fix: harden whatsapp command auth

2026-01-15 07:53:12 +00:00
parent 8c4b8f2c38
commit 8dacafce7f
7 changed files with 286 additions and 21 deletions
--- a/src/auto-reply/command-auth.test.ts
+++ b/src/auto-reply/command-auth.test.ts
@@ -96,4 +96,27 @@ describe("resolveCommandAuthorization", () => {
    expect(auth.senderId).toBe("+123");
    expect(auth.isAuthorizedSender).toBe(true);
  });
+
+  it("prefers SenderE164 when SenderId does not match allowFrom", () => {
+    const cfg = {
+      channels: { whatsapp: { allowFrom: ["+41796666864"] } },
+    } as ClawdbotConfig;
+
+    const ctx = {
+      Provider: "whatsapp",
+      Surface: "whatsapp",
+      From: "whatsapp:120363401234567890@g.us",
+      SenderId: "123@lid",
+      SenderE164: "+41796666864",
+    } as MsgContext;
+
+    const auth = resolveCommandAuthorization({
+      ctx,
+      cfg,
+      commandAuthorized: true,
+    });
+
+    expect(auth.senderId).toBe("+41796666864");
+    expect(auth.isAuthorizedSender).toBe(true);
+  });
 });
--- a/src/auto-reply/command-auth.ts
+++ b/src/auto-reply/command-auth.ts
@@ -61,35 +61,49 @@ function normalizeAllowFromEntry(params: {
  cfg: ClawdbotConfig;
  accountId?: string | null;
  value: string;
-}): string | undefined {
-  return formatAllowFromList({
+}): string[] {
+  const normalized = formatAllowFromList({
    dock: params.dock,
    cfg: params.cfg,
    accountId: params.accountId,
    allowFrom: [params.value],
-  })[0];
+  });
+  return normalized.filter((entry) => entry.trim().length > 0);
 }

-function resolveSenderId(params: {
+function resolveSenderCandidates(params: {
  dock?: ChannelDock;
+  providerId?: ChannelId;
  cfg: ClawdbotConfig;
  accountId?: string | null;
  senderId?: string | null;
  senderE164?: string | null;
  from?: string | null;
-}): string | undefined {
+}): string[] {
  const { dock, cfg, accountId } = params;
-
-  const senderCandidates = [params.senderId, params.senderE164, params.from]
-    .map((value) => (value ?? "").trim())
-    .filter(Boolean);
-
-  for (const sender of senderCandidates) {
-    const normalized = normalizeAllowFromEntry({ dock, cfg, accountId, value: sender });
-    if (normalized) return normalized;
+  const candidates: string[] = [];
+  const pushCandidate = (value?: string | null) => {
+    const trimmed = (value ?? "").trim();
+    if (!trimmed) return;
+    candidates.push(trimmed);
+  };
+  if (params.providerId === "whatsapp") {
+    pushCandidate(params.senderE164);
+    pushCandidate(params.senderId);
+  } else {
+    pushCandidate(params.senderId);
+    pushCandidate(params.senderE164);
  }
+  pushCandidate(params.from);

-  return undefined;
+  const normalized: string[] = [];
+  for (const sender of candidates) {
+    const entries = normalizeAllowFromEntry({ dock, cfg, accountId, value: sender });
+    for (const entry of entries) {
+      if (!normalized.includes(entry)) normalized.push(entry);
+    }
+  }
+  return normalized;
 }

 export function resolveCommandAuthorization(params: {
@@ -122,25 +136,30 @@ export function resolveCommandAuthorization(params: {
      accountId: ctx.AccountId,
      value: to,
    });
-    if (normalizedTo) ownerCandidates.push(normalizedTo);
+    if (normalizedTo.length > 0) ownerCandidates.push(...normalizedTo);
  }
-  const ownerList = ownerCandidates;
+  const ownerList = Array.from(new Set(ownerCandidates));

-  const senderId = resolveSenderId({
+  const senderCandidates = resolveSenderCandidates({
    dock,
+    providerId,
    cfg,
    accountId: ctx.AccountId,
    senderId: ctx.SenderId,
    senderE164: ctx.SenderE164,
    from,
  });
+  const matchedSender = ownerList.length
+    ? senderCandidates.find((candidate) => ownerList.includes(candidate))
+    : undefined;
+  const senderId = matchedSender ?? senderCandidates[0];

  const enforceOwner = Boolean(dock?.commands?.enforceOwnerForCommands);
  const isOwner =
    !enforceOwner ||
    allowAll ||
    ownerList.length === 0 ||
-    (senderId ? ownerList.includes(senderId) : false);
+    Boolean(matchedSender);
  const isAuthorizedSender = commandAuthorized && isOwner;

  return {
--- a/src/auto-reply/reply/session-reset-group.test.ts
+++ b/src/auto-reply/reply/session-reset-group.test.ts
@@ -167,4 +167,87 @@ describe("initSessionState reset triggers in WhatsApp groups", () => {
    expect(result.sessionId).not.toBe(existingSessionId);
    expect(result.bodyStripped).toBe("");
  });
+
+  it("Reset trigger /new works when SenderId is LID but SenderE164 is authorized", async () => {
+    const storePath = await createStorePath("clawdbot-group-reset-lid-");
+    const sessionKey = "agent:main:whatsapp:group:120363406150318674@g.us";
+    const existingSessionId = "existing-session-123";
+    await seedSessionStore({
+      storePath,
+      sessionKey,
+      sessionId: existingSessionId,
+    });
+
+    const cfg = makeCfg({
+      storePath,
+      allowFrom: ["+41796666864"],
+    });
+
+    const groupMessageCtx = {
+      Body: `[WhatsApp 120363406150318674@g.us 2026-01-13T07:45Z] Owner: /new\n[from: Owner (+41796666864)]`,
+      RawBody: "/new",
+      CommandBody: "/new",
+      From: "120363406150318674@g.us",
+      To: "+41779241027",
+      ChatType: "group",
+      SessionKey: sessionKey,
+      Provider: "whatsapp",
+      Surface: "whatsapp",
+      SenderName: "Owner",
+      SenderE164: "+41796666864",
+      SenderId: "123@lid",
+    };
+
+    const result = await initSessionState({
+      ctx: groupMessageCtx,
+      cfg,
+      commandAuthorized: true,
+    });
+
+    expect(result.triggerBodyNormalized).toBe("/new");
+    expect(result.isNewSession).toBe(true);
+    expect(result.sessionId).not.toBe(existingSessionId);
+    expect(result.bodyStripped).toBe("");
+  });
+
+  it("Reset trigger /new blocked when SenderId is LID but SenderE164 is unauthorized", async () => {
+    const storePath = await createStorePath("clawdbot-group-reset-lid-unauth-");
+    const sessionKey = "agent:main:whatsapp:group:120363406150318674@g.us";
+    const existingSessionId = "existing-session-123";
+    await seedSessionStore({
+      storePath,
+      sessionKey,
+      sessionId: existingSessionId,
+    });
+
+    const cfg = makeCfg({
+      storePath,
+      allowFrom: ["+41796666864"],
+    });
+
+    const groupMessageCtx = {
+      Body: `[WhatsApp 120363406150318674@g.us 2026-01-13T07:45Z] Other: /new\n[from: Other (+1555123456)]`,
+      RawBody: "/new",
+      CommandBody: "/new",
+      From: "120363406150318674@g.us",
+      To: "+41779241027",
+      ChatType: "group",
+      SessionKey: sessionKey,
+      Provider: "whatsapp",
+      Surface: "whatsapp",
+      SenderName: "Other",
+      SenderE164: "+1555123456",
+      SenderId: "123@lid",
+    };
+
+    const result = await initSessionState({
+      ctx: groupMessageCtx,
+      cfg,
+      commandAuthorized: true,
+    });
+
+    expect(result.triggerBodyNormalized).toBe("/new");
+    expect(result.sessionId).toBe(existingSessionId);
+    expect(result.isNewSession).toBe(false);
+  });
 });