refactor(whatsapp): use async fs-safe credential checks

steipete · steipete · commit 9ec9fbf58d86 · 2026-05-21T07:38:51.000+01:00
diff --git a/extensions/whatsapp/src/auth-store.ts b/extensions/whatsapp/src/auth-store.ts
@@ -7,8 +7,8 @@ import { getChildLogger } from "openclaw/plugin-sdk/runtime-env";
 import { defaultRuntime, type RuntimeEnv } from "openclaw/plugin-sdk/runtime-env";
 import { resolveOAuthDir } from "./auth-store.runtime.js";
 import {
+  assertWebCredsPathRegularFileOrMissing,
   hasWebCredsSync,
-  isWebCredsPathRegularFileOrMissing,
   readWebCredsJsonRaw,
   readWebCredsJsonRawSync,
   resolveWebCredsBackupPath,
@@ -71,7 +71,9 @@ export async function restoreCredsFromBackupIfNeeded(authDir: string): Promise<b
   try {
     const credsPath = resolveWebCredsPath(authDir);
     const backupPath = resolveWebCredsBackupPath(authDir);
-    if (!isWebCredsPathRegularFileOrMissing(credsPath)) {
+    try {
+      await assertWebCredsPathRegularFileOrMissing(credsPath);
+    } catch {
       return false;
     }
     const raw = readCredsJsonRaw(credsPath);
diff --git a/extensions/whatsapp/src/creds-files.ts b/extensions/whatsapp/src/creds-files.ts
@@ -1,8 +1,10 @@
 import path from "node:path";
 import {
+  assertNoSymlinkParents,
   assertNoSymlinkParentsSync,
   readRegularFile,
   readRegularFileSync,
+  statRegularFile,
   statRegularFileSync,
 } from "openclaw/plugin-sdk/security-runtime";
 
@@ -14,22 +16,30 @@ export function resolveWebCredsBackupPath(authDir: string): string {
   return path.join(authDir, "creds.json.bak");
 }
 
-function assertWebCredsParentPathSafe(filePath: string): void {
+function resolveWebCredsParentCheck(filePath: string) {
   const dir = path.resolve(path.dirname(filePath));
-  assertNoSymlinkParentsSync({
+  return {
     rootDir: path.parse(dir).root,
     targetPath: dir,
     allowMissing: true,
     allowRootChildSymlink: true,
     requireDirectories: true,
     messagePrefix: "WhatsApp credential file path",
-  });
+  } as const;
 }
 
-export function assertWebCredsPathRegularFileOrMissing(filePath: string): void {
+async function assertWebCredsParentPathSafe(filePath: string): Promise<void> {
+  await assertNoSymlinkParents(resolveWebCredsParentCheck(filePath));
+}
+
+function assertWebCredsParentPathSafeSync(filePath: string): void {
+  assertNoSymlinkParentsSync(resolveWebCredsParentCheck(filePath));
+}
+
+export async function assertWebCredsPathRegularFileOrMissing(filePath: string): Promise<void> {
   try {
-    assertWebCredsParentPathSafe(filePath);
-    statRegularFileSync(filePath);
+    await assertWebCredsParentPathSafe(filePath);
+    await statRegularFile(filePath);
   } catch (error) {
     throw new Error(
       `WhatsApp credential file path is unsafe; creds.json must be a regular file or missing: ${filePath}`,
@@ -38,18 +48,9 @@ export function assertWebCredsPathRegularFileOrMissing(filePath: string): void {
   }
 }
 
-export function isWebCredsPathRegularFileOrMissing(filePath: string): boolean {
-  try {
-    assertWebCredsPathRegularFileOrMissing(filePath);
-    return true;
-  } catch {
-    return false;
-  }
-}
-
 export function readWebCredsJsonRawSync(filePath: string): string | null {
   try {
-    assertWebCredsParentPathSafe(filePath);
+    assertWebCredsParentPathSafeSync(filePath);
     const { buffer, stat } = readRegularFileSync({
       filePath,
     });
@@ -61,7 +62,7 @@ export function readWebCredsJsonRawSync(filePath: string): string | null {
 
 export async function readWebCredsJsonRaw(filePath: string): Promise<string | null> {
   try {
-    assertWebCredsParentPathSafe(filePath);
+    await assertWebCredsParentPathSafe(filePath);
     const { buffer, stat } = await readRegularFile({
       filePath,
     });
@@ -73,7 +74,7 @@ export async function readWebCredsJsonRaw(filePath: string): Promise<string | nu
 
 export function statWebCredsFileSync(filePath: string): { mtimeMs: number; size: number } | null {
   try {
-    assertWebCredsParentPathSafe(filePath);
+    assertWebCredsParentPathSafeSync(filePath);
     const result = statRegularFileSync(filePath);
     if (result.missing || result.stat.size <= 1) {
       return null;
@@ -90,7 +91,7 @@ export function statWebCredsFileSync(filePath: string): { mtimeMs: number; size:
 export function hasWebCredsRegularFileSync(authDir: string): boolean {
   try {
     const credsPath = resolveWebCredsPath(authDir);
-    assertWebCredsParentPathSafe(credsPath);
+    assertWebCredsParentPathSafeSync(credsPath);
     return !statRegularFileSync(credsPath).missing;
   } catch {
     return false;
diff --git a/extensions/whatsapp/src/creds-persistence.ts b/extensions/whatsapp/src/creds-persistence.ts
@@ -18,7 +18,7 @@ export async function writeWebCredsRawAtomically(params: {
   content: string;
   tempPrefix: string;
 }): Promise<void> {
-  assertWebCredsPathRegularFileOrMissing(params.filePath);
+  await assertWebCredsPathRegularFileOrMissing(params.filePath);
   await replaceFileAtomic({
     filePath: params.filePath,
     content: params.content,
@@ -28,7 +28,7 @@ export async function writeWebCredsRawAtomically(params: {
     syncTempFile: true,
     syncParentDir: true,
     beforeRename: async ({ filePath }) => {
-      assertWebCredsPathRegularFileOrMissing(filePath);
+      await assertWebCredsPathRegularFileOrMissing(filePath);
     },
   });
 }
diff --git a/extensions/whatsapp/src/session.ts b/extensions/whatsapp/src/session.ts
@@ -72,8 +72,8 @@ const WHATSAPP_WEBSOCKET_PROXY_TARGET = "https://mmg.whatsapp.net/";
 const CREDS_FLUSH_TIMEOUT_MESSAGE =
   "Queued WhatsApp creds save did not finish before auth bootstrap; skipping repair and continuing with primary creds.";
 
-function rejectUnsafeWebCredsPath(authDir: string): void {
-  assertWebCredsPathRegularFileOrMissing(resolveWebCredsPath(authDir));
+async function rejectUnsafeWebCredsPath(authDir: string): Promise<void> {
+  await assertWebCredsPathRegularFileOrMissing(resolveWebCredsPath(authDir));
 }
 
 function enqueueSaveCreds(
@@ -148,17 +148,17 @@ export async function createWaSocket(
   );
   const logger = toPinoLikeLogger(baseLogger, verbose ? "info" : "silent");
   const authDir = resolveUserPath(opts.authDir ?? resolveDefaultWebAuthDir());
-  rejectUnsafeWebCredsPath(authDir);
+  await rejectUnsafeWebCredsPath(authDir);
   await ensureDir(authDir);
   const sessionLogger = getChildLogger({ module: "web-session" });
   const queueResult = await waitForCredsSaveQueueWithTimeout(authDir);
   if (queueResult === "timed_out") {
     sessionLogger.warn({ authDir }, CREDS_FLUSH_TIMEOUT_MESSAGE);
   } else {
-    rejectUnsafeWebCredsPath(authDir);
+    await rejectUnsafeWebCredsPath(authDir);
     await restoreCredsFromBackupIfNeeded(authDir);
   }
-  rejectUnsafeWebCredsPath(authDir);
+  await rejectUnsafeWebCredsPath(authDir);
   const { state } = await useMultiFileAuthState(authDir);
   const saveCreds = async () => {
     await writeCredsJsonAtomically(authDir, state.creds);
diff --git a/src/infra/fs-safe.ts b/src/infra/fs-safe.ts
@@ -30,6 +30,7 @@ export {
   readRegularFile,
   readRegularFileSync,
   resolveRegularFileAppendFlags,
+  statRegularFile,
   statRegularFileSync,
 } from "@openclaw/fs-safe/advanced";
 export {
diff --git a/src/plugin-sdk/security-runtime.ts b/src/plugin-sdk/security-runtime.ts
@@ -37,6 +37,7 @@ export {
   readRegularFileSync,
   resolveRegularFileAppendFlags,
   root,
+  statRegularFile,
   statRegularFileSync,
   writeExternalFileWithinRoot,
   withTimeout,
