fix(pairing): restore qr bootstrap onboarding handoff (#58382) (thanks @ngutman)

* fix(pairing): restore qr bootstrap onboarding handoff * fix(pairing): tighten bootstrap handoff follow-ups * fix(pairing): migrate legacy gateway device auth * fix(pairing): narrow qr bootstrap handoff scope * fix(pairing): clear ios tls trust on onboarding reset * fix(pairing): restore qr bootstrap onboarding handoff (#58382) (thanks @ngutman)
2026-04-26 16:06:16 +00:00 · 2026-03-31 21:11:35 +03:00
parent 693d17c4a2
commit 69fe999373
15 changed files with 694 additions and 48 deletions
--- a/apps/shared/OpenClawKit/Sources/OpenClawKit/GatewayTLSPinning.swift
+++ b/apps/shared/OpenClawKit/Sources/OpenClawKit/GatewayTLSPinning.swift
@@ -35,6 +35,25 @@ public enum GatewayTLSStore {
        _ = GenericPasswordKeychainStore.saveString(value, service: self.keychainService, account: stableID)
    }

+    @discardableResult
+    public static func clearFingerprint(stableID: String) -> Bool {
+        let removedKeychain = GenericPasswordKeychainStore.delete(
+            service: self.keychainService,
+            account: stableID)
+        self.clearLegacyFingerprint(stableID: stableID)
+        return removedKeychain
+    }
+
+    @discardableResult
+    public static func clearAllFingerprints() -> Bool {
+        let removedKeychain = SecItemDelete([
+            kSecClass as String: kSecClassGenericPassword,
+            kSecAttrService as String: self.keychainService,
+        ] as CFDictionary)
+        self.clearAllLegacyFingerprints()
+        return removedKeychain == errSecSuccess || removedKeychain == errSecItemNotFound
+    }
+
    // MARK: - Migration

    /// On first Keychain read for a given stableID, move any legacy UserDefaults
@@ -53,6 +72,18 @@ public enum GatewayTLSStore {
        }
        defaults.removeObject(forKey: legacyKey)
    }
+
+    private static func clearLegacyFingerprint(stableID: String) {
+        guard let defaults = UserDefaults(suiteName: self.legacySuiteName) else { return }
+        defaults.removeObject(forKey: self.legacyKeyPrefix + stableID)
+    }
+
+    private static func clearAllLegacyFingerprints() {
+        guard let defaults = UserDefaults(suiteName: self.legacySuiteName) else { return }
+        for key in defaults.dictionaryRepresentation().keys where key.hasPrefix(self.legacyKeyPrefix) {
+            defaults.removeObject(forKey: key)
+        }
+    }
 }

 public final class GatewayTLSPinningSession: NSObject, WebSocketSessioning, URLSessionDelegate, @unchecked Sendable {