
Commit 8be3a44

committed
fix(feishu): read webhook bodies through pre-auth guard
1 parent fa2fab7 commit 8be3a44

2 files changed

Lines changed: 17 additions & 22 deletions


Lines changed: 4 additions & 6 deletions
@@ -1,9 +1,7 @@
11
export type { RuntimeEnv } from "../runtime-api.js";
22
export { safeEqualSecret } from "openclaw/plugin-sdk/browser-security-runtime";
3+
export { applyBasicWebhookRequestGuards } from "openclaw/plugin-sdk/webhook-ingress";
34
export {
4-
applyBasicWebhookRequestGuards,
5-
isRequestBodyLimitError,
6-
readRequestBodyWithLimit,
7-
requestBodyErrorToText,
8-
} from "openclaw/plugin-sdk/webhook-ingress";
9-
export { installRequestBodyLimitGuard } from "openclaw/plugin-sdk/webhook-request-guards";
5+
installRequestBodyLimitGuard,
6+
readWebhookBodyOrReject,
7+
} from "openclaw/plugin-sdk/webhook-request-guards";

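--- a/extensions/feishu/src/monitor.transport.ts
+++ b/extensions/feishu/src/monitor.transport.ts
@@ -4,11 +4,9 @@ import * as Lark from "@larksuiteoapi/node-sdk";
 import { createFeishuWSClient } from "./client.js";
 import {
 applyBasicWebhookRequestGuards,
-isRequestBodyLimitError,
 type RuntimeEnv,
 installRequestBodyLimitGuard,
-readRequestBodyWithLimit,
-requestBodyErrorToText,
+readWebhookBodyOrReject,
 safeEqualSecret,
 } from "./monitor-transport-runtime-api.js";
 import {
@@ -190,13 +188,20 @@ export async function monitorWebhook({
 
 void (async () => {
 try {
-const rawBody = await readRequestBodyWithLimit(req, {
+const body = await readWebhookBodyOrReject({
+req,
+res,
 maxBytes: FEISHU_WEBHOOK_MAX_BODY_BYTES,
 timeoutMs: FEISHU_WEBHOOK_BODY_TIMEOUT_MS,
+profile: "pre-auth",
 });
-if (guard.isTripped() || res.writableEnded) {
+if (!body.ok || res.writableEnded) {
 return;
 }
+if (guard.isTripped()) {
+return;
+}
+const rawBody = body.value;
 
 // Reject invalid signatures before any JSON parsing to keep the auth boundary strict.
 if (
@@ -235,17 +240,9 @@ export async function monitorWebhook({
 res.end(JSON.stringify(value));
 }
 } catch (err) {
-if (isRequestBodyLimitError(err)) {
-if (!res.headersSent) {
-respondText(res, err.statusCode, requestBodyErrorToText(err.code));
-}
-return;
-}
-if (!guard.isTripped()) {
-error(`feishu[${accountId}]: webhook handler error: ${String(err)}`);
-if (!res.headersSent) {
-respondText(res, 500, "Internal Server Error");
-}
+error(`feishu[${accountId}]: webhook handler error: ${String(err)}`);
+if (!res.headersSent) {
+respondText(res, 500, "Internal Server Error");
 }
 } finally {
 guard.dispose();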
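Review bot: The rewritten catch block in the last hunk no longer checks `guard.isTripped()`, so any exception raised after the body-limit guard has already rejected the request is now logged as a handler error, and this code runs before the signature check. Whether `installRequestBodyLimitGuard` can make the read or later steps throw is not visible here, but if it can, an unauthenticated sender could produce one error log line per oversized or stalled request. Restoring the early exit as the first line of the catch, `if (guard.isTripped()) return;`, would keep the previous behaviour while still dropping the removed limit-error branch. It would also help to add a comment at the `readWebhookBodyOrReject` call such as `// explicit maxBytes/timeoutMs are passed alongside profile "pre-auth"; confirm which takes precedence`, since the hunk does not show how the two interact. The body of `monitorWebhook` starts and ends outside these hunks.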
