
Extension Relay Hardening: Refuse Token-less Connections and Verify with a Regression Test

Addresses the high-risk problem of the browser relay `/extension` WebSocket still accepting connections when no token is supplied: first upgrade to the fixed build, then re-run the authentication check from both the public and the internal network path.

Source: GitHub | Discovered 2026-02-14 | Author: ple4zeme
Prerequisites
  • OpenClaw browser extension relay is enabled in your environment.
  • You can inspect gateway logs and run WebSocket connection tests both with and without a token.
Steps
  1. Record a baseline: attempt a `/extension` WebSocket connection once without a token and once with a valid token, and note the outcome of each.
  2. Upgrade to a build that includes the fix for issue #16059 (or a later stable release) and restart the gateway.
  3. Re-test from both the trusted LAN path and the public ingress path; the token-less connection must fail on both, while the connection carrying a valid token must still succeed.
  4. Add a periodic security canary that checks `/extension` authentication, so a regression introduced by a future upgrade is caught automatically.
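The canary from steps 1, 3 and 4 as one script. This is an added example, not OpenClaw's own code or the fix from issue #16059. It assumes that the relay answers a WebSocket upgrade on `GET /extension`, that the token is sent as `Authorization: Bearer <token>` (an assumption; change `TOKEN_HEADER` or the `Bearer` prefix if your relay takes the token elsewhere, for example as a query parameter), and that an admitted upgrade returns HTTP 101 while a refused one returns 401 or 403. Only the opening handshake is performed, so no relay frames are exchanged. The `MockRelay` at the bottom is a constructed stand-in used to exercise the canary offline against both the pre-fix behaviour (any client admitted) and the fixed behaviour (token required); point `canary()` at the real gateway on each ingress path for the actual check.

```python
"""Canary for the /extension WebSocket token requirement (added example).

Assumptions (not taken from the OpenClaw project):
  - the relay accepts a WebSocket upgrade on GET /extension,
  - the token travels as "Authorization: Bearer <token>",
  - an admitted upgrade answers HTTP 101, a refused one 401 or 403.
MockRelay is a constructed stand-in for offline runs, not the real gateway.
"""
import base64
import hashlib
import http.client
import os
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PATH = "/extension"
TOKEN_HEADER = "Authorization"                     # assumption, see docstring
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # RFC 6455 handshake constant
REJECTED = {401, 403}


def ws_upgrade_status(host, port, token=None, use_tls=False, timeout=5.0):
    """Send a bare WebSocket opening handshake to PATH; return the HTTP status.

    101 means the relay admitted the connection; anything else means it was
    refused (or the endpoint is not routed). No frames are sent afterwards.
    """
    headers = {
        "Host": f"{host}:{port}",
        "Upgrade": "websocket",
        "Connection": "Upgrade",
        "Sec-WebSocket-Key": base64.b64encode(os.urandom(16)).decode(),
        "Sec-WebSocket-Version": "13",
    }
    if token is not None:
        headers[TOKEN_HEADER] = f"Bearer {token}"
    if use_tls:
        conn = http.client.HTTPSConnection(
            host, port, timeout=timeout, context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", PATH, headers=headers)
        return conn.getresponse().status
    finally:
        conn.close()


def canary(host, port, token, use_tls=False):
    """Probe one ingress path twice and judge whether the token check holds.

    Passes only when the token-less upgrade is refused AND the valid-token
    upgrade is admitted, so a relay that is simply down cannot look "fixed".
    """
    without = ws_upgrade_status(host, port, None, use_tls)
    with_token = ws_upgrade_status(host, port, token, use_tls)
    return {
        "unauthenticated": without,
        "authenticated": with_token,
        "ok": without in REJECTED and with_token == 101,
    }


class MockRelay(BaseHTTPRequestHandler):
    """Constructed stand-in for the relay; REQUIRE_TOKEN toggles before/after."""
    REQUIRE_TOKEN = True
    VALID_TOKEN = "test-token"   # constructed value for the offline run

    def do_GET(self):
        if self.path != PATH or self.headers.get("Upgrade", "").lower() != "websocket":
            self.send_error(404)
            return
        presented = self.headers.get(TOKEN_HEADER, "")
        if self.REQUIRE_TOKEN and presented != f"Bearer {self.VALID_TOKEN}":
            self.send_error(401)   # fixed behaviour: no valid token, no relay
            return
        # Pre-fix behaviour falls through here for every client.
        accept = base64.b64encode(hashlib.sha1(
            (self.headers["Sec-WebSocket-Key"] + WS_GUID).encode()).digest()).decode()
        self.send_response(101)
        self.send_header("Upgrade", "websocket")
        self.send_header("Connection", "Upgrade")
        self.send_header("Sec-WebSocket-Accept", accept)
        self.end_headers()

    def log_message(self, *args):   # keep the canary output quiet
        pass


def start_mock_relay(require_token):
    """Start a mock relay on 127.0.0.1 with an ephemeral port; return (server, port)."""
    handler = type("Relay", (MockRelay,), {"REQUIRE_TOKEN": require_token})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    for label, require in (("pre-fix relay", False), ("fixed relay", True)):
        srv, port = start_mock_relay(require)
        print(label, canary("127.0.0.1", port, MockRelay.VALID_TOKEN))
        srv.shutdown()
        srv.server_close()
```

For the real check, run `canary()` once against the LAN address and once against the public hostname with `use_tls=True`, and alert whenever `"ok"` is false; the two raw status codes in the result tell you which side regressed.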
Commands
openclaw gateway status
openclaw gateway restart
openclaw logs --local-time
Verify

Connections without a token are rejected consistently on every path, while relay sessions presenting a valid token still connect successfully.

Caveats
  • A reverse proxy or local test harness may cache the old authentication behaviour; clear stale configuration and restart the proxy before drawing conclusions (needs verification).
  • Do not expose the relay endpoint to the WAN without TLS and a token, even after this fix.
Source attribution

This tip is aggregated from community/public sources and preserved with attribution.
