feat: implement auth failure cooldowns, add loopback trusted proxies, and enhance health server status reporting

README.md

@@ -289,6 +289,7 @@ HuggingClaw keeps the Space awake without external cron tools:
 - **Backup restore failing:** Make sure `HF_USERNAME` and `HF_TOKEN` are correct (token needs write access to your Dataset).
 - **Space keeps sleeping:** Check logs for `Keep-alive` messages. Ensure `KEEP_ALIVE_INTERVAL` isn’t set to `0`.
 - **Auth errors / proxy:** If you see reverse-proxy auth errors, add the logged IPs under `TRUSTED_PROXIES` (from logs `remote=x.x.x.x`).
+- **Control UI says too many failed authentication attempts:** Wait for the retry window to expire, then open the Space in an incognito window or clear site storage for your Space before entering the current `GATEWAY_TOKEN` again.
 - **UI blocked (CORS):** Set `ALLOWED_ORIGINS=https://your-space-name.hf.space`.
 - **Version mismatches:** Pin a specific OpenClaw build with the `OPENCLAW_VERSION` Variable in HF Spaces, or `--build-arg OPENCLAW_VERSION=...` locally.
 

health-server.js

@@ -2,19 +2,30 @@
 const http = require("http");
 const fs = require("fs");
 const net = require("net");
+const { randomUUID } = require("node:crypto");
 
 const PORT = 7861;
 const GATEWAY_PORT = 7860;
 const GATEWAY_HOST = "127.0.0.1";
 const startTime = Date.now();
 const LLM_MODEL = process.env.LLM_MODEL || "Not Set";
+const GATEWAY_TOKEN = process.env.GATEWAY_TOKEN || "";
 const TELEGRAM_ENABLED = !!process.env.TELEGRAM_BOT_TOKEN;
+const GATEWAY_STATUS_CACHE_MS = 5000;
 
-function getPathname(url) {
+let gatewayStatusCache = {
+  expiresAt: 0,
+  value: {
+    whatsapp: { configured: true, connected: false },
+    telegram: { configured: TELEGRAM_ENABLED, connected: false },
+  },
+};
+
+function parseRequestUrl(url) {
   try {
-    return new URL(url, "http://localhost").pathname;
+    return new URL(url, "http://localhost");
   } catch {
-    return "/";
+    return new URL("http://localhost/");
   }
 }
 
@@ -22,11 +33,16 @@ function isDashboardRoute(pathname) {
   return pathname === "/dashboard" || pathname === "/dashboard/";
 }
 
+function isControlRoute(pathname) {
+  return pathname === "/control" || pathname === "/control/";
+}
+
 function isLocalRoute(pathname) {
   return (
     pathname === "/health" ||
     pathname === "/status" ||
-    isDashboardRoute(pathname)
+    isDashboardRoute(pathname) ||
+    isControlRoute(pathname)
   );
 }
 
@@ -60,6 +76,117 @@ function readSyncStatus() {
   return { status: "unknown", message: "No sync data yet" };
 }
 
+function normalizeChannelStatus(channel, configured) {
+  return {
+    configured: configured || !!channel,
+    connected: !!(channel && channel.connected),
+  };
+}
+
+function extractErrorMessage(msg) {
+  if (!msg || typeof msg !== "object") return "Unknown error";
+  if (typeof msg.error === "string") return msg.error;
+  if (msg.error && typeof msg.error.message === "string") return msg.error.message;
+  if (typeof msg.message === "string") return msg.message;
+  return "Unknown error";
+}
+
+function createGatewayConnection() {
+  return new Promise((resolve, reject) => {
+    const { WebSocket } = require("/home/node/.openclaw/openclaw-app/node_modules/ws");
+    const ws = new WebSocket(`ws://${GATEWAY_HOST}:${GATEWAY_PORT}`);
+    let resolved = false;
+
+    ws.on("message", (data) => {
+      const msg = JSON.parse(data.toString());
+
+      if (msg.type === "event" && msg.event === "connect.challenge") {
+        ws.send(JSON.stringify({
+          type: "req",
+          id: randomUUID(),
+          method: "connect",
+          params: {
+            auth: { token: GATEWAY_TOKEN },
+            client: { id: "health-server", platform: "linux", mode: "backend", version: "1.0.0" },
+            scopes: ["operator.read"],
+          },
+        }));
+        return;
+      }
+
+      if (!resolved && msg.type === "res" && msg.ok === false) {
+        resolved = true;
+        ws.close();
+        reject(new Error(extractErrorMessage(msg)));
+        return;
+      }
+
+      if (!resolved && msg.type === "res" && msg.ok) {
+        resolved = true;
+        resolve(ws);
+      }
+    });
+
+    ws.on("error", (error) => {
+      if (!resolved) reject(error);
+    });
+
+    setTimeout(() => {
+      if (!resolved) {
+        ws.close();
+        reject(new Error("Timeout"));
+      }
+    }, 10000);
+  });
+}
+
+function callGatewayRpc(ws, method, params) {
+  return new Promise((resolve, reject) => {
+    const id = randomUUID();
+    const handler = (data) => {
+      const msg = JSON.parse(data.toString());
+      if (msg.id === id) {
+        ws.removeListener("message", handler);
+        resolve(msg);
+      }
+    };
+
+    ws.on("message", handler);
+    ws.send(JSON.stringify({ type: "req", id, method, params }));
+
+    setTimeout(() => {
+      ws.removeListener("message", handler);
+      reject(new Error("RPC Timeout"));
+    }, 15000);
+  });
+}
+
+async function getGatewayChannelStatus() {
+  if (Date.now() < gatewayStatusCache.expiresAt) {
+    return gatewayStatusCache.value;
+  }
+
+  let ws;
+  try {
+    ws = await createGatewayConnection();
+    const statusRes = await callGatewayRpc(ws, "channels.status", {});
+    const channels = (statusRes.payload || statusRes.result)?.channels || {};
+    const value = {
+      whatsapp: normalizeChannelStatus(channels.whatsapp, true),
+      telegram: normalizeChannelStatus(channels.telegram, TELEGRAM_ENABLED),
+    };
+    gatewayStatusCache = {
+      expiresAt: Date.now() + GATEWAY_STATUS_CACHE_MS,
+      value,
+    };
+    return value;
+  } catch {
+    return gatewayStatusCache.value;
+  } finally {
+    if (ws) ws.close();
+  }
+}
+
 function renderDashboard() {
   return `
 <!DOCTYPE html>
@@ -260,7 +387,7 @@ function renderDashboard() {
                 <span class="stat-label">Telegram</span>
                 <span id="tg-status">Loading...</span>
             </div>
-            <a href="/" class="stat-btn">Open Control UI</a>
+            <a href="/control" class="stat-btn">Open Control UI</a>
         </div>
 
         <div class="stat-card" style="width: 100%;">
@@ -286,13 +413,18 @@ function renderDashboard() {
                 document.getElementById('model-id').textContent = data.model;
                 document.getElementById('uptime').textContent = data.uptime;
 
-                document.getElementById('wa-status').innerHTML = data.whatsapp
-                    ? '<div class="status-badge status-online"><div class="pulse"></div>Active</div>'
-                    : '<div class="status-badge status-offline">Disabled</div>';
+                function renderChannelStatus(channel, configuredLabel) {
+                    if (channel && channel.connected) {
+                        return '<div class="status-badge status-online"><div class="pulse"></div>Active</div>';
+                    }
+                    if (channel && channel.configured) {
+                        return '<div class="status-badge status-syncing">' + configuredLabel + '</div>';
+                    }
+                    return '<div class="status-badge status-offline">Disabled</div>';
+                }
 
-                document.getElementById('tg-status').innerHTML = data.telegram
-                    ? '<div class="status-badge status-online"><div class="pulse"></div>Active</div>'
-                    : '<div class="status-badge status-offline">Disabled</div>';
+                document.getElementById('wa-status').innerHTML = renderChannelStatus(data.whatsapp, 'Ready to pair');
+                document.getElementById('tg-status').innerHTML = renderChannelStatus(data.telegram, 'Configured');
 
                 const syncData = data.sync;
                 let badgeClass = 'status-offline';
@@ -418,7 +550,8 @@ function proxyUpgrade(req, socket, head) {
 }
 
 const server = http.createServer((req, res) => {
-  const pathname = getPathname(req.url || "/");
+  const parsedUrl = parseRequestUrl(req.url || "/");
+  const pathname = parsedUrl.pathname;
   const uptime = Math.floor((Date.now() - startTime) / 1000);
   const uptimeHuman = `${Math.floor(uptime / 3600)}h ${Math.floor((uptime % 3600) / 60)}m`;
 
@@ -436,16 +569,19 @@ const server = http.createServer((req, res) => {
   }
 
   if (pathname === "/status") {
-    res.writeHead(200, { "Content-Type": "application/json" });
-    res.end(
-      JSON.stringify({
-        model: LLM_MODEL,
-        whatsapp: true,
-        telegram: TELEGRAM_ENABLED,
-        sync: readSyncStatus(),
-        uptime: uptimeHuman,
-      }),
-    );
+    void (async () => {
+      const channelStatus = await getGatewayChannelStatus();
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(
+        JSON.stringify({
+          model: LLM_MODEL,
+          whatsapp: channelStatus.whatsapp,
+          telegram: channelStatus.telegram,
+          sync: readSyncStatus(),
+          uptime: uptimeHuman,
+        }),
+      );
+    })();
     return;
   }
 
@@ -455,11 +591,20 @@ const server = http.createServer((req, res) => {
     return;
   }
 
+  if ((pathname === "/" || isControlRoute(pathname)) && req.method === "GET" && !parsedUrl.searchParams.get("token") && GATEWAY_TOKEN) {
+    res.writeHead(302, {
+      Location: `/?token=${encodeURIComponent(GATEWAY_TOKEN)}`,
+      "Cache-Control": "no-store",
+    });
+    res.end();
+    return;
+  }
+
   proxyHttp(req, res);
 });
 
 server.on("upgrade", (req, socket, head) => {
-  const pathname = getPathname(req.url || "/");
+  const pathname = parseRequestUrl(req.url || "/").pathname;
   if (isLocalRoute(pathname)) {
     socket.destroy();
     return;

start.sh

@@ -176,7 +176,7 @@ CONFIG_JSON=$(cat <<'CONFIGEOF'
     "controlUi": {
       "allowInsecureAuth": true
     },
-    "trustedProxies": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+    "trustedProxies": ["127.0.0.1/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
   },
   "channels": {},
   "plugins": {
@@ -206,10 +206,11 @@ if [ -n "$OPENCLAW_PASSWORD" ]; then
 fi
 
 # Trusted proxies (optional — fixes "Proxy headers detected from untrusted address" on HF Spaces)
-# Set TRUSTED_PROXIES as comma-separated IPs, e.g. "10.20.31.87,10.20.26.157"
+# Set TRUSTED_PROXIES as comma-separated IPs/CIDRs, e.g. "10.20.31.87,10.20.26.157"
+# Loopback proxies stay trusted by default so the local dashboard reverse proxy works correctly.
 if [ -n "$TRUSTED_PROXIES" ]; then
   PROXIES_JSON=$(echo "$TRUSTED_PROXIES" | tr ',' '\n' | sed 's/^ *//;s/ *$//' | jq -R . | jq -s .)
-  CONFIG_JSON=$(echo "$CONFIG_JSON" | jq ".gateway.trustedProxies = $PROXIES_JSON")
+  CONFIG_JSON=$(echo "$CONFIG_JSON" | jq ".gateway.trustedProxies += $PROXIES_JSON | .gateway.trustedProxies |= unique")
 fi
 
 # Allowed origins (optional — lock down Control UI to specific URLs)

wa-guardian.js

@@ -14,9 +14,20 @@ const GATEWAY_URL = "ws://127.0.0.1:7860";
 const GATEWAY_TOKEN = process.env.GATEWAY_TOKEN || "huggingclaw";
 const CHECK_INTERVAL = 5000;
 const WAIT_TIMEOUT = 120000;
+const AUTH_FAILURE_COOLDOWN = 5 * 60 * 1000;
 
 let isWaiting = false;
 let hasShownWaitMessage = false;
+let authFailureUntil = 0;
+let authFailureLogged = false;
+
+function extractErrorMessage(msg) {
+  if (!msg || typeof msg !== "object") return "Unknown error";
+  if (typeof msg.error === "string") return msg.error;
+  if (msg.error && typeof msg.error.message === "string") return msg.error.message;
+  if (typeof msg.message === "string") return msg.message;
+  return "Unknown error";
+}
 
 async function createConnection() {
   return new Promise((resolve, reject) => {
@@ -40,6 +51,13 @@ async function createConnection() {
         return;
       }
 
+      if (!resolved && msg.type === "res" && msg.ok === false) {
+        resolved = true;
+        ws.close();
+        reject(new Error(extractErrorMessage(msg)));
+        return;
+      }
+
       if (!resolved && msg.type === "res" && msg.ok) {
         resolved = true;
         resolve(ws);
@@ -69,10 +87,13 @@ async function callRpc(ws, method, params) {
 
 async function checkStatus() {
   if (isWaiting) return;
+  if (Date.now() < authFailureUntil) return;
 
   let ws;
   try {
     ws = await createConnection();
+    authFailureUntil = 0;
+    authFailureLogged = false;
 
     // Check if WhatsApp channel exists and its status
     const statusRes = await callRpc(ws, "channels.status", {});
@@ -114,6 +135,14 @@ async function checkStatus() {
     }
 
   } catch (e) {
+    const message = e && e.message ? e.message : "";
+    if (/unauthorized|authentication|too many failed/i.test(message)) {
+      authFailureUntil = Date.now() + AUTH_FAILURE_COOLDOWN;
+      if (!authFailureLogged) {
+        console.log(`[guardian] Authentication failed (${message}). Pausing guardian retries for ${AUTH_FAILURE_COOLDOWN / 60000} minutes.`);
+        authFailureLogged = true;
+      }
+    }
     // Normal timeout or gateway starting up
   } finally {
     isWaiting = false;