fix: use www.clawhub.ai as default registry to prevent auth header stripping on redirect #101
…ripping on redirect (openclaw#100) clawhub.ai redirects to www.clawhub.ai via 307, which strips the Authorization header per standard cross-origin HTTP security rules. This causes all authenticated CLI commands to fail with 'Unauthorized'. Update DEFAULT_SITE and DEFAULT_REGISTRY to https://www.clawhub.ai and align .well-known/clawhub.json discovery endpoints accordingly. Also fixes openclaw#41, openclaw#72, openclaw#99.
@IISweetHeartII is attempting to deploy a commit to the Amantus Machina Team on Vercel. A member of the Team first needs to authorize it.
1 file reviewed, 1 comment
Additional Comments (1)
This is a comment left during a code review.
Path: convex/lib/webhooks.ts
Line: 19:21
Comment:
[P1] Default SITE_URL still points at non-www domain
This PR changes the CLI/site defaults to `https://www.clawhub.ai` to avoid the `clawhub.ai -> www` redirect, but `convex/lib/webhooks.ts` still defaults `SITE_URL` to `https://clawhub.ai`. Any Discord webhook payloads that rely on the default will keep generating links to the redirecting host, which is inconsistent with the new canonical URL.
Also appears in: `convex/lib/webhooks.test.ts:23,39,53,68,70,84`.
How can I resolve this? If you propose a fix, please make it concise.
Additional Suggestion:
README documentation references old default site URL 'https://clawhub.ai' instead of the new default 'https://www.clawhub.ai'
| export const DEFAULT_SITE = 'https://clawhub.ai' | ||
| export const DEFAULT_REGISTRY = 'https://clawhub.ai' | ||
| export const DEFAULT_SITE = 'https://www.clawhub.ai' | ||
| export const DEFAULT_REGISTRY = 'https://www.clawhub.ai' |
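Review bot: Both constants in this hunk only change the default, so a registry or site value of `https://clawhub.ai` supplied by the user (for example via `--registry`) would still go through the 307 and lose the `Authorization` header. Consider normalising the non-www host to `https://www.clawhub.ai` where the registry URL is resolved, or failing with a clear message when an authenticated request is redirected to another origin, so the symptom is not a bare "Unauthorized". The same literal is also repeated on both lines; defining `DEFAULT_REGISTRY` in terms of `DEFAULT_SITE` would keep the two from drifting apart.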
Summary
`clawhub.ai` returns a 307 redirect to `www.clawhub.ai`. Per standard HTTP security rules, the `Authorization` header is stripped on cross-origin redirects. This causes all authenticated CLI commands (`publish`, `whoami`, `sync`, `delete`, etc.) to fail with "Unauthorized" unless the user manually passes `--registry https://www.clawhub.ai`.

Root Cause
- `DEFAULT_SITE` and `DEFAULT_REGISTRY` in `packages/clawdhub/src/cli/registry.ts` point to `https://clawhub.ai` (without `www`)
- `.well-known/clawhub.json` discovery file also returns non-www URLs
- `https://clawhub.ai`
- `https://www.clawhub.ai`
- `Authorization` header (cross-origin security)
- `www.clawhub.ai` without auth → "Unauthorized"

Fix
- `DEFAULT_SITE` and `DEFAULT_REGISTRY` to `https://www.clawhub.ai`
- `public/.well-known/clawhub.json` to use `www.clawhub.ai` for all endpoints

Testing
Related Issues
Fixes #100
Also fixes #41, #72, #99
All of these report the same symptom: CLI returns "Unauthorized" after successful login, which is caused by the auth header being stripped during the non-www → www redirect.
Greptile Overview
Greptile Summary
This PR updates the CLI’s default `site`/`registry` URLs and the `.well-known/clawhub.json` discovery document to use `https://www.clawhub.ai` instead of `https://clawhub.ai`, avoiding a cross-origin 307 redirect that strips `Authorization` headers and breaks authenticated commands. Test fixtures and e2e defaults were updated accordingly.

One inconsistency remains: the Convex Discord webhook helper still defaults `SITE_URL` to the non-www domain, so webhook-generated links may continue pointing at the redirecting host instead of the new canonical URL.

Confidence Score: 4/5
- `convex/lib/webhooks.ts` that still points to the redirecting non-www domain, which could lead to inconsistent links.
Context used:
dashboard- AGENTS.md (source)
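
The origin comparison behind the failure this PR describes, as an added example that is not part of the PR or the project's code: it walks a constructed redirect table, drops `Authorization` when a hop changes origin, and reports the origin a registry setting should use. `REDIRECTS`, `traceRequest` and `checkRegistry` are hypothetical names, and no network request is made.

```javascript
// Constructed redirect table standing in for the live hosts (assumption);
// only the clawhub.ai -> www.clawhub.ai 307 is taken from the PR description.
const REDIRECTS = {
  'https://clawhub.ai': { status: 307, to: 'https://www.clawhub.ai' },
};

// Request headers that carry credentials (lower-case names).
const CREDENTIAL_HEADERS = new Set(['authorization']);

// Follow redirects like a fetch-style client: as soon as a hop changes origin
// (scheme + host + port), credential headers are dropped for the rest of the chain.
function traceRequest(startUrl, headers, maxHops = 5) {
  let url = new URL(startUrl);
  const sent = { ...headers };
  const dropped = [];
  for (let hop = 0; hop < maxHops; hop++) {
    const rule = REDIRECTS[url.origin];
    if (!rule) break;
    // Keep path and query, switch to the redirect target's origin.
    const next = new URL(url.pathname + url.search, rule.to);
    if (next.origin !== url.origin) {
      for (const name of Object.keys(sent)) {
        if (CREDENTIAL_HEADERS.has(name.toLowerCase())) {
          dropped.push(name);
          delete sent[name];
        }
      }
    }
    url = next;
  }
  return { finalUrl: url.href, headers: sent, dropped };
}

// Pre-flight check for a configured registry URL: would a bearer token sent to
// it survive, and which origin should be configured instead?
function checkRegistry(registry) {
  const probe = traceRequest(registry, { Authorization: 'Bearer <token>' });
  return {
    tokenSurvives: probe.dropped.length === 0,
    canonical: new URL(probe.finalUrl).origin,
  };
}

console.log(checkRegistry('https://clawhub.ai'));
console.log(checkRegistry('https://www.clawhub.ai'));
```
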