Upload 2 files

src/gateway/control-ui.ts

@@ -1,4 +1,5 @@
 import type { IncomingMessage, ServerResponse } from "node:http";
+import crypto from "node:crypto";
 import fs from "node:fs";
 import path from "node:path";
 import { fileURLToPath } from "node:url";
@@ -173,6 +174,631 @@ function serveFile(res: ServerResponse, filePath: string) {
   res.end(fs.readFileSync(filePath));
 }
 
+type ControlUiOauthProvider = "google" | "github";
+
+type ControlUiOauthConfig = {
+  sessionSecret: string;
+  sessionTtlSeconds: number;
+  allowedEmails: Set<string> | null;
+  allowedGoogleEmails: Set<string> | null;
+  allowedGithubLogins: Set<string> | null;
+  google: { clientId: string; clientSecret: string } | null;
+  github: { clientId: string; clientSecret: string } | null;
+};
+
+type ControlUiSessionPayload = {
+  v: 1;
+  exp: number;
+  provider: ControlUiOauthProvider;
+  sub: string;
+  email?: string;
+  login?: string;
+  name?: string;
+  picture?: string;
+};
+
+const CONTROL_UI_SESSION_COOKIE = "openclaw_ui_session";
+const CONTROL_UI_OAUTH_STATE_COOKIE = "openclaw_ui_oauth_state";
+const DEFAULT_SESSION_TTL_SECONDS = 60 * 60 * 24;
+
+const fallbackSessionSecret = crypto.randomBytes(32).toString("hex");
+
+function normalizeIdentifier(value: string) {
+  return value.trim().toLowerCase();
+}
+
+function parseCsvSet(value: string | undefined): Set<string> | null {
+  const raw = value?.trim();
+  if (!raw) return null;
+  const items = raw
+    .split(/[,\n]/g)
+    .map((item) => normalizeIdentifier(item))
+    .filter(Boolean);
+  return items.length ? new Set(items) : null;
+}
+
+function resolveControlUiOauthConfig(): ControlUiOauthConfig {
+  const googleClientId = process.env.OPENCLAW_CONTROL_UI_GOOGLE_CLIENT_ID?.trim() ?? "";
+  const googleClientSecret = process.env.OPENCLAW_CONTROL_UI_GOOGLE_CLIENT_SECRET?.trim() ?? "";
+  const githubClientId = process.env.OPENCLAW_CONTROL_UI_GITHUB_CLIENT_ID?.trim() ?? "";
+  const githubClientSecret = process.env.OPENCLAW_CONTROL_UI_GITHUB_CLIENT_SECRET?.trim() ?? "";
+
+  const sessionSecret =
+    process.env.OPENCLAW_CONTROL_UI_SESSION_SECRET?.trim() ??
+    process.env.OPENCLAW_GATEWAY_TOKEN?.trim() ??
+    fallbackSessionSecret;
+
+  const ttlRaw = process.env.OPENCLAW_CONTROL_UI_SESSION_TTL_SECONDS?.trim();
+  const sessionTtlSeconds =
+    ttlRaw && Number.isFinite(Number(ttlRaw)) && Number(ttlRaw) > 0
+      ? Math.floor(Number(ttlRaw))
+      : DEFAULT_SESSION_TTL_SECONDS;
+
+  return {
+    sessionSecret,
+    sessionTtlSeconds,
+    allowedEmails: parseCsvSet(process.env.OPENCLAW_CONTROL_UI_ALLOWED_EMAILS),
+    allowedGoogleEmails: parseCsvSet(process.env.OPENCLAW_CONTROL_UI_ALLOWED_GOOGLE_EMAILS),
+    allowedGithubLogins: parseCsvSet(process.env.OPENCLAW_CONTROL_UI_ALLOWED_GITHUB_LOGINS),
+    google: googleClientId && googleClientSecret ? { clientId: googleClientId, clientSecret: googleClientSecret } : null,
+    github: githubClientId && githubClientSecret ? { clientId: githubClientId, clientSecret: githubClientSecret } : null,
+  };
+}
+
+function isControlUiOauthEnabled(cfg: ControlUiOauthConfig) {
+  return Boolean(cfg.google || cfg.github);
+}
+
+function base64UrlEncode(value: string) {
+  return Buffer.from(value, "utf8").toString("base64url");
+}
+
+function base64UrlDecode(value: string) {
+  return Buffer.from(value, "base64url").toString("utf8");
+}
+
+function signToken(secret: string, payload: unknown) {
+  const body = base64UrlEncode(JSON.stringify(payload));
+  const sig = crypto.createHmac("sha256", secret).update(body).digest("base64url");
+  return `${body}.${sig}`;
+}
+
+function verifyToken<T>(secret: string, token: string): { ok: true; value: T } | { ok: false } {
+  const parts = token.split(".");
+  if (parts.length !== 2) return { ok: false };
+  const [body, sig] = parts;
+  const expected = crypto.createHmac("sha256", secret).update(body).digest("base64url");
+  try {
+    const a = Buffer.from(sig);
+    const b = Buffer.from(expected);
+    if (a.length !== b.length) return { ok: false };
+    if (!crypto.timingSafeEqual(a, b)) return { ok: false };
+  } catch {
+    return { ok: false };
+  }
+  try {
+    const parsed = JSON.parse(base64UrlDecode(body)) as T;
+    return { ok: true, value: parsed };
+  } catch {
+    return { ok: false };
+  }
+}
+
+function parseCookies(header: string | undefined): Record<string, string> {
+  if (!header) return {};
+  const out: Record<string, string> = {};
+  for (const part of header.split(";")) {
+    const idx = part.indexOf("=");
+    if (idx === -1) continue;
+    const k = part.slice(0, idx).trim();
+    const v = part.slice(idx + 1).trim();
+    if (!k) continue;
+    out[k] = decodeURIComponent(v);
+  }
+  return out;
+}
+
+function appendSetCookie(res: ServerResponse, value: string) {
+  const prev = res.getHeader("Set-Cookie");
+  if (!prev) {
+    res.setHeader("Set-Cookie", value);
+    return;
+  }
+  if (Array.isArray(prev)) {
+    res.setHeader("Set-Cookie", [...prev, value]);
+    return;
+  }
+  res.setHeader("Set-Cookie", [String(prev), value]);
+}
+
+function isSecureRequest(req: IncomingMessage) {
+  const xfProto = req.headers["x-forwarded-proto"];
+  const proto = Array.isArray(xfProto) ? xfProto[0] : xfProto;
+  if (proto && proto.toLowerCase().includes("https")) return true;
+  return Boolean((req.socket as { encrypted?: boolean }).encrypted);
+}
+
+function getRequestOrigin(req: IncomingMessage) {
+  const proto = isSecureRequest(req) ? "https" : "http";
+  const xfHost = req.headers["x-forwarded-host"];
+  const hostRaw = (Array.isArray(xfHost) ? xfHost[0] : xfHost) ?? req.headers.host ?? "localhost";
+  const host = String(hostRaw).split(",")[0]?.trim() || "localhost";
+  return `${proto}://${host}`;
+}
+
+function controlUiCookiePath(basePath: string) {
+  return basePath || "/";
+}
+
+function buildBaseUrlPath(basePath: string, suffix: string) {
+  return basePath ? `${basePath}${suffix}` : suffix;
+}
+
+function setCookie(
+  res: ServerResponse,
+  opts: { name: string; value: string; basePath: string; maxAgeSeconds?: number; secure: boolean },
+) {
+  const parts = [
+    `${opts.name}=${encodeURIComponent(opts.value)}`,
+    `Path=${controlUiCookiePath(opts.basePath)}`,
+    "HttpOnly",
+    "SameSite=Lax",
+  ];
+  if (typeof opts.maxAgeSeconds === "number") {
+    parts.push(`Max-Age=${Math.max(0, Math.floor(opts.maxAgeSeconds))}`);
+  }
+  if (opts.secure) parts.push("Secure");
+  appendSetCookie(res, parts.join("; "));
+}
+
+function clearCookie(res: ServerResponse, opts: { name: string; basePath: string; secure: boolean }) {
+  setCookie(res, { name: opts.name, value: "", basePath: opts.basePath, maxAgeSeconds: 0, secure: opts.secure });
+}
+
+function sendHtml(res: ServerResponse, status: number, html: string) {
+  res.statusCode = status;
+  res.setHeader("Content-Type", "text/html; charset=utf-8");
+  res.setHeader("Cache-Control", "no-cache");
+  res.end(html);
+}
+
+function sendRedirect(res: ServerResponse, location: string) {
+  res.statusCode = 302;
+  res.setHeader("Location", location);
+  res.end();
+}
+
+function isAllowedAccount(cfg: ControlUiOauthConfig, payload: ControlUiSessionPayload) {
+  const email = payload.email ? normalizeIdentifier(payload.email) : null;
+  const login = payload.login ? normalizeIdentifier(payload.login) : null;
+
+  const hasAnyAllowList = Boolean(
+    cfg.allowedEmails || cfg.allowedGoogleEmails || cfg.allowedGithubLogins,
+  );
+  if (!hasAnyAllowList) {
+    return false;
+  }
+
+  if (cfg.allowedEmails) {
+    if (!email || !cfg.allowedEmails.has(email)) return false;
+  }
+
+  if (payload.provider === "google" && cfg.allowedGoogleEmails) {
+    if (!email || !cfg.allowedGoogleEmails.has(email)) return false;
+  }
+
+  if (payload.provider === "github" && cfg.allowedGithubLogins) {
+    if (!login || !cfg.allowedGithubLogins.has(login)) return false;
+  }
+
+  return true;
+}
+
+function readSessionFromRequest(req: IncomingMessage, cfg: ControlUiOauthConfig): ControlUiSessionPayload | null {
+  const cookies = parseCookies(req.headers.cookie);
+  const raw = cookies[CONTROL_UI_SESSION_COOKIE];
+  if (!raw) return null;
+  const verified = verifyToken<ControlUiSessionPayload>(cfg.sessionSecret, raw);
+  if (!verified.ok) return null;
+  const value = verified.value;
+  if (!value || value.v !== 1) return null;
+  if (typeof value.exp !== "number" || value.exp <= Math.floor(Date.now() / 1000)) return null;
+  if (value.provider !== "google" && value.provider !== "github") return null;
+  if (typeof value.sub !== "string" || !value.sub) return null;
+  if (!isAllowedAccount(cfg, value)) return null;
+  return value;
+}
+
+type OAuthStatePayload = { v: 1; exp: number; nonce: string; provider: ControlUiOauthProvider };
+
+function issueOAuthState(res: ServerResponse, cfg: ControlUiOauthConfig, basePath: string, secure: boolean, provider: ControlUiOauthProvider) {
+  const exp = Math.floor(Date.now() / 1000) + 60 * 10;
+  const statePayload: OAuthStatePayload = { v: 1, exp, nonce: crypto.randomBytes(16).toString("hex"), provider };
+  const token = signToken(cfg.sessionSecret, statePayload);
+  setCookie(res, { name: CONTROL_UI_OAUTH_STATE_COOKIE, value: token, basePath, maxAgeSeconds: 60 * 10, secure });
+  return token;
+}
+
+function consumeOAuthState(req: IncomingMessage, res: ServerResponse, cfg: ControlUiOauthConfig, basePath: string, secure: boolean) {
+  const cookies = parseCookies(req.headers.cookie);
+  const raw = cookies[CONTROL_UI_OAUTH_STATE_COOKIE];
+  if (!raw) return null;
+  const verified = verifyToken<OAuthStatePayload>(cfg.sessionSecret, raw);
+  clearCookie(res, { name: CONTROL_UI_OAUTH_STATE_COOKIE, basePath, secure });
+  if (!verified.ok) return null;
+  const value = verified.value;
+  if (!value || value.v !== 1) return null;
+  if (typeof value.exp !== "number" || value.exp <= Math.floor(Date.now() / 1000)) return null;
+  if (value.provider !== "google" && value.provider !== "github") return null;
+  if (typeof value.nonce !== "string" || !value.nonce) return null;
+  return { token: raw, payload: value };
+}
+
+function renderLoginPage(opts: { basePath: string; hasGoogle: boolean; hasGithub: boolean }) {
+  const loginPath = buildBaseUrlPath(opts.basePath, "/auth/login");
+  const googlePath = buildBaseUrlPath(opts.basePath, "/auth/google");
+  const githubPath = buildBaseUrlPath(opts.basePath, "/auth/github");
+
+  const buttons = [
+    opts.hasGoogle
+      ? `<a class="btn google" href="${googlePath}">Continue with Google</a>`
+      : `<div class="btn disabled">Google login not configured</div>`,
+    opts.hasGithub
+      ? `<a class="btn github" href="${githubPath}">Continue with GitHub</a>`
+      : `<div class="btn disabled">GitHub login not configured</div>`,
+  ].join("");
+
+  return `<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>OpenClaw Control UI Login</title>
+    <style>
+      :root { color-scheme: light dark; }
+      body { margin: 0; font-family: ui-sans-serif, system-ui, -apple-system, Segoe UI, Roboto, Helvetica, Arial; }
+      .wrap { min-height: 100vh; display: flex; align-items: center; justify-content: center; padding: 24px; }
+      .card { width: 100%; max-width: 420px; border: 1px solid rgba(127,127,127,.35); border-radius: 14px; padding: 18px; }
+      h1 { font-size: 18px; margin: 0 0 10px; }
+      p { margin: 0 0 16px; opacity: .85; font-size: 13px; line-height: 1.45; }
+      .btn { display: block; text-decoration: none; padding: 10px 12px; border-radius: 10px; border: 1px solid rgba(127,127,127,.35); margin: 10px 0; text-align: center; font-weight: 600; }
+      .btn.google { background: rgba(66,133,244,.12); }
+      .btn.github { background: rgba(36,41,46,.12); }
+      .btn.disabled { opacity: .55; cursor: not-allowed; }
+      .small { font-size: 12px; opacity: .75; margin-top: 12px; }
+      .small a { color: inherit; }
+    </style>
+  </head>
+  <body>
+    <div class="wrap">
+      <div class="card">
+        <h1>Sign in to OpenClaw Control UI</h1>
+        <p>Only accounts allowed by environment variables can access the console.</p>
+        ${buttons}
+        <div class="small">This page is served from <a href="${loginPath}">${loginPath}</a>.</div>
+      </div>
+    </div>
+  </body>
+</html>`;
+}
+
+async function exchangeGoogleUser(opts: {
+  code: string;
+  redirectUri: string;
+  clientId: string;
+  clientSecret: string;
+}) {
+  const tokenRes = await fetch("https://oauth2.googleapis.com/token", {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      code: opts.code,
+      client_id: opts.clientId,
+      client_secret: opts.clientSecret,
+      redirect_uri: opts.redirectUri,
+      grant_type: "authorization_code",
+    }),
+  });
+  if (!tokenRes.ok) {
+    throw new Error(`google token exchange failed: ${tokenRes.status}`);
+  }
+  const tokenJson = (await tokenRes.json()) as { access_token?: unknown };
+  const accessToken = typeof tokenJson.access_token === "string" ? tokenJson.access_token : null;
+  if (!accessToken) throw new Error("google access token missing");
+
+  const userRes = await fetch("https://www.googleapis.com/oauth2/v3/userinfo", {
+    headers: { Authorization: `Bearer ${accessToken}` },
+  });
+  if (!userRes.ok) {
+    throw new Error(`google userinfo failed: ${userRes.status}`);
+  }
+  const userJson = (await userRes.json()) as {
+    sub?: unknown;
+    email?: unknown;
+    email_verified?: unknown;
+    name?: unknown;
+    picture?: unknown;
+  };
+  const sub = typeof userJson.sub === "string" ? userJson.sub : null;
+  const email = typeof userJson.email === "string" ? userJson.email : null;
+  const emailVerified = userJson.email_verified === true;
+  const name = typeof userJson.name === "string" ? userJson.name : null;
+  const picture = typeof userJson.picture === "string" ? userJson.picture : null;
+  if (!sub) throw new Error("google subject missing");
+  if (email && !emailVerified) throw new Error("google email not verified");
+  return { sub, email, name, picture };
+}
+
+async function exchangeGithubUser(opts: { code: string; redirectUri: string; clientId: string; clientSecret: string }) {
+  const tokenRes = await fetch("https://github.com/login/oauth/access_token", {
+    method: "POST",
+    headers: { Accept: "application/json", "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      code: opts.code,
+      client_id: opts.clientId,
+      client_secret: opts.clientSecret,
+      redirect_uri: opts.redirectUri,
+    }),
+  });
+  if (!tokenRes.ok) {
+    throw new Error(`github token exchange failed: ${tokenRes.status}`);
+  }
+  const tokenJson = (await tokenRes.json()) as { access_token?: unknown; token_type?: unknown };
+  const accessToken = typeof tokenJson.access_token === "string" ? tokenJson.access_token : null;
+  if (!accessToken) throw new Error("github access token missing");
+
+  const userRes = await fetch("https://api.github.com/user", {
+    headers: {
+      Authorization: `Bearer ${accessToken}`,
+      Accept: "application/vnd.github+json",
+      "User-Agent": "openclaw-control-ui",
+    },
+  });
+  if (!userRes.ok) throw new Error(`github user fetch failed: ${userRes.status}`);
+  const userJson = (await userRes.json()) as { id?: unknown; login?: unknown; name?: unknown; avatar_url?: unknown };
+  const sub = typeof userJson.id === "number" ? String(userJson.id) : typeof userJson.id === "string" ? userJson.id : null;
+  const login = typeof userJson.login === "string" ? userJson.login : null;
+  const name = typeof userJson.name === "string" ? userJson.name : null;
+  const picture = typeof userJson.avatar_url === "string" ? userJson.avatar_url : null;
+  if (!sub || !login) throw new Error("github user identity missing");
+
+  const emailsRes = await fetch("https://api.github.com/user/emails", {
+    headers: {
+      Authorization: `Bearer ${accessToken}`,
+      Accept: "application/vnd.github+json",
+      "User-Agent": "openclaw-control-ui",
+    },
+  });
+  let email: string | null = null;
+  if (emailsRes.ok) {
+    const emailsJson = (await emailsRes.json()) as Array<{
+      email?: unknown;
+      verified?: unknown;
+      primary?: unknown;
+    }>;
+    const verified = emailsJson
+      .map((item) => ({
+        email: typeof item.email === "string" ? item.email : null,
+        verified: item.verified === true,
+        primary: item.primary === true,
+      }))
+      .filter((item) => item.email && item.verified);
+    const primary = verified.find((item) => item.primary);
+    email = primary?.email ?? verified[0]?.email ?? null;
+  }
+
+  return { sub, login, name, picture, email };
+}
+
+export async function handleControlUiAuthRequest(
+  req: IncomingMessage,
+  res: ServerResponse,
+  opts?: ControlUiRequestOptions,
+): Promise<boolean> {
+  const urlRaw = req.url;
+  if (!urlRaw) return false;
+  if (req.method !== "GET" && req.method !== "HEAD") return false;
+
+  const cfg = resolveControlUiOauthConfig();
+  if (!isControlUiOauthEnabled(cfg)) return false;
+
+  const url = new URL(urlRaw, "http://localhost");
+  const basePath = normalizeControlUiBasePath(opts?.basePath);
+  const pathname = url.pathname;
+
+  if (basePath) {
+    if (pathname === basePath) {
+      const loginUrl = buildBaseUrlPath(basePath, "/auth/login");
+      sendRedirect(res, `${loginUrl}${url.search}`);
+      return true;
+    }
+    if (!pathname.startsWith(`${basePath}/`)) {
+      return false;
+    }
+  }
+
+  const uiPath = basePath && pathname.startsWith(`${basePath}/`) ? pathname.slice(basePath.length) : pathname;
+  const secure = isSecureRequest(req);
+  const session = readSessionFromRequest(req, cfg);
+
+  if (uiPath === "/auth/login") {
+    sendHtml(
+      res,
+      200,
+      renderLoginPage({ basePath, hasGoogle: Boolean(cfg.google), hasGithub: Boolean(cfg.github) }),
+    );
+    return true;
+  }
+
+  if (uiPath === "/auth/logout") {
+    clearCookie(res, { name: CONTROL_UI_SESSION_COOKIE, basePath, secure });
+    sendRedirect(res, buildBaseUrlPath(basePath, "/auth/login"));
+    return true;
+  }
+
+  if (uiPath === "/auth/google") {
+    if (!cfg.google) {
+      respondNotFound(res);
+      return true;
+    }
+    const state = issueOAuthState(res, cfg, basePath, secure, "google");
+    const origin = getRequestOrigin(req);
+    const redirectUri = `${origin}${buildBaseUrlPath(basePath, "/auth/google/callback")}`;
+    const authorize = new URL("https://accounts.google.com/o/oauth2/v2/auth");
+    authorize.searchParams.set("client_id", cfg.google.clientId);
+    authorize.searchParams.set("redirect_uri", redirectUri);
+    authorize.searchParams.set("response_type", "code");
+    authorize.searchParams.set("scope", "openid email profile");
+    authorize.searchParams.set("state", state);
+    authorize.searchParams.set("access_type", "online");
+    authorize.searchParams.set("prompt", "select_account");
+    sendRedirect(res, authorize.toString());
+    return true;
+  }
+
+  if (uiPath === "/auth/google/callback") {
+    if (!cfg.google) {
+      respondNotFound(res);
+      return true;
+    }
+    const code = url.searchParams.get("code")?.trim() ?? "";
+    const state = url.searchParams.get("state")?.trim() ?? "";
+    const consumed = consumeOAuthState(req, res, cfg, basePath, secure);
+    if (!code || !state || !consumed || state !== consumed.token || consumed.payload.provider !== "google") {
+      res.statusCode = 400;
+      res.setHeader("Content-Type", "text/plain; charset=utf-8");
+      res.end("Invalid OAuth callback");
+      return true;
+    }
+    try {
+      const origin = getRequestOrigin(req);
+      const redirectUri = `${origin}${buildBaseUrlPath(basePath, "/auth/google/callback")}`;
+      const user = await exchangeGoogleUser({
+        code,
+        redirectUri,
+        clientId: cfg.google.clientId,
+        clientSecret: cfg.google.clientSecret,
+      });
+      const exp = Math.floor(Date.now() / 1000) + cfg.sessionTtlSeconds;
+      const payload: ControlUiSessionPayload = {
+        v: 1,
+        exp,
+        provider: "google",
+        sub: user.sub,
+        email: user.email ?? undefined,
+        name: user.name ?? undefined,
+        picture: user.picture ?? undefined,
+      };
+      if (!isAllowedAccount(cfg, payload)) {
+        res.statusCode = 403;
+        res.setHeader("Content-Type", "text/plain; charset=utf-8");
+        res.end("Forbidden");
+        return true;
+      }
+      setCookie(res, {
+        name: CONTROL_UI_SESSION_COOKIE,
+        value: signToken(cfg.sessionSecret, payload),
+        basePath,
+        maxAgeSeconds: cfg.sessionTtlSeconds,
+        secure,
+      });
+      sendRedirect(res, basePath ? `${basePath}/` : "/");
+      return true;
+    } catch {
+      res.statusCode = 502;
+      res.setHeader("Content-Type", "text/plain; charset=utf-8");
+      res.end("OAuth provider error");
+      return true;
+    }
+  }
+
+  if (uiPath === "/auth/github") {
+    if (!cfg.github) {
+      respondNotFound(res);
+      return true;
+    }
+    const state = issueOAuthState(res, cfg, basePath, secure, "github");
+    const origin = getRequestOrigin(req);
+    const redirectUri = `${origin}${buildBaseUrlPath(basePath, "/auth/github/callback")}`;
+    const authorize = new URL("https://github.com/login/oauth/authorize");
+    authorize.searchParams.set("client_id", cfg.github.clientId);
+    authorize.searchParams.set("redirect_uri", redirectUri);
+    authorize.searchParams.set("scope", "read:user user:email");
+    authorize.searchParams.set("state", state);
+    sendRedirect(res, authorize.toString());
+    return true;
+  }
+
+  if (uiPath === "/auth/github/callback") {
+    if (!cfg.github) {
+      respondNotFound(res);
+      return true;
+    }
+    const code = url.searchParams.get("code")?.trim() ?? "";
+    const state = url.searchParams.get("state")?.trim() ?? "";
+    const consumed = consumeOAuthState(req, res, cfg, basePath, secure);
+    if (!code || !state || !consumed || state !== consumed.token || consumed.payload.provider !== "github") {
+      res.statusCode = 400;
+      res.setHeader("Content-Type", "text/plain; charset=utf-8");
+      res.end("Invalid OAuth callback");
+      return true;
+    }
+    try {
+      const origin = getRequestOrigin(req);
+      const redirectUri = `${origin}${buildBaseUrlPath(basePath, "/auth/github/callback")}`;
+      const user = await exchangeGithubUser({
+        code,
+        redirectUri,
+        clientId: cfg.github.clientId,
+        clientSecret: cfg.github.clientSecret,
+      });
+      const exp = Math.floor(Date.now() / 1000) + cfg.sessionTtlSeconds;
+      const payload: ControlUiSessionPayload = {
+        v: 1,
+        exp,
+        provider: "github",
+        sub: user.sub,
+        email: user.email ?? undefined,
+        login: user.login ?? undefined,
+        name: user.name ?? undefined,
+        picture: user.picture ?? undefined,
+      };
+      if (!isAllowedAccount(cfg, payload)) {
+        res.statusCode = 403;
+        res.setHeader("Content-Type", "text/plain; charset=utf-8");
+        res.end("Forbidden");
+        return true;
+      }
+      setCookie(res, {
+        name: CONTROL_UI_SESSION_COOKIE,
+        value: signToken(cfg.sessionSecret, payload),
+        basePath,
+        maxAgeSeconds: cfg.sessionTtlSeconds,
+        secure,
+      });
+      sendRedirect(res, basePath ? `${basePath}/` : "/");
+      return true;
+    } catch {
+      res.statusCode = 502;
+      res.setHeader("Content-Type", "text/plain; charset=utf-8");
+      res.end("OAuth provider error");
+      return true;
+    }
+  }
+
+  if (session) {
+    return false;
+  }
+
+  if (uiPath.startsWith("/auth/")) {
+    respondNotFound(res);
+    return true;
+  }
+
+  sendRedirect(res, buildBaseUrlPath(basePath, "/auth/login"));
+  return true;
+}
+
 interface ControlUiInjectionOpts {
   basePath: string;
   assistantName?: string;

src/gateway/server-http.ts

@@ -13,7 +13,7 @@ import { resolveAgentAvatar } from "../agents/identity-avatar.js";
 import { handleA2uiHttpRequest } from "../canvas-host/a2ui.js";
 import { loadConfig } from "../config/config.js";
 import { handleSlackHttpRequest } from "../slack/http/index.js";
-import { handleControlUiAvatarRequest, handleControlUiHttpRequest } from "./control-ui.js";
+import { handleControlUiAuthRequest, handleControlUiAvatarRequest, handleControlUiHttpRequest } from "./control-ui.js";
 import { applyHookMappings } from "./hooks-mapping.js";
 import {
   extractHookToken,
@@ -289,6 +289,14 @@ export function createGatewayHttpServer(opts: {
         }
       }
       if (controlUiEnabled) {
+        if (
+          await handleControlUiAuthRequest(req, res, {
+            basePath: controlUiBasePath,
+            config: configSnapshot,
+          })
+        ) {
+          return;
+        }
         if (
           handleControlUiAvatarRequest(req, res, {
             basePath: controlUiBasePath,