@gakr-gakr/whatsapp 0.1.0

package/src/inbound/access-control.ts

@@ -0,0 +1,187 @@
+import { createChannelPairingChallengeIssuer } from "autobot/plugin-sdk/channel-pairing";
+import type { AutoBotConfig } from "autobot/plugin-sdk/config-contracts";
+import { upsertChannelPairingRequest } from "autobot/plugin-sdk/conversation-runtime";
+import { defaultRuntime } from "autobot/plugin-sdk/runtime-env";
+import { warnMissingProviderGroupPolicyFallbackOnce } from "autobot/plugin-sdk/runtime-group-policy";
+import { resolveWhatsAppInboundPolicy, resolveWhatsAppIngressAccess } from "../inbound-policy.js";
+
+export type InboundAccessControlResult = {
+  allowed: boolean;
+  shouldMarkRead: boolean;
+  isSelfChat: boolean;
+  resolvedAccountId: string;
+};
+
+const PAIRING_REPLY_HISTORY_GRACE_MS = 30_000;
+
+function logWhatsAppVerbose(enabled: boolean | undefined, message: string) {
+  if (!enabled) {
+    return;
+  }
+  defaultRuntime.log(message);
+}
+
+export async function checkInboundAccessControl(params: {
+  cfg: AutoBotConfig;
+  accountId: string;
+  from: string;
+  selfE164: string | null;
+  senderE164: string | null;
+  group: boolean;
+  pushName?: string;
+  isFromMe: boolean;
+  messageTimestampMs?: number;
+  connectedAtMs?: number;
+  pairingGraceMs?: number;
+  verbose?: boolean;
+  sock: {
+    sendMessage: (jid: string, content: { text: string }) => Promise<unknown>;
+  };
+  remoteJid: string;
+}): Promise<InboundAccessControlResult> {
+  const policy = resolveWhatsAppInboundPolicy({
+    cfg: params.cfg,
+    accountId: params.accountId,
+    selfE164: params.selfE164,
+  });
+  const pairingGraceMs =
+    typeof params.pairingGraceMs === "number" && params.pairingGraceMs > 0
+      ? params.pairingGraceMs
+      : PAIRING_REPLY_HISTORY_GRACE_MS;
+  const suppressPairingReply =
+    typeof params.connectedAtMs === "number" &&
+    typeof params.messageTimestampMs === "number" &&
+    params.messageTimestampMs < params.connectedAtMs - pairingGraceMs;
+
+  // Group policy filtering:
+  // - "open": groups bypass allowFrom, only mention-gating applies
+  // - "disabled": block all group messages entirely
+  // - "allowlist": only allow group messages from senders in groupAllowFrom/allowFrom
+  warnMissingProviderGroupPolicyFallbackOnce({
+    providerMissingFallbackApplied: policy.providerMissingFallbackApplied,
+    providerKey: "whatsapp",
+    accountId: policy.account.accountId,
+    log: (message) => logWhatsAppVerbose(params.verbose, message),
+  });
+  const access = await resolveWhatsAppIngressAccess({
+    cfg: params.cfg,
+    policy,
+    isGroup: params.group,
+    conversationId: params.remoteJid,
+    senderId: params.group ? params.senderE164 : params.from,
+    dmSenderId: params.from,
+  });
+  const { senderAccess } = access;
+  if (params.group && senderAccess.decision !== "allow") {
+    if (senderAccess.reasonCode === "group_policy_disabled") {
+      logWhatsAppVerbose(params.verbose, "Blocked group message (groupPolicy: disabled)");
+    } else if (senderAccess.reasonCode === "group_policy_empty_allowlist") {
+      logWhatsAppVerbose(
+        params.verbose,
+        "Blocked group message (groupPolicy: allowlist, no groupAllowFrom)",
+      );
+    } else {
+      logWhatsAppVerbose(
+        params.verbose,
+        `Blocked group message from ${params.senderE164 ?? "unknown sender"} (groupPolicy: allowlist)`,
+      );
+    }
+    return {
+      allowed: false,
+      shouldMarkRead: false,
+      isSelfChat: policy.isSelfChat,
+      resolvedAccountId: policy.account.accountId,
+    };
+  }
+
+  // DM access control (secure defaults): "pairing" (default) / "allowlist" / "open" / "disabled".
+  if (!params.group) {
+    if (params.isFromMe && !policy.isSamePhone(params.from)) {
+      logWhatsAppVerbose(params.verbose, "Skipping outbound DM (fromMe); no pairing reply needed.");
+      return {
+        allowed: false,
+        shouldMarkRead: false,
+        isSelfChat: policy.isSelfChat,
+        resolvedAccountId: policy.account.accountId,
+      };
+    }
+    if (senderAccess.decision === "block" && senderAccess.reasonCode === "dm_policy_disabled") {
+      logWhatsAppVerbose(params.verbose, "Blocked dm (dmPolicy: disabled)");
+      return {
+        allowed: false,
+        shouldMarkRead: false,
+        isSelfChat: policy.isSelfChat,
+        resolvedAccountId: policy.account.accountId,
+      };
+    }
+    if (senderAccess.decision === "pairing" && !policy.isSamePhone(params.from)) {
+      const candidate = params.from;
+      if (suppressPairingReply) {
+        logWhatsAppVerbose(
+          params.verbose,
+          `Skipping pairing reply for historical DM from ${candidate}.`,
+        );
+      } else {
+        await createChannelPairingChallengeIssuer({
+          channel: "whatsapp",
+          upsertPairingRequest: async ({ id, meta }) =>
+            await upsertChannelPairingRequest({
+              channel: "whatsapp",
+              id,
+              accountId: policy.account.accountId,
+              meta,
+            }),
+        })({
+          senderId: candidate,
+          senderIdLine: `Your WhatsApp phone number: ${candidate}`,
+          meta: { name: (params.pushName ?? "").trim() || undefined },
+          onCreated: () => {
+            logWhatsAppVerbose(
+              params.verbose,
+              `whatsapp pairing request sender=${candidate} name=${params.pushName ?? "unknown"}`,
+            );
+          },
+          sendPairingReply: async (text) => {
+            await params.sock.sendMessage(params.remoteJid, { text });
+          },
+          onReplyError: (err) => {
+            logWhatsAppVerbose(
+              params.verbose,
+              `whatsapp pairing reply failed for ${candidate}: ${String(err)}`,
+            );
+          },
+        });
+      }
+      return {
+        allowed: false,
+        shouldMarkRead: false,
+        isSelfChat: policy.isSelfChat,
+        resolvedAccountId: policy.account.accountId,
+      };
+    }
+    if (senderAccess.decision !== "allow") {
+      logWhatsAppVerbose(
+        params.verbose,
+        `Blocked unauthorized sender ${params.from} (dmPolicy=${policy.dmPolicy})`,
+      );
+      return {
+        allowed: false,
+        shouldMarkRead: false,
+        isSelfChat: policy.isSelfChat,
+        resolvedAccountId: policy.account.accountId,
+      };
+    }
+  }
+
+  return {
+    allowed: true,
+    shouldMarkRead: true,
+    isSelfChat: policy.isSelfChat,
+    resolvedAccountId: policy.account.accountId,
+  };
+}
+
+export const testing = {
+  resolveWhatsAppInboundPolicy,
+};
+export { testing as __testing };

package/src/inbound/dedupe.ts

@@ -0,0 +1,132 @@
+import { createClaimableDedupe } from "autobot/plugin-sdk/persistent-dedupe";
+
+const RECENT_WEB_MESSAGE_TTL_MS = 20 * 60_000;
+const RECENT_WEB_MESSAGE_MAX = 5000;
+const RECENT_OUTBOUND_MESSAGE_TTL_MS = 20 * 60_000;
+const RECENT_OUTBOUND_MESSAGE_MAX = 5000;
+
+const claimableInboundMessages = createClaimableDedupe({
+  ttlMs: RECENT_WEB_MESSAGE_TTL_MS,
+  memoryMaxSize: RECENT_WEB_MESSAGE_MAX,
+});
+const recentOutboundMessages = createRecentMessageCache({
+  ttlMs: RECENT_OUTBOUND_MESSAGE_TTL_MS,
+  maxSize: RECENT_OUTBOUND_MESSAGE_MAX,
+});
+
+function createRecentMessageCache(options: { ttlMs: number; maxSize: number }) {
+  const ttlMs = Math.max(0, options.ttlMs);
+  const maxSize = Math.max(0, Math.floor(options.maxSize));
+  const cache = new Map<string, number>();
+
+  const prune = (now: number) => {
+    if (ttlMs > 0) {
+      const cutoff = now - ttlMs;
+      for (const [key, timestamp] of cache) {
+        if (timestamp < cutoff) {
+          cache.delete(key);
+        }
+      }
+    }
+    while (cache.size > maxSize) {
+      const oldest = cache.keys().next().value;
+      if (!oldest) {
+        break;
+      }
+      cache.delete(oldest);
+    }
+  };
+
+  const peek = (key: string | null, now = Date.now()): boolean => {
+    if (!key) {
+      return false;
+    }
+    const timestamp = cache.get(key);
+    if (timestamp === undefined) {
+      return false;
+    }
+    if (ttlMs > 0 && now - timestamp >= ttlMs) {
+      cache.delete(key);
+      return false;
+    }
+    return true;
+  };
+
+  return {
+    check: (key: string | null, now = Date.now()): boolean => {
+      if (!key) {
+        return false;
+      }
+      const existed = peek(key, now);
+      cache.delete(key);
+      cache.set(key, now);
+      prune(now);
+      return existed;
+    },
+    peek,
+    clear: () => cache.clear(),
+  };
+}
+
+export class WhatsAppRetryableInboundError extends Error {
+  constructor(message: string, options?: ErrorOptions) {
+    super(message, options);
+    this.name = "WhatsAppRetryableInboundError";
+  }
+}
+
+function buildMessageKey(params: {
+  accountId: string;
+  remoteJid: string;
+  messageId: string;
+}): string | null {
+  const accountId = params.accountId.trim();
+  const remoteJid = params.remoteJid.trim();
+  const messageId = params.messageId.trim();
+  if (!accountId || !remoteJid || !messageId || messageId === "unknown") {
+    return null;
+  }
+  return `${accountId}:${remoteJid}:${messageId}`;
+}
+
+export function resetWebInboundDedupe(): void {
+  claimableInboundMessages.clearMemory();
+  recentOutboundMessages.clear();
+}
+
+export async function claimRecentInboundMessage(key: string): Promise<boolean> {
+  const claim = await claimableInboundMessages.claim(key);
+  return claim.kind === "claimed";
+}
+
+export async function commitRecentInboundMessage(key: string): Promise<void> {
+  await claimableInboundMessages.commit(key);
+}
+
+export function releaseRecentInboundMessage(key: string, error?: unknown): void {
+  claimableInboundMessages.release(key, { error });
+}
+
+export function rememberRecentOutboundMessage(params: {
+  accountId: string;
+  remoteJid: string;
+  messageId: string;
+}): void {
+  const key = buildMessageKey(params);
+  if (!key) {
+    return;
+  }
+  recentOutboundMessages.check(key);
+}
+
+export function isRecentOutboundMessage(params: {
+  accountId: string;
+  remoteJid: string;
+  messageId: string;
+}): boolean {
+  const key = buildMessageKey(params);
+  if (!key) {
+    return false;
+  }
+  return recentOutboundMessages.peek(key);
+}