
fix(feishu): correct invalid scope name in permission grant URL #31943

Closed
Sid-Qin wants to merge 1 commit into openclaw:main from Sid-Qin:fix/31761-feishu-scope

@Sid-Qin Sid-Qin commented Mar 2, 2026

Summary

  • Problem: The Feishu API returns permission error (code 99991672) with a grant URL containing the non-existent scope contact:contact.base:readonly. The correct scope is contact:user.base:readonly.
  • Impact: Every message triggers a system-injected error with a useless authorization URL. Users/admins cannot grant the permission because the scope doesn't exist.
  • Fix: Added a scope correction map in extractPermissionError that replaces known incorrect scope names (both raw and URL-encoded) in the grant URL before presenting it to the user.

Change Type (select all)

  • Bug fix
  • Feature
  • Refactor
  • Docs
  • Security hardening
  • Chore/infra

Scope (select all touched areas)

  • Gateway / orchestration
  • Skills / tool execution
  • Auth / tokens
  • Memory / storage
  • Integrations
  • API / contracts
  • UI / DX
  • CI/CD / infra

Linked Issue/PR

User-visible / Behavior Changes

  • Permission grant URL now contains the correct scope contact:user.base:readonly
  • Admins can successfully authorize the permission via the corrected URL

Security Impact (required)

  • New permissions/capabilities? No
  • Secrets/tokens handling changed? No
  • New/changed network calls? No
  • Command/tool execution surface changed? No
  • Data access scope changed? No

Repro + Verification

Steps

  1. Configure Feishu bot without contact:user.base:readonly granted
  2. Send message to bot in direct chat
  3. System injects error with corrected grant URL

Expected

Grant URL contains contact:user.base:readonly, admin can authorize.

Actual (before fix)

Grant URL contains contact:contact.base:readonly, which doesn't exist on Feishu Open Platform.

Evidence

✓ extensions/feishu tests: 220 passed

Human Verification (required)

  • Verified scenarios: 220 Feishu tests pass, TS compiles cleanly, URL-encoded and raw scope replacement both tested
  • Edge cases checked: Multiple incorrect scopes in URL, no match (passthrough), URL without scope
  • What I did not verify: Live Feishu API call with permission error

Compatibility / Migration

  • Backward compatible? Yes — only affects grant URL correction
  • Config/env changes? No
  • Migration needed? No

Failure Recovery (if this breaks)

  • How to disable/revert: Remove FEISHU_SCOPE_CORRECTIONS and correctFeishuScopeInUrl from bot.ts
  • Known bad symptoms: If Feishu fixes the scope name in their API, the correction map becomes a no-op (harmless)

The Feishu API returns error code 99991672 with an authorization URL
containing the non-existent scope `contact:contact.base:readonly`
when the `contact.user.get` endpoint is called without the correct
permission. The valid scope is `contact:user.base:readonly`.

Add a scope correction map that replaces known incorrect scope names
in the extracted grant URL before presenting it to the user/agent,
so the authorization link actually works.

Closes openclaw#31761

greptile-apps bot commented Mar 2, 2026

Greptile Summary

Fixes Feishu API bug where permission error responses contain invalid scope name contact:contact.base:readonly instead of correct contact:user.base:readonly.

  • Added FEISHU_SCOPE_CORRECTIONS map to define scope name corrections
  • Implemented correctFeishuScopeInUrl() to replace incorrect scopes in grant URLs
  • Handles both URL-encoded (contact%3Acontact.base%3Areadonly) and raw scope formats
  • Corrects grant URLs before presenting to users/admins, enabling successful permission authorization
  • Well-documented with clear explanation of the API quirk being worked around

The fix is pragmatic and localized - if Feishu resolves the API bug, the correction becomes a harmless no-op. All 220 Feishu tests pass.

Confidence Score: 4/5

  • Safe to merge - well-contained bug fix with comprehensive test coverage
  • Simple, focused change that addresses a specific API bug. The string replacement logic correctly handles both encoded and raw scope formats. Well-documented and all 220 tests pass. Minor point: no explicit unit test for the new function, though integration tests cover it.
  • No files require special attention

Last reviewed commit: 47e5727
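
The correction discussed in this thread, sketched as an added TypeScript example (not the PR's code and not the project's `correctFeishuScopeInUrl`). It goes slightly beyond plain string replacement: it rewrites only whole scope tokens and also accepts the lowercase `%3a` encoding. The function name, the host and the `q` parameter in the sample URLs are assumptions made for illustration.

```typescript
// Added example, not the PR's code. The two scope names come from the thread;
// everything else here (names, sample URLs) is constructed for illustration.
const SCOPE_CORRECTIONS: Record<string, string> = {
  "contact:contact.base:readonly": "contact:user.base:readonly",
};

// Matches either a percent-escape other than an encoded colon (returned
// unchanged, so "%2C" never glues onto the next token) or a maximal run of
// scope characters in which ":" may appear raw or as %3A / %3a.
const TOKEN_OR_ESCAPE = /%(?!3[Aa])[0-9A-Fa-f]{2}|(?:[\w.:-]|%3[Aa])+/g;

function correctScopesInGrantUrl(url: string): string {
  return url.replace(TOKEN_OR_ESCAPE, (tok: string): string => {
    const decoded = tok.replace(/%3[Aa]/g, ":");
    // Own-property check so tokens such as "constructor" never hit the prototype.
    const known = Object.prototype.hasOwnProperty.call(SCOPE_CORRECTIONS, decoded);
    const fixed = known ? SCOPE_CORRECTIONS[decoded] : undefined;
    // Only a whole token equal to a known-bad scope is rewritten; longer
    // names that merely contain it pass through untouched.
    if (fixed === undefined) return tok;
    // Keep the colon encoding the URL already used.
    const sep =
      tok.indexOf("%3a") >= 0 ? "%3a" : tok.indexOf("%3A") >= 0 ? "%3A" : ":";
    return fixed.split(":").join(sep);
  });
}

// Constructed sample inputs: raw, URL-encoded list, and a URL without scope.
const SAMPLE_URLS: string[] = [
  "https://open.example.test/auth?q=contact:contact.base:readonly&x=1",
  "https://open.example.test/auth?q=im%3Amessage%2Ccontact%3Acontact.base%3Areadonly",
  "https://open.example.test/auth?x=1",
];
for (const u of SAMPLE_URLS) {
  console.log(correctScopesInGrantUrl(u));
}
```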

@Sid-Qin

This comment was marked as spam.

@Takhoffman

Superseded by #32509.

Reason: this environment does not have permission to update the fork head branch for #31943 (Sid-Qin:fix/31761-feishu-scope), and update-branch/merge from the existing PR head was blocked.

#32509 contains the same functional fix plus the changelog entry, was verified locally with full gate (pnpm install --frozen-lockfile, pnpm build, pnpm check, pnpm test:macmini), and has been merged.


Labels

channel: feishu Channel integration: feishu size: XS


Development

Successfully merging this pull request may close these issues.

Feishu plugin checks non-existent scope contact:contact.base:readonly
