feat(googlechat): support Google Workspace Add-on event format

2026-01-24 01:12:48 +00:00
parent 0f6e39b9e8
commit 5991bed32e
4 changed files with 91 additions and 16 deletions
--- a/extensions/googlechat/src/auth.ts
+++ b/extensions/googlechat/src/auth.ts
@@ -4,6 +4,8 @@ import type { ResolvedGoogleChatAccount } from "./accounts.js";

 const CHAT_SCOPE = "https://www.googleapis.com/auth/chat.bot";
 const CHAT_ISSUER = "chat@system.gserviceaccount.com";
+// Google Workspace Add-ons use a different service account pattern
+const ADDON_ISSUER_PATTERN = /^service-\d+@gcp-sa-gsuiteaddons\.iam\.gserviceaccount\.com$/;
 const CHAT_CERTS_URL =
  "https://www.googleapis.com/service_accounts/v1/metadata/x509/chat@system.gserviceaccount.com";

@@ -87,8 +89,9 @@ export async function verifyGoogleChatRequest(params: {
        audience,
      });
      const payload = ticket.getPayload();
-      const ok = Boolean(payload?.email_verified) && payload?.email === CHAT_ISSUER;
-      return ok ? { ok: true } : { ok: false, reason: "invalid issuer" };
+      const email = payload?.email ?? "";
+      const ok = payload?.email_verified && (email === CHAT_ISSUER || ADDON_ISSUER_PATTERN.test(email));
+      return ok ? { ok: true } : { ok: false, reason: `invalid issuer: ${email}` };
    } catch (err) {
      return { ok: false, reason: err instanceof Error ? err.message : "invalid token" };
    }
--- a/extensions/googlechat/src/monitor.ts
+++ b/extensions/googlechat/src/monitor.ts
@@ -12,7 +12,14 @@ import {
 } from "./api.js";
 import { verifyGoogleChatRequest, type GoogleChatAudienceType } from "./auth.js";
 import { getGoogleChatRuntime } from "./runtime.js";
-import type { GoogleChatAnnotation, GoogleChatAttachment, GoogleChatEvent } from "./types.js";
+import type {
+  GoogleChatAnnotation,
+  GoogleChatAttachment,
+  GoogleChatEvent,
+  GoogleChatSpace,
+  GoogleChatMessage,
+  GoogleChatUser,
+} from "./types.js";

 export type GoogleChatRuntimeEnv = {
  log?: (message: string) => void;
@@ -168,44 +175,76 @@ export async function handleGoogleChatWebhookRequest(
    return true;
  }

-  const raw = body.value;
+  let raw = body.value;
  if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
    res.statusCode = 400;
    res.end("invalid payload");
    return true;
  }

-  const eventType = (raw as { type?: string; eventType?: string }).type ??
-    (raw as { type?: string; eventType?: string }).eventType;
+  // Transform Google Workspace Add-on format to standard Chat API format
+  const rawObj = raw as {
+    commonEventObject?: { hostApp?: string };
+    chat?: {
+      messagePayload?: { space?: GoogleChatSpace; message?: GoogleChatMessage };
+      user?: GoogleChatUser;
+      eventTime?: string;
+    };
+    authorizationEventObject?: { systemIdToken?: string };
+  };
+
+  if (rawObj.commonEventObject?.hostApp === "CHAT" && rawObj.chat?.messagePayload) {
+    const chat = rawObj.chat;
+    const messagePayload = chat.messagePayload;
+    raw = {
+      type: "MESSAGE",
+      space: messagePayload?.space,
+      message: messagePayload?.message,
+      user: chat.user,
+      eventTime: chat.eventTime,
+    };
+    
+    // For Add-ons, the bearer token may be in authorizationEventObject.systemIdToken
+    const systemIdToken = rawObj.authorizationEventObject?.systemIdToken;
+    if (!bearer && systemIdToken) {
+      Object.assign(req.headers, { authorization: `Bearer ${systemIdToken}` });
+    }
+  }
+
+  const event = raw as GoogleChatEvent;
+  const eventType = event.type ?? (raw as { eventType?: string }).eventType;
  if (typeof eventType !== "string") {
    res.statusCode = 400;
    res.end("invalid payload");
    return true;
  }

-  const rawObj = raw as Record<string, unknown>;
-  if (!rawObj.space || typeof rawObj.space !== "object" || Array.isArray(rawObj.space)) {
+  if (!event.space || typeof event.space !== "object" || Array.isArray(event.space)) {
    res.statusCode = 400;
    res.end("invalid payload");
    return true;
  }

  if (eventType === "MESSAGE") {
-    if (!rawObj.message || typeof rawObj.message !== "object" || Array.isArray(rawObj.message)) {
+    if (!event.message || typeof event.message !== "object" || Array.isArray(event.message)) {
      res.statusCode = 400;
      res.end("invalid payload");
      return true;
    }
  }

-  const event = raw as GoogleChatEvent;
+  // Re-extract bearer in case it was updated from Add-on format
+  const authHeaderNow = String(req.headers.authorization ?? "");
+  const effectiveBearer = authHeaderNow.toLowerCase().startsWith("bearer ")
+    ? authHeaderNow.slice("bearer ".length)
+    : bearer;

  let selected: WebhookTarget | undefined;
  for (const target of targets) {
    const audienceType = target.audienceType;
    const audience = target.audience;
    const verification = await verifyGoogleChatRequest({
-      bearer,
+      bearer: effectiveBearer,
      audienceType,
      audience,
    });