fix(kiloclaw): stop leaking /i/{instanceId} prefix in access gateway redirect #2150
Merged
pandemicsyn merged 5 commits into main from Apr 8, 2026
Code Review Summary
Status: No Issues Found | Recommendation: Merge
Files Reviewed (1 files)
Reviewed by gpt-5.4-20260305 · 112,065 tokens
…redirect
buildRedirectUrl included /i/{instanceId}/ in the redirect path for
instance-keyed instances. This leaked the proxy prefix to the OpenClaw
SPA, which derived its WebSocket URL from window.location and persisted
it to localStorage — bypassing cookie-based instance routing entirely.
Always redirect to /#token={token} and let the kiloclaw-active-instance
cookie (set before the redirect) handle catch-all proxy routing.
The assertions for stripping these headers were passing trivially because the incoming request never set them. Add them to the fixture so the test actually exercises the delete logic. Fix indentation.
RSO
approved these changes
Apr 8, 2026
Summary
buildRedirectUrl in the access gateway included /i/{instanceId}/ in the redirect path for instance-keyed instances. The OpenClaw SPA (which we don't control) derived its WebSocket URL from window.location, persisted it to localStorage, and reused it across instance switches — bypassing the cookie-based instance routing added in #1815.
When a user switched between personal and org instances, the SPA would connect its WebSocket to the stale /i/{old-instance-id} path, routing traffic to the wrong machine.
Fix: buildRedirectUrl now always redirects to /#token={token}. The kiloclaw-active-instance cookie (set before the redirect) handles catch-all proxy routing to the correct instance. The /i/{instanceId} prefix never appears in the redirect URL.
Also strips additional proxy headers (forwarded, x-forwarded-proto) in the controller WebSocket proxy so the gateway's isLocalDirectRequest check works reliably on 3.28 and beyond.
Verification
/#token=..., cookie-routed correctly
/#token=..., cookie-routed to org machine
94fa6201)
~/projects/openclaw) to confirm localStorage scoping and WebSocket URL derivation behavior
Visual Changes
N/A
Reviewer Notes
fbd62cf added the /i/{instanceId}/ redirect path, and commit 7751f77 added cookie routing but never updated the redirect to stop including the prefix.
claw.kilosessions.ai (or the dev host) once. New sessions will work immediately.
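The failure mode described in the Summary, as an added example that is not part of the pull request or the project's code: a small JavaScript model of an SPA that caches a WebSocket URL derived from the page location, run against the old and the new redirect shape. The helpers `spaWebSocketUrl`, `routeInstance` and `instanceAfterSwitch`, the host `gateway.example`, the token and the instance ids are assumptions made for illustration.

```javascript
// Added illustration. Only buildRedirectUrl, /i/{instanceId}/, /#token={token}
// and the kiloclaw-active-instance cookie come from the PR text; every other
// name, the host and the ids are constructed for this example.
const ORIGIN = "https://gateway.example";

// 'Before' shape described in the PR: proxy prefix in the redirect path.
function buildRedirectUrlBefore(instanceId, token) {
  return `${ORIGIN}/i/${instanceId}/#token=${token}`;
}

// 'After' shape: always /#token={token}; routing is left to the cookie.
function buildRedirectUrlAfter(_instanceId, token) {
  return `${ORIGIN}/#token=${token}`;
}

// Stand-in for an SPA that derives its WebSocket URL from the page location
// once, persists it, and reuses the persisted value on later loads.
function spaWebSocketUrl(pageUrl, storage) {
  if (storage.has("wsUrl")) return storage.get("wsUrl");
  const u = new URL(pageUrl);
  const ws = `wss://${u.host}${u.pathname}`;
  storage.set("wsUrl", ws);
  return ws;
}

// Stand-in for the proxy: an explicit /i/{id}/ path wins, otherwise the
// kiloclaw-active-instance cookie decides (catch-all routing).
function routeInstance(wsUrl, cookies) {
  const m = new URL(wsUrl).pathname.match(/^\/i\/([^/]+)\//);
  return m ? m[1] : cookies["kiloclaw-active-instance"];
}

// Open `first` through the gateway, then switch to `second`; return the
// instance the WebSocket is routed to after the switch.
function instanceAfterSwitch(buildRedirectUrl, first, second) {
  const storage = new Map(); // plays the role of localStorage
  const cookies = {};
  let ws;
  for (const id of [first, second]) {
    cookies["kiloclaw-active-instance"] = id; // cookie is set before the redirect
    ws = spaWebSocketUrl(buildRedirectUrl(id, "tok"), storage);
  }
  return routeInstance(ws, cookies);
}

console.log("before:", instanceAfterSwitch(buildRedirectUrlBefore, "personal-1", "org-2"));
console.log("after: ", instanceAfterSwitch(buildRedirectUrlAfter, "personal-1", "org-2"));
```

The same two calls make a regression check for any gateway of this shape: after a switch, the routed instance must equal the cookie value, and the redirect path must contain no instance identifier.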