@kodelyth/nextcloud-talk 2026.5.39 → 2026.5.42

package/src/setup.test.ts

@@ -0,0 +1,445 @@
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { DEFAULT_ACCOUNT_ID } from "klaw/plugin-sdk/routing";
+import { describe, expect, it } from "vitest";
+import { resolveNextcloudTalkAccount } from "./accounts.js";
+import {
+  clearNextcloudTalkAccountFields,
+  nextcloudTalkDmPolicy,
+  nextcloudTalkSetupAdapter,
+  normalizeNextcloudTalkBaseUrl,
+  setNextcloudTalkAccountConfig,
+  validateNextcloudTalkBaseUrl,
+} from "./setup-core.js";
+import { nextcloudTalkSetupWizard } from "./setup-surface.js";
+import type { CoreConfig } from "./types.js";
+
+describe("nextcloud talk setup", () => {
+  it("shows a bot install command with webhook, response, and reaction features", () => {
+    expect(nextcloudTalkSetupWizard.introNote?.lines.join("\n")).toContain(
+      "--feature webhook --feature response --feature reaction",
+    );
+  });
+
+  it("normalizes and validates base urls", () => {
+    expect(normalizeNextcloudTalkBaseUrl(" https://cloud.example.com/// ")).toBe(
+      "https://cloud.example.com",
+    );
+    expect(normalizeNextcloudTalkBaseUrl(undefined)).toBe("");
+
+    expect(validateNextcloudTalkBaseUrl("")).toBe("Required");
+    expect(validateNextcloudTalkBaseUrl("cloud.example.com")).toBe(
+      "URL must start with http:// or https://",
+    );
+    expect(validateNextcloudTalkBaseUrl("https://cloud.example.com")).toBeUndefined();
+  });
+
+  it("patches scoped account config and clears selected fields", () => {
+    const cfg: CoreConfig = {
+      channels: {
+        "nextcloud-talk": {
+          baseUrl: "https://cloud.example.com",
+          botSecret: "top-secret",
+          accounts: {
+            work: {
+              botSecret: "work-secret",
+              botSecretFile: "/tmp/work-secret",
+              apiPassword: "api-secret",
+            },
+          },
+        },
+      },
+    };
+
+    expect(
+      setNextcloudTalkAccountConfig(cfg, DEFAULT_ACCOUNT_ID, {
+        apiUser: "bot",
+      }),
+    ).toEqual({
+      channels: {
+        "nextcloud-talk": {
+          enabled: true,
+          baseUrl: "https://cloud.example.com",
+          botSecret: "top-secret",
+          apiUser: "bot",
+          accounts: {
+            work: {
+              botSecret: "work-secret",
+              botSecretFile: "/tmp/work-secret",
+              apiPassword: "api-secret",
+            },
+          },
+        },
+      },
+    });
+
+    expect(clearNextcloudTalkAccountFields(cfg, DEFAULT_ACCOUNT_ID, ["botSecret"])).toEqual({
+      channels: {
+        "nextcloud-talk": {
+          baseUrl: "https://cloud.example.com",
+          accounts: {
+            work: {
+              botSecret: "work-secret",
+              botSecretFile: "/tmp/work-secret",
+              apiPassword: "api-secret",
+            },
+          },
+        },
+      },
+    });
+    expect(
+      clearNextcloudTalkAccountFields(cfg, DEFAULT_ACCOUNT_ID, ["botSecret"]),
+    ).not.toHaveProperty(["channels", "nextcloud-talk", "botSecret"]);
+
+    expect(clearNextcloudTalkAccountFields(cfg, "work", ["botSecret", "botSecretFile"])).toEqual({
+      channels: {
+        "nextcloud-talk": {
+          baseUrl: "https://cloud.example.com",
+          botSecret: "top-secret",
+          accounts: {
+            work: {
+              apiPassword: "api-secret",
+            },
+          },
+        },
+      },
+    });
+  });
+
+  it("sets top-level DM policy state", () => {
+    const base: CoreConfig = {
+      channels: {
+        "nextcloud-talk": {},
+      },
+    };
+
+    expect(nextcloudTalkDmPolicy.getCurrent(base)).toBe("pairing");
+    expect(nextcloudTalkDmPolicy.setPolicy(base, "open")).toEqual({
+      channels: {
+        "nextcloud-talk": {
+          enabled: true,
+          dmPolicy: "open",
+          allowFrom: ["*"],
+        },
+      },
+    });
+  });
+
+  it("honors named-account DM policy state and config keys", () => {
+    const base: CoreConfig = {
+      channels: {
+        "nextcloud-talk": {
+          dmPolicy: "disabled",
+          accounts: {
+            work: {
+              baseUrl: "https://cloud.example.com",
+              botSecret: "work-secret",
+              dmPolicy: "allowlist",
+            },
+          },
+        },
+      },
+    };
+
+    expect(nextcloudTalkDmPolicy.getCurrent(base, "work")).toBe("allowlist");
+    expect(nextcloudTalkDmPolicy.resolveConfigKeys?.(base, "work")).toEqual({
+      policyKey: "channels.nextcloud-talk.accounts.work.dmPolicy",
+      allowFromKey: "channels.nextcloud-talk.accounts.work.allowFrom",
+    });
+  });
+
+  it("uses configured defaultAccount for omitted DM policy account context", () => {
+    const base: CoreConfig = {
+      channels: {
+        "nextcloud-talk": {
+          defaultAccount: "work",
+          dmPolicy: "disabled",
+          accounts: {
+            work: {
+              baseUrl: "https://cloud.example.com",
+              botSecret: "work-secret",
+              dmPolicy: "allowlist",
+            },
+          },
+        },
+      },
+    };
+
+    expect(nextcloudTalkDmPolicy.getCurrent(base)).toBe("allowlist");
+    expect(nextcloudTalkDmPolicy.resolveConfigKeys?.(base)).toEqual({
+      policyKey: "channels.nextcloud-talk.accounts.work.dmPolicy",
+      allowFromKey: "channels.nextcloud-talk.accounts.work.allowFrom",
+    });
+
+    const next = nextcloudTalkDmPolicy.setPolicy(base, "open");
+    expect(next.channels?.["nextcloud-talk"]?.dmPolicy).toBe("disabled");
+    const workAccount = next.channels?.["nextcloud-talk"]?.accounts?.work as
+      | { dmPolicy?: string; allowFrom?: Array<string | number> }
+      | undefined;
+    expect(workAccount?.dmPolicy).toBe("open");
+  });
+
+  it('writes open DM policy to the named account and preserves inherited allowFrom with "*"', () => {
+    const next = nextcloudTalkDmPolicy.setPolicy(
+      {
+        channels: {
+          "nextcloud-talk": {
+            allowFrom: ["alice"],
+            accounts: {
+              work: {
+                baseUrl: "https://cloud.example.com",
+                botSecret: "work-secret",
+              },
+            },
+          },
+        },
+      },
+      "open",
+      "work",
+    );
+
+    expect(next.channels?.["nextcloud-talk"]?.dmPolicy).toBeUndefined();
+    const workAccount = next.channels?.["nextcloud-talk"]?.accounts?.work as
+      | { dmPolicy?: string; allowFrom?: Array<string | number> }
+      | undefined;
+    expect(workAccount?.dmPolicy).toBe("open");
+    expect(workAccount?.allowFrom).toEqual(["alice", "*"]);
+  });
+
+  it("validates env/default-account constraints and applies config patches", () => {
+    const validateInput = nextcloudTalkSetupAdapter.validateInput;
+    const applyAccountConfig = nextcloudTalkSetupAdapter.applyAccountConfig;
+    expect(validateInput).toBeTypeOf("function");
+    expect(applyAccountConfig).toBeTypeOf("function");
+    if (!validateInput) {
+      throw new Error("Expected Nextcloud Talk setup validateInput");
+    }
+
+    expect(
+      validateInput({
+        accountId: "work",
+        input: { useEnv: true },
+      } as never),
+    ).toBe("NEXTCLOUD_TALK_BOT_SECRET can only be used for the default account.");
+
+    expect(
+      validateInput({
+        accountId: DEFAULT_ACCOUNT_ID,
+        input: { useEnv: false, baseUrl: "", secret: "" },
+      } as never),
+    ).toBe("Nextcloud Talk requires bot secret or --secret-file (or --use-env).");
+
+    expect(
+      validateInput({
+        accountId: DEFAULT_ACCOUNT_ID,
+        input: { useEnv: false, secret: "secret", baseUrl: "" },
+      } as never),
+    ).toBe("Nextcloud Talk requires --base-url.");
+
+    expect(
+      applyAccountConfig({
+        cfg: {
+          channels: {
+            "nextcloud-talk": {},
+          },
+        },
+        accountId: DEFAULT_ACCOUNT_ID,
+        input: {
+          name: "Default",
+          baseUrl: "https://cloud.example.com///",
+          secret: "bot-secret",
+        },
+      } as never),
+    ).toEqual({
+      channels: {
+        "nextcloud-talk": {
+          enabled: true,
+          name: "Default",
+          baseUrl: "https://cloud.example.com",
+          botSecret: "bot-secret",
+        },
+      },
+    });
+
+    expect(
+      applyAccountConfig({
+        cfg: {
+          channels: {
+            "nextcloud-talk": {
+              accounts: {
+                work: {
+                  botSecret: "old-secret",
+                },
+              },
+            },
+          },
+        },
+        accountId: "work",
+        input: {
+          name: "Work",
+          useEnv: true,
+          baseUrl: "https://cloud.example.com",
+        },
+      } as never),
+    ).toEqual({
+      channels: {
+        "nextcloud-talk": {
+          enabled: true,
+          accounts: {
+            work: {
+              enabled: true,
+              name: "Work",
+              baseUrl: "https://cloud.example.com",
+            },
+          },
+        },
+      },
+    });
+  });
+
+  it("clears stored bot secret fields when switching the default account to env", () => {
+    type ApplyAccountConfigContext = Parameters<
+      typeof nextcloudTalkSetupAdapter.applyAccountConfig
+    >[0];
+
+    const next = nextcloudTalkSetupAdapter.applyAccountConfig({
+      cfg: {
+        channels: {
+          "nextcloud-talk": {
+            enabled: true,
+            baseUrl: "https://cloud.old.example",
+            botSecret: "stored-secret",
+            botSecretFile: "/tmp/secret.txt",
+          },
+        },
+      },
+      accountId: DEFAULT_ACCOUNT_ID,
+      input: {
+        baseUrl: "https://cloud.example.com",
+        useEnv: true,
+      },
+    } as unknown as ApplyAccountConfigContext);
+
+    expect(next.channels?.["nextcloud-talk"]?.baseUrl).toBe("https://cloud.example.com");
+    expect(next.channels?.["nextcloud-talk"]).not.toHaveProperty("botSecret");
+    expect(next.channels?.["nextcloud-talk"]).not.toHaveProperty("botSecretFile");
+  });
+
+  it("clears stored bot secret fields when the wizard switches to env", async () => {
+    const credential = nextcloudTalkSetupWizard.credentials[0];
+    const next = await credential.applyUseEnv?.({
+      cfg: {
+        channels: {
+          "nextcloud-talk": {
+            enabled: true,
+            baseUrl: "https://cloud.example.com",
+            botSecret: "stored-secret",
+            botSecretFile: "/tmp/secret.txt",
+          },
+        },
+      },
+      accountId: DEFAULT_ACCOUNT_ID,
+    });
+
+    expect(next?.channels?.["nextcloud-talk"]).not.toHaveProperty("botSecret");
+    expect(next?.channels?.["nextcloud-talk"]).not.toHaveProperty("botSecretFile");
+  });
+});
+
+describe("resolveNextcloudTalkAccount", () => {
+  it("matches normalized configured account ids", () => {
+    const account = resolveNextcloudTalkAccount({
+      cfg: {
+        channels: {
+          "nextcloud-talk": {
+            accounts: {
+              "Ops Team": {
+                baseUrl: "https://cloud.example.com",
+                botSecret: "bot-secret",
+              },
+            },
+          },
+        },
+      } as CoreConfig,
+      accountId: "ops-team",
+    });
+
+    expect(account.accountId).toBe("ops-team");
+    expect(account.baseUrl).toBe("https://cloud.example.com");
+    expect(account.secret).toBe("bot-secret");
+    expect(account.secretSource).toBe("config");
+  });
+
+  it.runIf(process.platform !== "win32")("rejects symlinked botSecretFile paths", () => {
+    const dir = fs.mkdtempSync(path.join(os.tmpdir(), "klaw-nextcloud-talk-"));
+    const secretFile = path.join(dir, "secret.txt");
+    const secretLink = path.join(dir, "secret-link.txt");
+    fs.writeFileSync(secretFile, "bot-secret\n", "utf8");
+    fs.symlinkSync(secretFile, secretLink);
+
+    const cfg = {
+      channels: {
+        "nextcloud-talk": {
+          baseUrl: "https://cloud.example.com",
+          botSecretFile: secretLink,
+        },
+      },
+    } as CoreConfig;
+
+    const account = resolveNextcloudTalkAccount({ cfg });
+    expect(account.secret).toBe("");
+    expect(account.secretSource).toBe("none");
+    fs.rmSync(dir, { recursive: true, force: true });
+  });
+
+  it("uses configured defaultAccount when accountId is omitted", () => {
+    const account = resolveNextcloudTalkAccount({
+      cfg: {
+        channels: {
+          "nextcloud-talk": {
+            defaultAccount: "work",
+            botSecret: "top-secret",
+            accounts: {
+              work: {
+                baseUrl: "https://cloud.example.com",
+                botSecret: "work-secret",
+              },
+            },
+          },
+        },
+      } as CoreConfig,
+    });
+
+    expect(account.accountId).toBe("work");
+    expect(account.baseUrl).toBe("https://cloud.example.com");
+    expect(account.secret).toBe("work-secret");
+    expect(account.secretSource).toBe("config");
+  });
+
+  it("uses configured defaultAccount for omitted setup configured state", () => {
+    const configured = nextcloudTalkSetupWizard.status.resolveConfigured({
+      cfg: {
+        channels: {
+          "nextcloud-talk": {
+            defaultAccount: "work",
+            baseUrl: "https://root.example.com",
+            botSecret: "root-secret",
+            accounts: {
+              alerts: {
+                baseUrl: "https://alerts.example.com",
+                botSecret: "alerts-secret",
+              },
+              work: {
+                baseUrl: "",
+                botSecret: "",
+              },
+            },
+          },
+        },
+      } as CoreConfig,
+    });
+
+    expect(configured).toBe(false);
+  });
+});

package/src/signature.ts

@@ -0,0 +1,82 @@
+import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";
+import { normalizeLowercaseStringOrEmpty } from "klaw/plugin-sdk/string-coerce-runtime";
+import type { NextcloudTalkWebhookHeaders } from "./types.js";
+
+const SIGNATURE_HEADER = "x-nextcloud-talk-signature";
+const RANDOM_HEADER = "x-nextcloud-talk-random";
+const BACKEND_HEADER = "x-nextcloud-talk-backend";
+
+/**
+ * Verify the HMAC-SHA256 signature of an incoming webhook request.
+ * Signature is calculated as: HMAC-SHA256(random + body, secret)
+ */
+export function verifyNextcloudTalkSignature(params: {
+  signature: string;
+  random: string;
+  body: string;
+  secret: string;
+}): boolean {
+  const { signature, random, body, secret } = params;
+  if (!signature || !random || !secret) {
+    return false;
+  }
+
+  const expected = createHmac("sha256", secret)
+    .update(random + body)
+    .digest("hex");
+
+  const expectedBuf = Buffer.from(expected, "utf8");
+  const signatureBuf = Buffer.from(signature, "utf8");
+
+  // Pad to equal length before constant-time comparison to prevent
+  // leaking length information via early-return timing.
+  // Note: digest("hex") always produces lowercase ASCII (64 bytes for SHA-256),
+  // so expectedBuf is always 64 bytes — no variable-length concern on the expected side.
+  const maxLen = Math.max(expectedBuf.length, signatureBuf.length);
+  const paddedExpected = Buffer.alloc(maxLen);
+  const paddedSignature = Buffer.alloc(maxLen);
+  expectedBuf.copy(paddedExpected);
+  signatureBuf.copy(paddedSignature);
+
+  // Use crypto.timingSafeEqual instead of manual XOR loop to avoid
+  // potential JIT-optimisation timing leaks in the JavaScript engine.
+  const timingResult = timingSafeEqual(paddedExpected, paddedSignature);
+  return expectedBuf.length === signatureBuf.length && timingResult;
+}
+
+/**
+ * Extract webhook headers from an incoming request.
+ */
+export function extractNextcloudTalkHeaders(
+  headers: Record<string, string | string[] | undefined>,
+): NextcloudTalkWebhookHeaders | null {
+  const getHeader = (name: string): string | undefined => {
+    const value = headers[name] ?? headers[normalizeLowercaseStringOrEmpty(name)];
+    return Array.isArray(value) ? value[0] : value;
+  };
+
+  const signature = getHeader(SIGNATURE_HEADER);
+  const random = getHeader(RANDOM_HEADER);
+  const backend = getHeader(BACKEND_HEADER);
+
+  if (!signature || !random || !backend) {
+    return null;
+  }
+
+  return { signature, random, backend };
+}
+
+/**
+ * Generate signature headers for an outbound request to Nextcloud Talk.
+ */
+export function generateNextcloudTalkSignature(params: { body: string; secret: string }): {
+  random: string;
+  signature: string;
+} {
+  const { body, secret } = params;
+  const random = randomBytes(32).toString("hex");
+  const signature = createHmac("sha256", secret)
+    .update(random + body)
+    .digest("hex");
+  return { random, signature };
+}