let5see/clawdbot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(whatsapp): normalize user JIDs for group allowlists (#838)

Browse Source 
Thanks @peschee.

Co-authored-by: Peter Siska <63866+peschee@users.noreply.github.com>
This commit is contained in:
Peter Steinberger
2026-01-14 23:24:21 +00:00
parent fd41000bc3
commit 57b4865ab3
6 changed files with 297 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
CHANGELOG.md
View File

@@ -15,6 +15,7 @@
- Slack: drop Socket Mode events with mismatched `api_app_id`/`team_id`. (#889) — thanks @roshanasingh4. - Slack: drop Socket Mode events with mismatched `api_app_id`/`team_id`. (#889) — thanks @roshanasingh4.
- Discord: isolate autoThread thread context. (#856) — thanks @davidguttman. - Discord: isolate autoThread thread context. (#856) — thanks @davidguttman.
- WhatsApp: fix context isolation using wrong ID (was bot's number, now conversation ID). (#911) — thanks @tristanmanchester. - WhatsApp: fix context isolation using wrong ID (was bot's number, now conversation ID). (#911) — thanks @tristanmanchester.
- WhatsApp: normalize user JIDs with device suffix for allowlist checks in groups. (#838) — thanks @peschee.
## 2026.1.13 ## 2026.1.13

27
src/auto-reply/command-auth.test.ts
View File

@@ -30,7 +30,7 @@ describe("resolveCommandAuthorization", () => {
it("falls back from whitespace SenderId to SenderE164", () => { it("falls back from whitespace SenderId to SenderE164", () => {
const cfg = { const cfg = {
whatsapp: { allowFrom: ["+123"] }, channels: { whatsapp: { allowFrom: ["+123"] } },
} as ClawdbotConfig; } as ClawdbotConfig;
const ctx = { const ctx = {
@@ -53,7 +53,7 @@ describe("resolveCommandAuthorization", () => {
it("falls back to From when SenderId and SenderE164 are whitespace", () => { it("falls back to From when SenderId and SenderE164 are whitespace", () => {
const cfg = { const cfg = {
whatsapp: { allowFrom: ["+999"] }, channels: { whatsapp: { allowFrom: ["+999"] } },
} as ClawdbotConfig; } as ClawdbotConfig;
const ctx = { const ctx = {
@@ -73,4 +73,27 @@ describe("resolveCommandAuthorization", () => {
expect(auth.senderId).toBe("+999"); expect(auth.senderId).toBe("+999");
expect(auth.isAuthorizedSender).toBe(true); expect(auth.isAuthorizedSender).toBe(true);
}); });
it("falls back from un-normalizable SenderId to SenderE164", () => {
const cfg = {
channels: { whatsapp: { allowFrom: ["+123"] } },
} as ClawdbotConfig;
const ctx = {
Provider: "whatsapp",
Surface: "whatsapp",
From: "whatsapp:+999",
SenderId: "wat",
SenderE164: "+123",
} as MsgContext;
const auth = resolveCommandAuthorization({
ctx,
cfg,
commandAuthorized: true,
});
expect(auth.senderId).toBe("+123");
expect(auth.isAuthorizedSender).toBe(true);
});
}); });

45
src/auto-reply/command-auth.ts
View File

@@ -14,6 +14,31 @@ export type CommandAuthorization = {
to?: string; to?: string;
}; };
function resolveSenderId(params: {
dock?: ChannelDock;
cfg: ClawdbotConfig;
accountId?: string | null;
ctx: MsgContext;
}): string | undefined {
const { dock, cfg, accountId, ctx } = params;
const senderCandidates = [ctx.SenderId, ctx.SenderE164, ctx.From]
.map((value) => (value ?? "").trim())
.filter(Boolean);
for (const sender of senderCandidates) {
const normalized = formatAllowFromList({
dock,
cfg,
accountId,
allowFrom: [sender],
})[0];
if (normalized) return normalized;
}
return undefined;
}
function resolveProviderFromContext(ctx: MsgContext, cfg: ClawdbotConfig): ChannelId | undefined { function resolveProviderFromContext(ctx: MsgContext, cfg: ClawdbotConfig): ChannelId | undefined {
const direct = const direct =
normalizeChannelId(ctx.Provider) ?? normalizeChannelId(ctx.Provider) ??
@@ -90,17 +115,15 @@ export function resolveCommandAuthorization(params: {
} }
const ownerList = ownerCandidates; const ownerList = ownerCandidates;
const senderIdCandidate = ctx.SenderId?.trim() ?? ""; const senderId = resolveSenderId({
const senderE164Candidate = ctx.SenderE164?.trim() ?? ""; dock,
const senderRaw = senderIdCandidate || senderE164Candidate || from; cfg,
const senderId = senderRaw accountId: ctx.AccountId,
? formatAllowFromList({ ctx: {
dock, ...ctx,
cfg, From: from,
accountId: ctx.AccountId, },
allowFrom: [senderRaw], });
})[0]
: undefined;
const enforceOwner = Boolean(dock?.commands?.enforceOwnerForCommands); const enforceOwner = Boolean(dock?.commands?.enforceOwnerForCommands);
const isOwner = const isOwner =

172
src/auto-reply/reply/session-reset-group.test.ts Normal file
View File

@@ -0,0 +1,172 @@
import fs from "node:fs/promises";
import os from "node:os";
import path from "node:path";
import { describe, expect, it } from "vitest";
import type { ClawdbotConfig } from "../../config/config.js";
import { initSessionState } from "./session.js";
describe("initSessionState reset triggers in WhatsApp groups", () => {
async function createStorePath(prefix: string): Promise<string> {
const root = await fs.mkdtemp(
path.join(os.tmpdir(), prefix),
);
return path.join(root, "sessions.json");
}
async function seedSessionStore(params: {
storePath: string;
sessionKey: string;
sessionId: string;
}): Promise<void> {
const { saveSessionStore } = await import("../../config/sessions.js");
await saveSessionStore(params.storePath, {
[params.sessionKey]: {
sessionId: params.sessionId,
updatedAt: Date.now(),
},
});
}
function makeCfg(params: { storePath: string; allowFrom: string[] }): ClawdbotConfig {
return {
session: { store: params.storePath, idleMinutes: 999 },
channels: {
whatsapp: {
allowFrom: params.allowFrom,
groupPolicy: "open",
},
},
} as ClawdbotConfig;
}
it("Reset trigger /new works for authorized sender in WhatsApp group", async () => {
const storePath = await createStorePath("clawdbot-group-reset-");
const sessionKey = "agent:main:whatsapp:group:120363406150318674@g.us";
const existingSessionId = "existing-session-123";
await seedSessionStore({
storePath,
sessionKey,
sessionId: existingSessionId,
});
const cfg = makeCfg({
storePath,
allowFrom: ["+41796666864"],
});
// Group message context matching what WhatsApp handler creates
const groupMessageCtx = {
Body: `[Chat messages since your last reply - for context]\\n[WhatsApp 120363406150318674@g.us 2026-01-13T07:45Z] Someone: hello\\n\\n[Current message - respond to this]\\n[WhatsApp 120363406150318674@g.us 2026-01-13T07:45Z] Peschiño: /new\\n[from: Peschiño (+41796666864)]`,
RawBody: "/new",
CommandBody: "/new",
From: "120363406150318674@g.us",
To: "+41779241027",
ChatType: "group",
SessionKey: sessionKey,
Provider: "whatsapp",
Surface: "whatsapp",
SenderName: "Peschiño",
SenderE164: "+41796666864",
SenderId: "41796666864:0@s.whatsapp.net",
};
const result = await initSessionState({
ctx: groupMessageCtx,
cfg,
commandAuthorized: true,
});
// The reset should be detected
expect(result.triggerBodyNormalized).toBe("/new");
expect(result.isNewSession).toBe(true);
expect(result.sessionId).not.toBe(existingSessionId);
expect(result.bodyStripped).toBe("");
});
it("Reset trigger /new blocked for unauthorized sender in existing session", async () => {
const storePath = await createStorePath("clawdbot-group-reset-unauth-");
const sessionKey = "agent:main:whatsapp:group:120363406150318674@g.us";
const existingSessionId = "existing-session-123";
await seedSessionStore({
storePath,
sessionKey,
sessionId: existingSessionId,
});
const cfg = makeCfg({
storePath,
allowFrom: ["+41796666864"],
});
// Group message from different sender (not in allowFrom)
const groupMessageCtx = {
Body: `[Context]\\n[WhatsApp ...] OtherPerson: /new\\n[from: OtherPerson (+1555123456)]`,
RawBody: "/new",
CommandBody: "/new",
From: "120363406150318674@g.us",
To: "+41779241027",
ChatType: "group",
SessionKey: sessionKey,
Provider: "whatsapp",
Surface: "whatsapp",
SenderName: "OtherPerson",
SenderE164: "+1555123456", // Different sender (not authorized)
SenderId: "1555123456:0@s.whatsapp.net",
};
const result = await initSessionState({
ctx: groupMessageCtx,
cfg,
commandAuthorized: true,
});
// Reset should NOT be triggered for unauthorized sender - session ID should stay the same
expect(result.triggerBodyNormalized).toBe("/new");
expect(result.sessionId).toBe(existingSessionId); // Session should NOT change
expect(result.isNewSession).toBe(false);
});
it("Reset trigger works when RawBody is clean but Body has wrapped context", async () => {
const storePath = await createStorePath("clawdbot-group-rawbody-");
const sessionKey = "agent:main:whatsapp:group:G1";
const existingSessionId = "existing-session-123";
await seedSessionStore({
storePath,
sessionKey,
sessionId: existingSessionId,
});
const cfg = makeCfg({
storePath,
allowFrom: ["*"],
});
const groupMessageCtx = {
// Body is wrapped with context prefixes
Body: `[WhatsApp 120363406150318674@g.us 2026-01-13T07:45Z] Jake: /new\n[from: Jake (+1222)]`,
// RawBody is clean
RawBody: "/new",
CommandBody: "/new",
From: "120363406150318674@g.us",
To: "+1111",
ChatType: "group",
SessionKey: sessionKey,
Provider: "whatsapp",
SenderE164: "+1222",
};
const result = await initSessionState({
ctx: groupMessageCtx,
cfg,
commandAuthorized: true,
});
expect(result.triggerBodyNormalized).toBe("/new");
expect(result.isNewSession).toBe(true);
expect(result.sessionId).not.toBe(existingSessionId);
expect(result.bodyStripped).toBe("");
});
});

35
src/whatsapp/normalize.test.ts
View File

@@ -1,6 +1,10 @@
import { describe, expect, it } from "vitest"; import { describe, expect, it } from "vitest";
import { isWhatsAppGroupJid, normalizeWhatsAppTarget } from "./normalize.js"; import {
isWhatsAppGroupJid,
isWhatsAppUserJid,
normalizeWhatsAppTarget,
} from "./normalize.js";
describe("normalizeWhatsAppTarget", () => { describe("normalizeWhatsAppTarget", () => {
it("preserves group JIDs", () => { it("preserves group JIDs", () => {
@@ -24,6 +28,25 @@ describe("normalizeWhatsAppTarget", () => {
expect(normalizeWhatsAppTarget("1555123@s.whatsapp.net")).toBe("+1555123"); expect(normalizeWhatsAppTarget("1555123@s.whatsapp.net")).toBe("+1555123");
}); });
it("normalizes user JIDs with device suffix to E.164", () => {
// This is the bug fix: JIDs like "41796666864:0@s.whatsapp.net" should
// normalize to "+41796666864", not "+417966668640" (extra digit from ":0")
expect(normalizeWhatsAppTarget("41796666864:0@s.whatsapp.net")).toBe(
"+41796666864",
);
expect(normalizeWhatsAppTarget("1234567890:123@s.whatsapp.net")).toBe(
"+1234567890",
);
// Without device suffix still works
expect(normalizeWhatsAppTarget("41796666864@s.whatsapp.net")).toBe(
"+41796666864",
);
});
it("normalizes LID JIDs to E.164", () => {
expect(normalizeWhatsAppTarget("123456789@lid")).toBe("+123456789");
});
it("rejects invalid targets", () => { it("rejects invalid targets", () => {
expect(normalizeWhatsAppTarget("wat")).toBeNull(); expect(normalizeWhatsAppTarget("wat")).toBeNull();
expect(normalizeWhatsAppTarget("whatsapp:")).toBeNull(); expect(normalizeWhatsAppTarget("whatsapp:")).toBeNull();
@@ -37,6 +60,16 @@ describe("normalizeWhatsAppTarget", () => {
}); });
}); });
describe("isWhatsAppUserJid", () => {
it("detects user JIDs with various formats", () => {
expect(isWhatsAppUserJid("41796666864:0@s.whatsapp.net")).toBe(true);
expect(isWhatsAppUserJid("1234567890@s.whatsapp.net")).toBe(true);
expect(isWhatsAppUserJid("123456789@lid")).toBe(true);
expect(isWhatsAppUserJid("123456789-987654321@g.us")).toBe(false);
expect(isWhatsAppUserJid("+1555123")).toBe(false);
});
});
describe("isWhatsAppGroupJid", () => { describe("isWhatsAppGroupJid", () => {
it("detects group JIDs with or without prefixes", () => { it("detects group JIDs with or without prefixes", () => {
expect(isWhatsAppGroupJid("120363401234567890@g.us")).toBe(true); expect(isWhatsAppGroupJid("120363401234567890@g.us")).toBe(true);

31
src/whatsapp/normalize.ts
View File

@@ -1,5 +1,8 @@
import { normalizeE164 } from "../utils.js"; import { normalizeE164 } from "../utils.js";
const WHATSAPP_USER_JID_RE = /^(\d+)(?::\d+)?@s\.whatsapp\.net$/i;
const WHATSAPP_LID_RE = /^(\d+)@lid$/i;
function stripWhatsAppTargetPrefixes(value: string): string { function stripWhatsAppTargetPrefixes(value: string): string {
let candidate = value.trim(); let candidate = value.trim();
for (;;) { for (;;) {
@@ -21,6 +24,27 @@ export function isWhatsAppGroupJid(value: string): boolean {
return /^[0-9]+(-[0-9]+)*$/.test(localPart); return /^[0-9]+(-[0-9]+)*$/.test(localPart);
} }
/**
* Check if value looks like a WhatsApp user JID (e.g. "41796666864:0@s.whatsapp.net" or "123@lid").
*/
export function isWhatsAppUserJid(value: string): boolean {
const candidate = stripWhatsAppTargetPrefixes(value);
return WHATSAPP_USER_JID_RE.test(candidate) || WHATSAPP_LID_RE.test(candidate);
}
/**
* Extract the phone number from a WhatsApp user JID.
* "41796666864:0@s.whatsapp.net" -> "41796666864"
* "123456@lid" -> "123456"
*/
function extractUserJidPhone(jid: string): string | null {
const userMatch = jid.match(WHATSAPP_USER_JID_RE);
if (userMatch) return userMatch[1];
const lidMatch = jid.match(WHATSAPP_LID_RE);
if (lidMatch) return lidMatch[1];
return null;
}
export function normalizeWhatsAppTarget(value: string): string | null { export function normalizeWhatsAppTarget(value: string): string | null {
const candidate = stripWhatsAppTargetPrefixes(value); const candidate = stripWhatsAppTargetPrefixes(value);
if (!candidate) return null; if (!candidate) return null;
@@ -28,6 +52,13 @@ export function normalizeWhatsAppTarget(value: string): string | null {
const localPart = candidate.slice(0, candidate.length - "@g.us".length); const localPart = candidate.slice(0, candidate.length - "@g.us".length);
return `${localPart}@g.us`; return `${localPart}@g.us`;
} }
// Handle user JIDs (e.g. "41796666864:0@s.whatsapp.net")
if (isWhatsAppUserJid(candidate)) {
const phone = extractUserJidPhone(candidate);
if (!phone) return null;
const normalized = normalizeE164(phone);
return normalized.length > 1 ? normalized : null;
}
const normalized = normalizeE164(candidate); const normalized = normalizeE164(candidate);
return normalized.length > 1 ? normalized : null; return normalized.length > 1 ? normalized : null;
} }