@kodelyth/feishu 2026.5.42 → 2026.6.1

package/src/monitor.webhook-e2e.test.ts

@@ -1,279 +0,0 @@
-import crypto from "node:crypto";
-import { afterAll, afterEach, describe, expect, it, vi } from "vitest";
-import { createFeishuRuntimeMockModule } from "./monitor.test-mocks.js";
-import { withRunningWebhookMonitor } from "./monitor.webhook.test-helpers.js";
-
-const probeFeishuMock = vi.hoisted(() => vi.fn());
-
-vi.mock("./probe.js", () => ({
-  probeFeishu: probeFeishuMock,
-}));
-
-vi.mock("./client.js", async () => {
-  const actual = await vi.importActual<typeof import("./client.js")>("./client.js");
-  return {
-    ...actual,
-    createFeishuWSClient: vi.fn(() => ({ start: vi.fn() })),
-  };
-});
-
-vi.mock("./runtime.js", () => createFeishuRuntimeMockModule());
-
-import { monitorFeishuProvider, stopFeishuMonitor } from "./monitor.js";
-
-function signFeishuPayload(params: {
-  encryptKey: string;
-  rawBody: string;
-  timestamp?: string;
-  nonce?: string;
-}): Record<string, string> {
-  const timestamp = params.timestamp ?? "1711111111";
-  const nonce = params.nonce ?? "nonce-test";
-  const signature = crypto
-    .createHash("sha256")
-    .update(timestamp + nonce + params.encryptKey + params.rawBody)
-    .digest("hex");
-  return {
-    "content-type": "application/json",
-    "x-lark-request-timestamp": timestamp,
-    "x-lark-request-nonce": nonce,
-    "x-lark-signature": signature,
-  };
-}
-
-function encryptFeishuPayload(encryptKey: string, payload: Record<string, unknown>): string {
-  const iv = crypto.randomBytes(16);
-  const key = crypto.createHash("sha256").update(encryptKey).digest();
-  const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
-  const plaintext = Buffer.from(JSON.stringify(payload), "utf8");
-  const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
-  return Buffer.concat([iv, encrypted]).toString("base64");
-}
-
-async function postSignedPayload(url: string, payload: Record<string, unknown>) {
-  const rawBody = JSON.stringify(payload);
-  return await fetch(url, {
-    method: "POST",
-    headers: signFeishuPayload({ encryptKey: "encrypt_key", rawBody }),
-    body: rawBody,
-  });
-}
-
-afterEach(() => {
-  stopFeishuMonitor();
-});
-
-afterAll(() => {
-  vi.doUnmock("./probe.js");
-  vi.doUnmock("./client.js");
-  vi.doUnmock("./runtime.js");
-  vi.resetModules();
-});
-
-describe("Feishu webhook signed-request e2e", () => {
-  it("rejects invalid signatures with 401 instead of empty 200", async () => {
-    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
-
-    await withRunningWebhookMonitor(
-      {
-        accountId: "invalid-signature",
-        path: "/hook-e2e-invalid-signature",
-        verificationToken: "verify_token",
-        encryptKey: "encrypt_key",
-      },
-      monitorFeishuProvider,
-      async (url) => {
-        const payload = { type: "url_verification", challenge: "challenge-token" };
-        const rawBody = JSON.stringify(payload);
-        const response = await fetch(url, {
-          method: "POST",
-          headers: {
-            ...signFeishuPayload({ encryptKey: "wrong_key", rawBody }),
-          },
-          body: rawBody,
-        });
-
-        expect(response.status).toBe(401);
-        expect(await response.text()).toBe("Invalid signature");
-      },
-    );
-  });
-
-  it("rejects missing signature headers with 401", async () => {
-    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
-
-    await withRunningWebhookMonitor(
-      {
-        accountId: "missing-signature",
-        path: "/hook-e2e-missing-signature",
-        verificationToken: "verify_token",
-        encryptKey: "encrypt_key",
-      },
-      monitorFeishuProvider,
-      async (url) => {
-        const response = await fetch(url, {
-          method: "POST",
-          headers: { "content-type": "application/json" },
-          body: JSON.stringify({ type: "url_verification", challenge: "challenge-token" }),
-        });
-
-        expect(response.status).toBe(401);
-        expect(await response.text()).toBe("Invalid signature");
-      },
-    );
-  });
-
-  it("rejects malformed short signatures with 401", async () => {
-    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
-
-    await withRunningWebhookMonitor(
-      {
-        accountId: "short-signature",
-        path: "/hook-e2e-short-signature",
-        verificationToken: "verify_token",
-        encryptKey: "encrypt_key",
-      },
-      monitorFeishuProvider,
-      async (url) => {
-        const payload = { type: "url_verification", challenge: "challenge-token" };
-        const headers = signFeishuPayload({
-          encryptKey: "encrypt_key",
-          rawBody: JSON.stringify(payload),
-        });
-        headers["x-lark-signature"] = headers["x-lark-signature"].slice(0, 12);
-
-        const response = await fetch(url, {
-          method: "POST",
-          headers,
-          body: JSON.stringify(payload),
-        });
-
-        expect(response.status).toBe(401);
-        expect(await response.text()).toBe("Invalid signature");
-      },
-    );
-  });
-
-  it("returns 401 for unsigned invalid json before parsing", async () => {
-    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
-
-    await withRunningWebhookMonitor(
-      {
-        accountId: "invalid-json",
-        path: "/hook-e2e-invalid-json",
-        verificationToken: "verify_token",
-        encryptKey: "encrypt_key",
-      },
-      monitorFeishuProvider,
-      async (url) => {
-        const response = await fetch(url, {
-          method: "POST",
-          headers: { "content-type": "application/json" },
-          body: "{not-json",
-        });
-
-        expect(response.status).toBe(401);
-        expect(await response.text()).toBe("Invalid signature");
-      },
-    );
-  });
-
-  it("returns 400 for signed invalid json after signature validation", async () => {
-    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
-
-    await withRunningWebhookMonitor(
-      {
-        accountId: "signed-invalid-json",
-        path: "/hook-e2e-signed-invalid-json",
-        verificationToken: "verify_token",
-        encryptKey: "encrypt_key",
-      },
-      monitorFeishuProvider,
-      async (url) => {
-        const rawBody = "{not-json";
-        const response = await fetch(url, {
-          method: "POST",
-          headers: signFeishuPayload({ encryptKey: "encrypt_key", rawBody }),
-          body: rawBody,
-        });
-
-        expect(response.status).toBe(400);
-        expect(await response.text()).toBe("Invalid JSON");
-      },
-    );
-  });
-
-  it("accepts signed plaintext url_verification challenges end-to-end", async () => {
-    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
-
-    await withRunningWebhookMonitor(
-      {
-        accountId: "signed-challenge",
-        path: "/hook-e2e-signed-challenge",
-        verificationToken: "verify_token",
-        encryptKey: "encrypt_key",
-      },
-      monitorFeishuProvider,
-      async (url) => {
-        const payload = { type: "url_verification", challenge: "challenge-token" };
-        const response = await postSignedPayload(url, payload);
-
-        expect(response.status).toBe(200);
-        await expect(response.json()).resolves.toEqual({ challenge: "challenge-token" });
-      },
-    );
-  });
-
-  it("accepts signed non-challenge events and reaches the dispatcher", async () => {
-    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
-
-    await withRunningWebhookMonitor(
-      {
-        accountId: "signed-dispatch",
-        path: "/hook-e2e-signed-dispatch",
-        verificationToken: "verify_token",
-        encryptKey: "encrypt_key",
-      },
-      monitorFeishuProvider,
-      async (url) => {
-        const payload = {
-          schema: "2.0",
-          header: { event_type: "unknown.event" },
-          event: {},
-        };
-        const response = await postSignedPayload(url, payload);
-
-        expect(response.status).toBe(200);
-        expect(await response.text()).toContain("no unknown.event event handle");
-      },
-    );
-  });
-
-  it("accepts signed encrypted url_verification challenges end-to-end", async () => {
-    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
-
-    await withRunningWebhookMonitor(
-      {
-        accountId: "encrypted-challenge",
-        path: "/hook-e2e-encrypted-challenge",
-        verificationToken: "verify_token",
-        encryptKey: "encrypt_key",
-      },
-      monitorFeishuProvider,
-      async (url) => {
-        const payload = {
-          encrypt: encryptFeishuPayload("encrypt_key", {
-            type: "url_verification",
-            challenge: "encrypted-challenge-token",
-          }),
-        };
-        const response = await postSignedPayload(url, payload);
-
-        expect(response.status).toBe(200);
-        await expect(response.json()).resolves.toEqual({
-          challenge: "encrypted-challenge-token",
-        });
-      },
-    );
-  });
-});

package/src/monitor.webhook-security.test.ts

@@ -1,389 +0,0 @@
-import type { IncomingMessage } from "node:http";
-import { createConnection } from "node:net";
-import { afterAll, afterEach, describe, expect, it, vi } from "vitest";
-import {
-  createFeishuClientMockModule,
-  createFeishuRuntimeMockModule,
-} from "./monitor.test-mocks.js";
-import {
-  buildWebhookConfig,
-  getFreePort,
-  withRunningWebhookMonitor,
-} from "./monitor.webhook.test-helpers.js";
-
-const probeFeishuMock = vi.hoisted(() => vi.fn());
-
-vi.mock("./probe.js", () => ({
-  probeFeishu: probeFeishuMock,
-}));
-
-vi.mock("./client.js", () => createFeishuClientMockModule());
-vi.mock("./runtime.js", () => createFeishuRuntimeMockModule());
-
-vi.mock("@larksuiteoapi/node-sdk", () => ({
-  adaptDefault: vi.fn(
-    () => (_req: unknown, res: { statusCode?: number; end: (s: string) => void }) => {
-      res.statusCode = 200;
-      res.end("ok");
-    },
-  ),
-}));
-
-vi.mock("./monitor.state.js", async (importOriginal) => {
-  const actual = await importOriginal<typeof import("./monitor.state.js")>();
-  return {
-    ...actual,
-    FEISHU_WEBHOOK_BODY_TIMEOUT_MS: 50,
-  };
-});
-
-import type { RuntimeEnv } from "../runtime-api.js";
-import { resolveRequestClientIp } from "./monitor-transport-runtime-api.js";
-import {
-  clearFeishuWebhookRateLimitStateForTest,
-  getFeishuWebhookRateLimitStateSizeForTest,
-  isWebhookRateLimitedForTest,
-  monitorFeishuProvider,
-  stopFeishuMonitor,
-} from "./monitor.js";
-import { buildFeishuWebhookRateLimitKeyForTest, monitorWebhook } from "./monitor.transport.js";
-import type { ResolvedFeishuAccount } from "./types.js";
-
-async function waitForSlowBodyTimeoutResponse(
-  url: string,
-  timeoutMs: number,
-): Promise<{ body: string; elapsedMs: number }> {
-  return await new Promise<{ body: string; elapsedMs: number }>((resolve, reject) => {
-    const target = new URL(url);
-    const startedAt = Date.now();
-    let response = "";
-    const socket = createConnection(
-      {
-        host: target.hostname,
-        port: Number(target.port),
-      },
-      () => {
-        socket.write(`POST ${target.pathname} HTTP/1.1\r\n`);
-        socket.write(`Host: ${target.hostname}\r\n`);
-        socket.write("Content-Type: application/json\r\n");
-        socket.write("Content-Length: 65536\r\n");
-        socket.write("\r\n");
-        socket.write('{"type":"url_verification"');
-      },
-    );
-
-    socket.setEncoding("utf8");
-    socket.on("error", () => {});
-    socket.on("data", (chunk) => {
-      response += chunk;
-      if (response.includes("Request body timeout")) {
-        clearTimeout(failTimer);
-        socket.destroy();
-        resolve({ body: response, elapsedMs: Date.now() - startedAt });
-      }
-    });
-
-    const failTimer = setTimeout(() => {
-      socket.destroy();
-      reject(new Error(`timeout response did not arrive within ${timeoutMs}ms`));
-    }, timeoutMs);
-  });
-}
-
-async function waitForOversizedBodyResponse(url: string): Promise<string> {
-  return await new Promise<string>((resolve, reject) => {
-    const target = new URL(url);
-    const body = JSON.stringify({ payload: "x".repeat(70 * 1024) });
-    let response = "";
-    let settled = false;
-    const socket = createConnection(
-      {
-        host: target.hostname,
-        port: Number(target.port),
-      },
-      () => {
-        socket.write(`POST ${target.pathname} HTTP/1.1\r\n`);
-        socket.write(`Host: ${target.hostname}\r\n`);
-        socket.write("Content-Type: application/json\r\n");
-        socket.write(`Content-Length: ${Buffer.byteLength(body)}\r\n`);
-        socket.write("\r\n");
-        socket.write(body);
-      },
-    );
-
-    const finish = (result: string) => {
-      if (settled) {
-        return;
-      }
-      settled = true;
-      clearTimeout(failTimer);
-      socket.destroy();
-      resolve(result);
-    };
-
-    socket.setEncoding("utf8");
-    socket.on("data", (chunk) => {
-      response += chunk;
-      if (response.includes("Payload too large")) {
-        finish(response);
-      }
-    });
-    socket.on("close", () => {
-      if (response.includes("Payload too large")) {
-        finish(response);
-      }
-    });
-    socket.on("error", (error: NodeJS.ErrnoException) => {
-      if (response.includes("Payload too large")) {
-        finish(response);
-        return;
-      }
-      if (error.code === "ECONNRESET") {
-        finish("ECONNRESET");
-        return;
-      }
-      reject(error);
-    });
-
-    const failTimer = setTimeout(() => {
-      socket.destroy();
-      reject(new Error("payload-too-large response did not arrive within 1000ms"));
-    }, 1_000);
-  });
-}
-
-function resolveTestClientIp(remoteAddress: string | undefined): string | undefined {
-  return resolveRequestClientIp({
-    headers: {},
-    socket: { remoteAddress },
-  } as IncomingMessage);
-}
-
-afterEach(() => {
-  clearFeishuWebhookRateLimitStateForTest();
-  stopFeishuMonitor();
-});
-
-afterAll(() => {
-  vi.doUnmock("./probe.js");
-  vi.doUnmock("./client.js");
-  vi.doUnmock("./runtime.js");
-  vi.doUnmock("@larksuiteoapi/node-sdk");
-  vi.doUnmock("./monitor.state.js");
-  vi.resetModules();
-});
-
-describe("Feishu webhook security hardening", () => {
-  it("rejects webhook mode without verificationToken", async () => {
-    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
-
-    const cfg = buildWebhookConfig({
-      accountId: "missing-token",
-      path: "/hook-missing-token",
-      port: await getFreePort(),
-    });
-
-    await expect(monitorFeishuProvider({ config: cfg })).rejects.toThrow(
-      /requires verificationToken/i,
-    );
-  });
-
-  it("rejects webhook mode without encryptKey", async () => {
-    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
-
-    const cfg = buildWebhookConfig({
-      accountId: "missing-encrypt-key",
-      path: "/hook-missing-encrypt",
-      port: await getFreePort(),
-      verificationToken: "verify_token",
-    });
-
-    await expect(monitorFeishuProvider({ config: cfg })).rejects.toThrow(/requires encryptKey/i);
-  });
-
-  it("refuses to start the webhook transport without encryptKey", async () => {
-    const account = {
-      accountId: "transport-missing-encrypt-key",
-      config: {
-        enabled: true,
-        connectionMode: "webhook",
-        webhookHost: "127.0.0.1",
-        webhookPort: await getFreePort(),
-        webhookPath: "/hook-transport-missing-encrypt",
-      },
-    } as ResolvedFeishuAccount;
-
-    await expect(
-      monitorWebhook({
-        account,
-        accountId: account.accountId,
-        runtime: {
-          log: vi.fn(),
-          error: vi.fn(),
-          exit: vi.fn(),
-        } as RuntimeEnv,
-        abortSignal: new AbortController().signal,
-        eventDispatcher: {} as never,
-      }),
-    ).rejects.toThrow(/requires encryptKey/i);
-  });
-
-  it("returns 415 for POST requests without json content type", async () => {
-    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
-    await withRunningWebhookMonitor(
-      {
-        accountId: "content-type",
-        path: "/hook-content-type",
-        verificationToken: "verify_token",
-        encryptKey: "encrypt_key",
-      },
-      monitorFeishuProvider,
-      async (url) => {
-        const response = await fetch(url, {
-          method: "POST",
-          headers: { "content-type": "text/plain" },
-          body: "{}",
-        });
-
-        expect(response.status).toBe(415);
-        expect(await response.text()).toBe("Unsupported Media Type");
-      },
-    );
-  });
-
-  it("rejects oversized unsigned webhook bodies with 413 before signature verification", async () => {
-    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
-    await withRunningWebhookMonitor(
-      {
-        accountId: "payload-too-large",
-        path: "/hook-payload-too-large",
-        verificationToken: "verify_token",
-        encryptKey: "encrypt_key",
-      },
-      monitorFeishuProvider,
-      async (url) => {
-        const response = await waitForOversizedBodyResponse(url);
-
-        if (response === "ECONNRESET") {
-          expect(response).toBe("ECONNRESET");
-        } else {
-          expect(response).toContain("413 Payload Too Large");
-          expect(response).toContain("Payload too large");
-        }
-      },
-    );
-  });
-
-  it("drops slow-body webhook requests within the tightened pre-auth timeout", async () => {
-    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
-    await withRunningWebhookMonitor(
-      {
-        accountId: "slow-body-timeout",
-        path: "/hook-slow-body-timeout",
-        verificationToken: "verify_token",
-        encryptKey: "encrypt_key",
-      },
-      monitorFeishuProvider,
-      async (url) => {
-        const result = await waitForSlowBodyTimeoutResponse(url, 1_000);
-        expect(result.body).toContain("408 Request Timeout");
-        expect(result.body).toContain("Request body timeout");
-        expect(result.elapsedMs).toBeLessThan(500);
-      },
-    );
-  });
-
-  it("rate limits webhook burst traffic with 429", async () => {
-    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
-    await withRunningWebhookMonitor(
-      {
-        accountId: "rate-limit",
-        path: "/hook-rate-limit",
-        verificationToken: "verify_token",
-        encryptKey: "encrypt_key",
-      },
-      monitorFeishuProvider,
-      async (url) => {
-        let saw429 = false;
-        for (let i = 0; i < 130; i += 1) {
-          const response = await fetch(url, {
-            method: "POST",
-            headers: { "content-type": "text/plain" },
-            body: "{}",
-          });
-          if (response.status === 429) {
-            saw429 = true;
-            expect(await response.text()).toBe("Too Many Requests");
-            break;
-          }
-        }
-
-        expect(saw429).toBe(true);
-      },
-    );
-  });
-
-  it("uses one webhook rate-limit key for loopback address-family variants", () => {
-    const base = {
-      accountId: "rate-limit-key",
-      path: "/hook-rate-limit-key",
-    };
-
-    expect([
-      buildFeishuWebhookRateLimitKeyForTest({
-        ...base,
-        clientIp: resolveTestClientIp("127.0.0.1"),
-      }),
-      buildFeishuWebhookRateLimitKeyForTest({
-        ...base,
-        clientIp: resolveTestClientIp("127.0.0.42"),
-      }),
-      buildFeishuWebhookRateLimitKeyForTest({
-        ...base,
-        clientIp: resolveTestClientIp("::ffff:127.0.0.1"),
-      }),
-      buildFeishuWebhookRateLimitKeyForTest({
-        ...base,
-        clientIp: resolveTestClientIp("::1"),
-      }),
-    ]).toEqual([
-      "rate-limit-key:/hook-rate-limit-key:loopback",
-      "rate-limit-key:/hook-rate-limit-key:loopback",
-      "rate-limit-key:/hook-rate-limit-key:loopback",
-      "rate-limit-key:/hook-rate-limit-key:loopback",
-    ]);
-  });
-
-  it("keeps non-loopback and unknown webhook rate-limit key suffixes distinct", () => {
-    const base = {
-      accountId: "rate-limit-key",
-      path: "/hook-rate-limit-key",
-    };
-
-    expect(buildFeishuWebhookRateLimitKeyForTest({ ...base, clientIp: "10.0.0.1" })).toBe(
-      "rate-limit-key:/hook-rate-limit-key:10.0.0.1",
-    );
-    expect(buildFeishuWebhookRateLimitKeyForTest(base)).toBe(
-      "rate-limit-key:/hook-rate-limit-key:unknown",
-    );
-  });
-
-  it("caps tracked webhook rate-limit keys to prevent unbounded growth", () => {
-    const now = 1_000_000;
-    for (let i = 0; i < 4_500; i += 1) {
-      isWebhookRateLimitedForTest(`/feishu-rate-limit:key-${i}`, now);
-    }
-    expect(getFeishuWebhookRateLimitStateSizeForTest()).toBeLessThanOrEqual(4_096);
-  });
-
-  it("prunes stale webhook rate-limit state after window elapses", () => {
-    const now = 2_000_000;
-    for (let i = 0; i < 100; i += 1) {
-      isWebhookRateLimitedForTest(`/feishu-rate-limit-stale:key-${i}`, now);
-    }
-    expect(getFeishuWebhookRateLimitStateSizeForTest()).toBe(100);
-
-    isWebhookRateLimitedForTest("/feishu-rate-limit-stale:fresh", now + 60_001);
-    expect(getFeishuWebhookRateLimitStateSizeForTest()).toBe(1);
-  });
-});