[WhatsApp] Gateway does not resolve LID to phone number for user authorization

[devyfriend]

Summary

The Hermes Gateway does not resolve WhatsApp LID (Linked Identity Device) format to phone numbers when checking user authorization, while the WhatsApp bridge does. This causes users to be rejected at the gateway level even when their phone number is correctly configured in WHATSAPP_ALLOWED_USERS.

Environment

• Hermes version: Latest (as of 2026-03-25)
• Platform: WhatsApp
• Mode: Bot

Problem Description

WhatsApp now uses LID (Linked Identity Device) format for user identification, e.g., 123456789012345@lid. The session stores mapping files between phone numbers and LIDs:

~/.hermes/whatsapp/session/lid-mapping-628123456789.json → "123456789012345"
~/.hermes/whatsapp/session/lid-mapping-123456789012345_reverse.json → "628123456789"

Current Behavior

There are two authorization layers with inconsistent handling:

1. WhatsApp Bridge (scripts/whatsapp-bridge/bridge.js, lines 192-194):

if (!msg.key.fromMe && ALLOWED_USERS.length > 0) {
  const resolvedNumber = lidToPhone[senderNumber] || senderNumber;
  if (!ALLOWED_USERS.includes(resolvedNumber)) continue;
}

The bridge correctly resolves LID to phone number using the lidToPhone mapping before checking ALLOWED_USERS.

2. Hermes Gateway (gateway/run.py):

if not self._is_user_authorized(source):
    logger.warning("Unauthorized user: %s (%s) on %s", source.user_id, source.user_name, source.platform.value)

The gateway does not resolve LID to phone number. It passes the raw source.user_id (e.g., 123456789012345@lid) to _is_user_authorized(), which checks against WHATSAPP_ALLOWED_USERS.

Result

When a user with phone number 628123456789 sends a message:

1. ✅ Bridge allows the message (resolves LID 123456789012345 → phone 628123456789, found in allowed list)
2. ❌ Gateway rejects the message (checks LID 123456789012345@lid against allowed list, not found)

Gateway logs:

WARNING gateway.run: Unauthorized user: 123456789012345@lid (username) on whatsapp
WARNING gateway.platforms.base: [Whatsapp] Handler returned empty/None response for 120363XXXXXXXXXXX@g.us

Workaround

Users must add both phone number and LID to WHATSAPP_ALLOWED_USERS:

WHATSAPP_ALLOWED_USERS=628123456789,123456789012345

This works but contradicts the documentation which states only phone numbers are needed:

WHATSAPP_ALLOWED_USERS=15551234567         # Comma-separated phone numbers (with country code, no +)

Expected Behavior

The gateway should resolve LID to phone number (using the same mapping the bridge uses) before checking authorization, so users only need to specify phone numbers in WHATSAPP_ALLOWED_USERS.

Suggested Fix

The gateway should:

1. Load LID-to-phone mappings from session files (~/.hermes/whatsapp/session/lid-mapping-*.json)
2. When checking _is_user_authorized(), if the user_id is in LID format (*@lid), resolve it to the phone number first
3. Then check the resolved phone number against WHATSAPP_ALLOWED_USERS

Alternatively, the bridge could send the resolved phone number in the message event instead of the raw LID.

Steps to Reproduce

1. Set up Hermes with WhatsApp bot mode
2. Pair WhatsApp account and note your phone number (e.g., 628123456789)
3. Set WHATSAPP_ALLOWED_USERS=628123456789 (phone number only)
4. Send a message to the bot from that WhatsApp account
5. Observe the gateway logs showing "Unauthorized user: XXXXXXXXX@lid"
6. Bot does not respond

Additional Context

• This affects both DM and group messages
• The LID mapping files are already available in the session directory
• This issue was discovered and verified through testing on a live system

Related Files

• gateway/platforms/whatsapp.py - WhatsApp platform adapter
• gateway/run.py - Gateway authorization logic
• scripts/whatsapp-bridge/bridge.js - Bridge with working LID resolution
• website/docs/user-guide/messaging/whatsapp.md - Documentation

[keiravoss94]

Additional finding (sanitized): this LID/phone alias gap also affects session continuity, not just allowlist auth.\n\nObserved behavior:\n- The same WhatsApp user can appear as on one message and on another.\n- DM session keys currently use raw , so those two identifiers create different session keys.\n- Result: the assistant appears to "forget" prior context because conversation state is split across two sessions.\n\nImpact:\n- Reproducible in direct messages (no group/listen-only features involved).\n- Looks like intermittent memory loss even though session reset policy is unchanged.\n\nRecommendation:\n- Reuse the same alias expansion used for auth when building WhatsApp DM session keys, so LID and phone-JID resolve to one canonical identity.

[keiravoss94]

Correction / formatting-safe re-post:

Additional finding (sanitized): this LID/phone alias gap also affects session continuity, not just allowlist auth.

Observed behavior:

• The same WhatsApp user can appear as @lid on one message and @s.whatsapp.net on another.
• DM session keys currently use raw chat_id, so those two identifiers create different session keys.
• Result: the assistant appears to "forget" prior context because conversation state is split across two sessions.

Impact:

• Reproducible in direct messages (no group/listen-only features involved).
• Looks like intermittent memory loss even though session reset policy is unchanged.

Recommendation:

• Reuse the same alias expansion used for auth when building WhatsApp DM session keys, so LID and phone-JID resolve to one canonical identity.

[alt-glitch]

Related: #3830 (merged, gateway-side LID resolution) and #3219 (open, bridge-side complement). Gateway-side was merged but this issue may still surface if the gateway auth layer was not fully patched. Also related to #17189 (JID normalization).

[alt-glitch]

Related: #3830 (merged, gateway-side LID resolution) and #3219 (open, bridge-side complement).

[teknium1]

This appears to be implemented on current main. Automated hermes-sweeper review found the gateway-side WhatsApp LID/phone authorization gap fixed, and the later session-continuity concern from the discussion is covered too.

Evidence:

• gateway/authz_mixin.py:316 expands WhatsApp allowlist entries and incoming sender IDs through the bridge LID/phone alias mapping before authorization comparison.
• gateway/whatsapp_identity.py:70 reads $HERMES_HOME/whatsapp/session/lid-mapping-*.json and *_reverse.json files and returns the resolved alias set.
• tests/gateway/test_unauthorized_dm_behavior.py:77 covers the reported repro: WHATSAPP_ALLOWED_USERS contains only the phone number, the incoming user_id is @lid, and _is_user_authorized() returns True.
• gateway/session.py:629 and gateway/session.py:658 canonicalize WhatsApp DM and group participant IDs for session keys, addressing the follow-up note about phone-JID/LID variants splitting conversation state.
• The main auth fix landed in 3e2c8c529bfeb6ac530bcff1884ce5dc11162e2d (fix(whatsapp): resolve LID↔phone aliases in allowlist matching (#3830)), which is contained in v2026.3.30.