target resolution for auth checks that need I/O. */
 export async function resolveSingleWebhookTargetAsync<T>(
   targets: readonly T[],
-  isMatch: (target: T) => Promise<boolean>,
+  isMatch: (target: T) => boolean | Promise<boolean>,
 ): Promise<WebhookTargetMatchResult<T>> {
   let matched: T | undefined;
   for (const target of targets) {
-    if (!(await isMatch(target))) {
+    const verdict = isMatch(target);
+    const ok = typeof verdict === "boolean" ? verdict : await verdict;
+    if (!ok) {
       continue;
     }
     const updated = updateMatchedWebhookTarget(matched, target);
@@ -237,9 +239,7 @@ export async function resolveWebhookTargetWithAuthOrReject<T>(params: {
   ambiguousStatusCode?: number;
   ambiguousMessage?: string;
 }): Promise<T | null> {
-  const match = await resolveSingleWebhookTargetAsync(params.targets, async (target) =>
-    params.isMatch(target),
-  );
+  const match = await resolveSingleWebhookTargetAsync(params.targets, params.isMatch);
   return resolveWebhookTargetMatchOrReject(params, match);
 }
 
