@marshulll/openclaw-wecom 0.1.5 → 0.1.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@marshulll/openclaw-wecom",
-  "version": "0.1.5",
+  "version": "0.1.6",
   "type": "module",
   "description": "OpenClaw WeCom channel plugin (intelligent bot + internal app)",
   "author": "OpenClaw",

package/wecom/src/monitor.ts

@@ -55,6 +55,11 @@ export async function handleWecomWebhookRequest(
   const path = resolvePath(req);
   const targets = webhookTargets.get(path);
   if (!targets || targets.length === 0) return false;
+  const firstTarget = targets[0];
+  const ua = req.headers["user-agent"] ?? "";
+  const fwd = req.headers["x-forwarded-for"] ?? "";
+  const ct = req.headers["content-type"] ?? "";
+  firstTarget?.runtime?.log?.(`[wecom] webhook ${req.method ?? "UNKNOWN"} ${req.url ?? ""} ct=${ct} ua=${ua} fwd=${fwd}`);
 
   // Prefer account-level mode. If both, we attempt bot first (JSON) then app (XML).
   // Concrete routing is implemented in handlers.

package/wecom/src/wecom-app.ts

@@ -26,8 +26,30 @@ function parseIncomingXml(xml: string): Record<string, any> {
 }
 
 function resolveQueryParams(req: IncomingMessage): URLSearchParams {
-  const url = new URL(req.url ?? "/", "http://localhost");
-  return url.searchParams;
+  const rawUrl = req.url ?? "";
+  const queryIndex = rawUrl.indexOf("?");
+  if (queryIndex < 0) return new URLSearchParams();
+  const queryString = rawUrl.slice(queryIndex + 1);
+  const params = new URLSearchParams();
+  if (!queryString) return params;
+  for (const part of queryString.split("&")) {
+    if (!part) continue;
+    const eqIndex = part.indexOf("=");
+    const keyRaw = eqIndex >= 0 ? part.slice(0, eqIndex) : part;
+    const valueRaw = eqIndex >= 0 ? part.slice(eqIndex + 1) : "";
+    const key = safeDecodeURIComponent(keyRaw);
+    const value = safeDecodeURIComponent(valueRaw);
+    params.append(key, value);
+  }
+  return params;
+}
+
+function safeDecodeURIComponent(value: string): string {
+  try {
+    return decodeURIComponent(value);
+  } catch {
+    return value;
+  }
 }
 
 function resolveSignatureParam(params: URLSearchParams): string {

package/wecom/src/wecom-bot.ts

@@ -11,6 +11,9 @@ import { getWecomRuntime } from "./runtime.js";
 
 const STREAM_TTL_MS = 10 * 60 * 1000;
 const STREAM_MAX_BYTES = 20_480;
+const STREAM_MAX_ENTRIES = 500;
+const DEDUPE_TTL_MS = 2 * 60 * 1000;
+const DEDUPE_MAX_ENTRIES = 2_000;
 
 type StreamState = {
   streamId: string;
@@ -25,6 +28,7 @@ type StreamState = {
 
 const streams = new Map<string, StreamState>();
 const msgidToStreamId = new Map<string, string>();
+const recentEncrypts = new Map<string, { ts: number; streamId?: string }>();
 
 function pruneStreams(): void {
   const cutoff = Date.now() - STREAM_TTL_MS;
@@ -38,6 +42,30 @@ function pruneStreams(): void {
       msgidToStreamId.delete(msgid);
     }
   }
+
+  const dedupeCutoff = Date.now() - DEDUPE_TTL_MS;
+  for (const [hash, entry] of recentEncrypts.entries()) {
+    if (entry.ts < dedupeCutoff) {
+      recentEncrypts.delete(hash);
+    }
+  }
+
+  if (streams.size > STREAM_MAX_ENTRIES) {
+    const sorted = Array.from(streams.entries()).sort((a, b) => a[1].updatedAt - b[1].updatedAt);
+    const overflow = sorted.length - STREAM_MAX_ENTRIES;
+    for (let i = 0; i < overflow; i += 1) {
+      const [streamId] = sorted[i]!;
+      streams.delete(streamId);
+    }
+  }
+
+  if (recentEncrypts.size > DEDUPE_MAX_ENTRIES) {
+    const sorted = Array.from(recentEncrypts.entries()).sort((a, b) => a[1].ts - b[1].ts);
+    const overflow = sorted.length - DEDUPE_MAX_ENTRIES;
+    for (let i = 0; i < overflow; i += 1) {
+      recentEncrypts.delete(sorted[i]![0]);
+    }
+  }
 }
 
 function truncateUtf8Bytes(text: string, maxBytes: number): string {
@@ -49,7 +77,7 @@ function truncateUtf8Bytes(text: string, maxBytes: number): string {
 
 function jsonOk(res: ServerResponse, body: unknown): void {
   res.statusCode = 200;
-  res.setHeader("Content-Type", "text/plain; charset=utf-8");
+  res.setHeader("Content-Type", "application/json; charset=utf-8");
   res.end(JSON.stringify(body));
 }
 
@@ -89,7 +117,7 @@ function buildEncryptedJsonReply(params: {
   plaintextJson: unknown;
   nonce: string;
   timestamp: string;
-}): { encrypt: string; msgsignature: string; timestamp: string; nonce: string } {
+}): { encrypt: string; msg_signature: string; timestamp: string; nonce: string } {
   const plaintext = JSON.stringify(params.plaintextJson ?? {});
   const encrypt = encryptWecomPlaintext({
     encodingAESKey: params.account.encodingAESKey ?? "",
@@ -104,15 +132,37 @@ function buildEncryptedJsonReply(params: {
   });
   return {
     encrypt,
-    msgsignature,
+    msg_signature: msgsignature,
     timestamp: params.timestamp,
     nonce: params.nonce,
   };
 }
 
 function resolveQueryParams(req: IncomingMessage): URLSearchParams {
-  const url = new URL(req.url ?? "/", "http://localhost");
-  return url.searchParams;
+  const rawUrl = req.url ?? "";
+  const queryIndex = rawUrl.indexOf("?");
+  if (queryIndex < 0) return new URLSearchParams();
+  const queryString = rawUrl.slice(queryIndex + 1);
+  const params = new URLSearchParams();
+  if (!queryString) return params;
+  for (const part of queryString.split("&")) {
+    if (!part) continue;
+    const eqIndex = part.indexOf("=");
+    const keyRaw = eqIndex >= 0 ? part.slice(0, eqIndex) : part;
+    const valueRaw = eqIndex >= 0 ? part.slice(eqIndex + 1) : "";
+    const key = safeDecodeURIComponent(keyRaw);
+    const value = safeDecodeURIComponent(valueRaw);
+    params.append(key, value);
+  }
+  return params;
+}
+
+function safeDecodeURIComponent(value: string): string {
+  try {
+    return decodeURIComponent(value);
+  } catch {
+    return value;
+  }
 }
 
 function resolveSignatureParam(params: URLSearchParams): string {
@@ -151,6 +201,10 @@ function createStreamId(): string {
   return crypto.randomBytes(16).toString("hex");
 }
 
+function hashEncryptPayload(encrypt: string): string {
+  return crypto.createHash("sha256").update(encrypt).digest("hex");
+}
+
 function logVerbose(target: WecomWebhookTarget, message: string): void {
   try {
     const core = getWecomRuntime();
@@ -424,6 +478,9 @@ export async function handleWecomBotWebhook(params: {
   if (req.method === "GET") {
     const echostr = query.get("echostr") ?? "";
     if (!timestamp || !nonce || !signature || !echostr) {
+      targets[0]?.runtime?.log?.(
+        `[wecom] bot GET missing params (timestamp=${Boolean(timestamp)} nonce=${Boolean(nonce)} signature=${Boolean(signature)} echostr=${Boolean(echostr)})`,
+      );
       return false;
     }
 
@@ -440,20 +497,18 @@ export async function handleWecomBotWebhook(params: {
       return ok;
     });
     if (!target || !target.account.encodingAESKey) {
+      targets[0]?.runtime?.log?.("[wecom] bot GET signature verify failed");
       return false;
     }
     try {
-      const plain = decryptWecomEncrypted({
-        encodingAESKey: target.account.encodingAESKey,
-        receiveId: target.account.receiveId,
-        encrypt: echostr,
-      });
+      const plain = decryptBotEncrypted(target.account, echostr);
       res.statusCode = 200;
       res.setHeader("Content-Type", "text/plain; charset=utf-8");
       res.end(plain);
       return true;
     } catch (err) {
       const msg = err instanceof Error ? err.message : String(err);
+      targets[0]?.runtime?.error?.(`[wecom] bot GET decrypt failed: ${msg}`);
       res.statusCode = 400;
       res.end(msg || "decrypt failed");
       return true;
@@ -464,11 +519,6 @@ export async function handleWecomBotWebhook(params: {
     return false;
   }
 
-  const contentType = req.headers["content-type"] ?? "";
-  if (!String(contentType).toLowerCase().includes("json")) {
-    return false;
-  }
-
   if (!timestamp || !nonce || !signature) {
     return false;
   }
@@ -509,13 +559,31 @@ export async function handleWecomBotWebhook(params: {
     return true;
   }
 
+  const encryptHash = hashEncryptPayload(encrypt);
+  const dedupeEntry = recentEncrypts.get(encryptHash);
+  if (dedupeEntry && Date.now() - dedupeEntry.ts <= DEDUPE_TTL_MS) {
+    const streamId = dedupeEntry.streamId ?? "";
+    const state = streamId ? streams.get(streamId) : undefined;
+    if (streamId && state) {
+      const reply = state.error || state.content.trim()
+        ? buildStreamReplyFromState(state)
+        : buildStreamPlaceholderReply(streamId);
+      logVerbose(target, `bot dedupe hit streamId=${streamId}`);
+      jsonOk(res, buildEncryptedJsonReply({
+        account: target.account,
+        plaintextJson: reply,
+        nonce,
+        timestamp,
+      }));
+      dedupeEntry.ts = Date.now();
+      return true;
+    }
+    recentEncrypts.delete(encryptHash);
+  }
+
   let plain: string;
   try {
-    plain = decryptWecomEncrypted({
-      encodingAESKey: target.account.encodingAESKey,
-      receiveId: target.account.receiveId,
-      encrypt,
-    });
+    plain = decryptBotEncrypted(target.account, encrypt);
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
     res.statusCode = 400;
@@ -528,6 +596,7 @@ export async function handleWecomBotWebhook(params: {
 
   const msgtype = String(msg.msgtype ?? "").toLowerCase();
   const msgid = msg.msgid ? String(msg.msgid) : undefined;
+  logVerbose(target, `bot inbound msgtype=${msgtype || "unknown"} msgid=${msgid || "n/a"}`);
 
   if (msgtype === "stream") {
     const streamId = String((msg as any).stream?.id ?? "").trim();
@@ -542,6 +611,7 @@ export async function handleWecomBotWebhook(params: {
           finished: true,
           content: "",
         });
+    logVerbose(target, `bot stream refresh reply streamId=${streamId || "unknown"} finished=${Boolean(state?.finished)}`);
     jsonOk(res, buildEncryptedJsonReply({
       account: target.account,
       plaintextJson: reply,
@@ -554,6 +624,7 @@ export async function handleWecomBotWebhook(params: {
   if (msgid && msgidToStreamId.has(msgid)) {
     const streamId = msgidToStreamId.get(msgid) ?? "";
     const reply = buildStreamPlaceholderReply(streamId);
+    logVerbose(target, `bot stream placeholder reply streamId=${streamId || "unknown"}`);
     jsonOk(res, buildEncryptedJsonReply({
       account: target.account,
       plaintextJson: reply,
@@ -570,6 +641,7 @@ export async function handleWecomBotWebhook(params: {
       const reply = welcome
         ? { msgtype: "text", text: { content: welcome } }
         : {};
+      logVerbose(target, "bot event enter_chat reply");
       jsonOk(res, buildEncryptedJsonReply({
         account: target.account,
         plaintextJson: reply,
@@ -579,6 +651,7 @@ export async function handleWecomBotWebhook(params: {
       return true;
     }
 
+    logVerbose(target, "bot event reply empty");
     jsonOk(res, buildEncryptedJsonReply({
       account: target.account,
       plaintextJson: {},
@@ -599,6 +672,7 @@ export async function handleWecomBotWebhook(params: {
     finished: false,
     content: "",
   });
+  recentEncrypts.set(encryptHash, { ts: Date.now(), streamId });
 
   let core: PluginRuntime | null = null;
   try {
@@ -634,6 +708,11 @@ export async function handleWecomBotWebhook(params: {
     ? buildStreamReplyFromState(state)
     : buildStreamPlaceholderReply(streamId);
 
+  logVerbose(
+    target,
+    `bot initial reply streamId=${streamId} mode=${state && (state.content.trim() || state.error) ? "stream" : "placeholder"}`,
+  );
+  target.runtime.log?.(`[wecom] bot reply acked streamId=${streamId} msgid=${msgid || "n/a"}`);
   jsonOk(res, buildEncryptedJsonReply({
     account: target.account,
     plaintextJson: initialReply,
@@ -643,3 +722,21 @@ export async function handleWecomBotWebhook(params: {
 
   return true;
 }
+
+function decryptBotEncrypted(account: ResolvedWecomAccount, encrypt: string): string {
+  const encodingAESKey = account.encodingAESKey ?? "";
+  if (!encodingAESKey) {
+    throw new Error("encodingAESKey missing");
+  }
+  const receiveId = account.receiveId || "";
+  try {
+    return decryptWecomEncrypted({ encodingAESKey, receiveId, encrypt });
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    if (!msg.includes("receiveId mismatch")) {
+      throw err;
+    }
+    // Some WeCom bot callbacks omit receiveId in the encrypted payload.
+    return decryptWecomEncrypted({ encodingAESKey, encrypt });
+  }
+}