@openclaw/feishu 2026.3.11 → 2026.3.13

package/src/monitor.startup.test.ts

@@ -3,33 +3,19 @@ import { afterEach, describe, expect, it, vi } from "vitest";
 import { monitorFeishuProvider, stopFeishuMonitor } from "./monitor.js";
 
 const probeFeishuMock = vi.hoisted(() => vi.fn());
-const feishuClientMockModule = vi.hoisted(() => ({
-  createFeishuWSClient: vi.fn(() => ({ start: vi.fn() })),
-  createEventDispatcher: vi.fn(() => ({ register: vi.fn() })),
-}));
-const feishuRuntimeMockModule = vi.hoisted(() => ({
-  getFeishuRuntime: () => ({
-    channel: {
-      debounce: {
-        resolveInboundDebounceMs: () => 0,
-        createInboundDebouncer: () => ({
-          enqueue: async () => {},
-          flushKey: async () => {},
-        }),
-      },
-      text: {
-        hasControlCommand: () => false,
-      },
-    },
-  }),
-}));
 
 vi.mock("./probe.js", () => ({
   probeFeishu: probeFeishuMock,
 }));
 
-vi.mock("./client.js", () => feishuClientMockModule);
-vi.mock("./runtime.js", () => feishuRuntimeMockModule);
+vi.mock("./client.js", async () => {
+  const { createFeishuClientMockModule } = await import("./monitor.test-mocks.js");
+  return createFeishuClientMockModule();
+});
+vi.mock("./runtime.js", async () => {
+  const { createFeishuRuntimeMockModule } = await import("./monitor.test-mocks.js");
+  return createFeishuRuntimeMockModule();
+});
 
 function buildMultiAccountWebsocketConfig(accountIds: string[]): ClawdbotConfig {
   return {
@@ -52,6 +38,12 @@ function buildMultiAccountWebsocketConfig(accountIds: string[]): ClawdbotConfig
   } as ClawdbotConfig;
 }
 
+async function waitForStartedAccount(started: string[], accountId: string) {
+  for (let i = 0; i < 10 && !started.includes(accountId); i += 1) {
+    await Promise.resolve();
+  }
+}
+
 afterEach(() => {
   stopFeishuMonitor();
 });
@@ -116,10 +108,7 @@ describe("Feishu monitor startup preflight", () => {
     });
 
     try {
-      for (let i = 0; i < 10 && !started.includes("beta"); i += 1) {
-        await Promise.resolve();
-      }
-
+      await waitForStartedAccount(started, "beta");
       expect(started).toEqual(["alpha", "beta"]);
       expect(started.filter((accountId) => accountId === "alpha")).toHaveLength(1);
     } finally {
@@ -153,10 +142,7 @@ describe("Feishu monitor startup preflight", () => {
     });
 
     try {
-      for (let i = 0; i < 10 && !started.includes("beta"); i += 1) {
-        await Promise.resolve();
-      }
-
+      await waitForStartedAccount(started, "beta");
       expect(started).toEqual(["alpha", "beta"]);
       expect(runtime.error).toHaveBeenCalledWith(
         expect.stringContaining("bot info probe timed out"),

package/src/monitor.transport.ts

@@ -1,7 +1,9 @@
 import * as http from "http";
+import crypto from "node:crypto";
 import * as Lark from "@larksuiteoapi/node-sdk";
 import {
   applyBasicWebhookRequestGuards,
+  readJsonBodyWithLimit,
   type RuntimeEnv,
   installRequestBodyLimitGuard,
 } from "openclaw/plugin-sdk/feishu";
@@ -26,6 +28,50 @@ export type MonitorTransportParams = {
   eventDispatcher: Lark.EventDispatcher;
 };
 
+function isFeishuWebhookPayload(value: unknown): value is Record<string, unknown> {
+  return !!value && typeof value === "object" && !Array.isArray(value);
+}
+
+function buildFeishuWebhookEnvelope(
+  req: http.IncomingMessage,
+  payload: Record<string, unknown>,
+): Record<string, unknown> {
+  return Object.assign(Object.create({ headers: req.headers }), payload) as Record<string, unknown>;
+}
+
+function isFeishuWebhookSignatureValid(params: {
+  headers: http.IncomingHttpHeaders;
+  payload: Record<string, unknown>;
+  encryptKey?: string;
+}): boolean {
+  const encryptKey = params.encryptKey?.trim();
+  if (!encryptKey) {
+    return true;
+  }
+
+  const timestampHeader = params.headers["x-lark-request-timestamp"];
+  const nonceHeader = params.headers["x-lark-request-nonce"];
+  const signatureHeader = params.headers["x-lark-signature"];
+  const timestamp = Array.isArray(timestampHeader) ? timestampHeader[0] : timestampHeader;
+  const nonce = Array.isArray(nonceHeader) ? nonceHeader[0] : nonceHeader;
+  const signature = Array.isArray(signatureHeader) ? signatureHeader[0] : signatureHeader;
+  if (!timestamp || !nonce || !signature) {
+    return false;
+  }
+
+  const computedSignature = crypto
+    .createHash("sha256")
+    .update(timestamp + nonce + encryptKey + JSON.stringify(params.payload))
+    .digest("hex");
+  return computedSignature === signature;
+}
+
+function respondText(res: http.ServerResponse, statusCode: number, body: string): void {
+  res.statusCode = statusCode;
+  res.setHeader("Content-Type", "text/plain; charset=utf-8");
+  res.end(body);
+}
+
 export async function monitorWebSocket({
   account,
   accountId,
@@ -88,7 +134,6 @@ export async function monitorWebhook({
   log(`feishu[${accountId}]: starting Webhook server on ${host}:${port}, path ${path}...`);
 
   const server = http.createServer();
-  const webhookHandler = Lark.adaptDefault(path, eventDispatcher, { autoChallenge: true });
 
   server.on("request", (req, res) => {
     res.on("finish", () => {
@@ -118,15 +163,68 @@ export async function monitorWebhook({
       return;
     }
 
-    void Promise.resolve(webhookHandler(req, res))
-      .catch((err) => {
+    void (async () => {
+      try {
+        const bodyResult = await readJsonBodyWithLimit(req, {
+          maxBytes: FEISHU_WEBHOOK_MAX_BODY_BYTES,
+          timeoutMs: FEISHU_WEBHOOK_BODY_TIMEOUT_MS,
+        });
+        if (guard.isTripped() || res.writableEnded) {
+          return;
+        }
+        if (!bodyResult.ok) {
+          if (bodyResult.code === "INVALID_JSON") {
+            respondText(res, 400, "Invalid JSON");
+          }
+          return;
+        }
+        if (!isFeishuWebhookPayload(bodyResult.value)) {
+          respondText(res, 400, "Invalid JSON");
+          return;
+        }
+
+        // Lark's default adapter drops invalid signatures as an empty 200. Reject here instead.
+        if (
+          !isFeishuWebhookSignatureValid({
+            headers: req.headers,
+            payload: bodyResult.value,
+            encryptKey: account.encryptKey,
+          })
+        ) {
+          respondText(res, 401, "Invalid signature");
+          return;
+        }
+
+        const { isChallenge, challenge } = Lark.generateChallenge(bodyResult.value, {
+          encryptKey: account.encryptKey ?? "",
+        });
+        if (isChallenge) {
+          res.statusCode = 200;
+          res.setHeader("Content-Type", "application/json; charset=utf-8");
+          res.end(JSON.stringify(challenge));
+          return;
+        }
+
+        const value = await eventDispatcher.invoke(
+          buildFeishuWebhookEnvelope(req, bodyResult.value),
+          { needCheck: false },
+        );
+        if (!res.headersSent) {
+          res.statusCode = 200;
+          res.setHeader("Content-Type", "application/json; charset=utf-8");
+          res.end(JSON.stringify(value));
+        }
+      } catch (err) {
         if (!guard.isTripped()) {
           error(`feishu[${accountId}]: webhook handler error: ${String(err)}`);
+          if (!res.headersSent) {
+            respondText(res, 500, "Internal Server Error");
+          }
         }
-      })
-      .finally(() => {
+      } finally {
         guard.dispose();
-      });
+      }
+    })();
   });
 
   httpServers.set(accountId, server);

package/src/monitor.webhook-e2e.test.ts

@@ -0,0 +1,214 @@
+import crypto from "node:crypto";
+import { afterEach, describe, expect, it, vi } from "vitest";
+import { createFeishuRuntimeMockModule } from "./monitor.test-mocks.js";
+import { withRunningWebhookMonitor } from "./monitor.webhook.test-helpers.js";
+
+const probeFeishuMock = vi.hoisted(() => vi.fn());
+
+vi.mock("./probe.js", () => ({
+  probeFeishu: probeFeishuMock,
+}));
+
+vi.mock("./client.js", async () => {
+  const actual = await vi.importActual<typeof import("./client.js")>("./client.js");
+  return {
+    ...actual,
+    createFeishuWSClient: vi.fn(() => ({ start: vi.fn() })),
+  };
+});
+
+vi.mock("./runtime.js", () => createFeishuRuntimeMockModule());
+
+import { monitorFeishuProvider, stopFeishuMonitor } from "./monitor.js";
+
+function signFeishuPayload(params: {
+  encryptKey: string;
+  payload: Record<string, unknown>;
+  timestamp?: string;
+  nonce?: string;
+}): Record<string, string> {
+  const timestamp = params.timestamp ?? "1711111111";
+  const nonce = params.nonce ?? "nonce-test";
+  const signature = crypto
+    .createHash("sha256")
+    .update(timestamp + nonce + params.encryptKey + JSON.stringify(params.payload))
+    .digest("hex");
+  return {
+    "content-type": "application/json",
+    "x-lark-request-timestamp": timestamp,
+    "x-lark-request-nonce": nonce,
+    "x-lark-signature": signature,
+  };
+}
+
+function encryptFeishuPayload(encryptKey: string, payload: Record<string, unknown>): string {
+  const iv = crypto.randomBytes(16);
+  const key = crypto.createHash("sha256").update(encryptKey).digest();
+  const cipher = crypto.createCipheriv("aes-256-cbc", key, iv);
+  const plaintext = Buffer.from(JSON.stringify(payload), "utf8");
+  const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+  return Buffer.concat([iv, encrypted]).toString("base64");
+}
+
+async function postSignedPayload(url: string, payload: Record<string, unknown>) {
+  return await fetch(url, {
+    method: "POST",
+    headers: signFeishuPayload({ encryptKey: "encrypt_key", payload }),
+    body: JSON.stringify(payload),
+  });
+}
+
+afterEach(() => {
+  stopFeishuMonitor();
+});
+
+describe("Feishu webhook signed-request e2e", () => {
+  it("rejects invalid signatures with 401 instead of empty 200", async () => {
+    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
+
+    await withRunningWebhookMonitor(
+      {
+        accountId: "invalid-signature",
+        path: "/hook-e2e-invalid-signature",
+        verificationToken: "verify_token",
+        encryptKey: "encrypt_key",
+      },
+      monitorFeishuProvider,
+      async (url) => {
+        const payload = { type: "url_verification", challenge: "challenge-token" };
+        const response = await fetch(url, {
+          method: "POST",
+          headers: {
+            ...signFeishuPayload({ encryptKey: "wrong_key", payload }),
+          },
+          body: JSON.stringify(payload),
+        });
+
+        expect(response.status).toBe(401);
+        expect(await response.text()).toBe("Invalid signature");
+      },
+    );
+  });
+
+  it("rejects missing signature headers with 401", async () => {
+    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
+
+    await withRunningWebhookMonitor(
+      {
+        accountId: "missing-signature",
+        path: "/hook-e2e-missing-signature",
+        verificationToken: "verify_token",
+        encryptKey: "encrypt_key",
+      },
+      monitorFeishuProvider,
+      async (url) => {
+        const response = await fetch(url, {
+          method: "POST",
+          headers: { "content-type": "application/json" },
+          body: JSON.stringify({ type: "url_verification", challenge: "challenge-token" }),
+        });
+
+        expect(response.status).toBe(401);
+        expect(await response.text()).toBe("Invalid signature");
+      },
+    );
+  });
+
+  it("returns 400 for invalid json before invoking the sdk", async () => {
+    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
+
+    await withRunningWebhookMonitor(
+      {
+        accountId: "invalid-json",
+        path: "/hook-e2e-invalid-json",
+        verificationToken: "verify_token",
+        encryptKey: "encrypt_key",
+      },
+      monitorFeishuProvider,
+      async (url) => {
+        const response = await fetch(url, {
+          method: "POST",
+          headers: { "content-type": "application/json" },
+          body: "{not-json",
+        });
+
+        expect(response.status).toBe(400);
+        expect(await response.text()).toBe("Invalid JSON");
+      },
+    );
+  });
+
+  it("accepts signed plaintext url_verification challenges end-to-end", async () => {
+    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
+
+    await withRunningWebhookMonitor(
+      {
+        accountId: "signed-challenge",
+        path: "/hook-e2e-signed-challenge",
+        verificationToken: "verify_token",
+        encryptKey: "encrypt_key",
+      },
+      monitorFeishuProvider,
+      async (url) => {
+        const payload = { type: "url_verification", challenge: "challenge-token" };
+        const response = await postSignedPayload(url, payload);
+
+        expect(response.status).toBe(200);
+        await expect(response.json()).resolves.toEqual({ challenge: "challenge-token" });
+      },
+    );
+  });
+
+  it("accepts signed non-challenge events and reaches the dispatcher", async () => {
+    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
+
+    await withRunningWebhookMonitor(
+      {
+        accountId: "signed-dispatch",
+        path: "/hook-e2e-signed-dispatch",
+        verificationToken: "verify_token",
+        encryptKey: "encrypt_key",
+      },
+      monitorFeishuProvider,
+      async (url) => {
+        const payload = {
+          schema: "2.0",
+          header: { event_type: "unknown.event" },
+          event: {},
+        };
+        const response = await postSignedPayload(url, payload);
+
+        expect(response.status).toBe(200);
+        expect(await response.text()).toContain("no unknown.event event handle");
+      },
+    );
+  });
+
+  it("accepts signed encrypted url_verification challenges end-to-end", async () => {
+    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
+
+    await withRunningWebhookMonitor(
+      {
+        accountId: "encrypted-challenge",
+        path: "/hook-e2e-encrypted-challenge",
+        verificationToken: "verify_token",
+        encryptKey: "encrypt_key",
+      },
+      monitorFeishuProvider,
+      async (url) => {
+        const payload = {
+          encrypt: encryptFeishuPayload("encrypt_key", {
+            type: "url_verification",
+            challenge: "encrypted-challenge-token",
+          }),
+        };
+        const response = await postSignedPayload(url, payload);
+
+        expect(response.status).toBe(200);
+        await expect(response.json()).resolves.toEqual({
+          challenge: "encrypted-challenge-token",
+        });
+      },
+    );
+  });
+});

package/src/monitor.webhook-security.test.ts

@@ -1,11 +1,13 @@
-import { createServer } from "node:http";
-import type { AddressInfo } from "node:net";
-import type { ClawdbotConfig } from "openclaw/plugin-sdk/feishu";
 import { afterEach, describe, expect, it, vi } from "vitest";
 import {
   createFeishuClientMockModule,
   createFeishuRuntimeMockModule,
 } from "./monitor.test-mocks.js";
+import {
+  buildWebhookConfig,
+  getFreePort,
+  withRunningWebhookMonitor,
+} from "./monitor.webhook.test-helpers.js";
 
 const probeFeishuMock = vi.hoisted(() => vi.fn());
 
@@ -33,94 +35,6 @@ import {
   stopFeishuMonitor,
 } from "./monitor.js";
 
-async function getFreePort(): Promise<number> {
-  const server = createServer();
-  await new Promise<void>((resolve) => server.listen(0, "127.0.0.1", () => resolve()));
-  const address = server.address() as AddressInfo | null;
-  if (!address) {
-    throw new Error("missing server address");
-  }
-  await new Promise<void>((resolve) => server.close(() => resolve()));
-  return address.port;
-}
-
-async function waitUntilServerReady(url: string): Promise<void> {
-  for (let i = 0; i < 50; i += 1) {
-    try {
-      const response = await fetch(url, { method: "GET" });
-      if (response.status >= 200 && response.status < 500) {
-        return;
-      }
-    } catch {
-      // retry
-    }
-    await new Promise((resolve) => setTimeout(resolve, 20));
-  }
-  throw new Error(`server did not start: ${url}`);
-}
-
-function buildConfig(params: {
-  accountId: string;
-  path: string;
-  port: number;
-  verificationToken?: string;
-}): ClawdbotConfig {
-  return {
-    channels: {
-      feishu: {
-        enabled: true,
-        accounts: {
-          [params.accountId]: {
-            enabled: true,
-            appId: "cli_test",
-            appSecret: "secret_test", // pragma: allowlist secret
-            connectionMode: "webhook",
-            webhookHost: "127.0.0.1",
-            webhookPort: params.port,
-            webhookPath: params.path,
-            verificationToken: params.verificationToken,
-          },
-        },
-      },
-    },
-  } as ClawdbotConfig;
-}
-
-async function withRunningWebhookMonitor(
-  params: {
-    accountId: string;
-    path: string;
-    verificationToken: string;
-  },
-  run: (url: string) => Promise<void>,
-) {
-  const port = await getFreePort();
-  const cfg = buildConfig({
-    accountId: params.accountId,
-    path: params.path,
-    port,
-    verificationToken: params.verificationToken,
-  });
-
-  const abortController = new AbortController();
-  const runtime = { log: vi.fn(), error: vi.fn(), exit: vi.fn() };
-  const monitorPromise = monitorFeishuProvider({
-    config: cfg,
-    runtime,
-    abortSignal: abortController.signal,
-  });
-
-  const url = `http://127.0.0.1:${port}${params.path}`;
-  await waitUntilServerReady(url);
-
-  try {
-    await run(url);
-  } finally {
-    abortController.abort();
-    await monitorPromise;
-  }
-}
-
 afterEach(() => {
   clearFeishuWebhookRateLimitStateForTest();
   stopFeishuMonitor();
@@ -130,7 +44,7 @@ describe("Feishu webhook security hardening", () => {
   it("rejects webhook mode without verificationToken", async () => {
     probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
 
-    const cfg = buildConfig({
+    const cfg = buildWebhookConfig({
       accountId: "missing-token",
       path: "/hook-missing-token",
       port: await getFreePort(),
@@ -141,6 +55,19 @@ describe("Feishu webhook security hardening", () => {
     );
   });
 
+  it("rejects webhook mode without encryptKey", async () => {
+    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
+
+    const cfg = buildWebhookConfig({
+      accountId: "missing-encrypt-key",
+      path: "/hook-missing-encrypt",
+      port: await getFreePort(),
+      verificationToken: "verify_token",
+    });
+
+    await expect(monitorFeishuProvider({ config: cfg })).rejects.toThrow(/requires encryptKey/i);
+  });
+
   it("returns 415 for POST requests without json content type", async () => {
     probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
     await withRunningWebhookMonitor(
@@ -148,7 +75,9 @@ describe("Feishu webhook security hardening", () => {
         accountId: "content-type",
         path: "/hook-content-type",
         verificationToken: "verify_token",
+        encryptKey: "encrypt_key",
       },
+      monitorFeishuProvider,
       async (url) => {
         const response = await fetch(url, {
           method: "POST",
@@ -169,7 +98,9 @@ describe("Feishu webhook security hardening", () => {
         accountId: "rate-limit",
         path: "/hook-rate-limit",
         verificationToken: "verify_token",
+        encryptKey: "encrypt_key",
       },
+      monitorFeishuProvider,
       async (url) => {
         let saw429 = false;
         for (let i = 0; i < 130; i += 1) {

package/src/monitor.webhook.test-helpers.ts

@@ -0,0 +1,98 @@
+import { createServer } from "node:http";
+import type { AddressInfo } from "node:net";
+import type { ClawdbotConfig } from "openclaw/plugin-sdk/feishu";
+import { vi } from "vitest";
+import type { monitorFeishuProvider } from "./monitor.js";
+
+export async function getFreePort(): Promise<number> {
+  const server = createServer();
+  await new Promise<void>((resolve) => server.listen(0, "127.0.0.1", () => resolve()));
+  const address = server.address() as AddressInfo | null;
+  if (!address) {
+    throw new Error("missing server address");
+  }
+  await new Promise<void>((resolve) => server.close(() => resolve()));
+  return address.port;
+}
+
+async function waitUntilServerReady(url: string): Promise<void> {
+  for (let i = 0; i < 50; i += 1) {
+    try {
+      const response = await fetch(url, { method: "GET" });
+      if (response.status >= 200 && response.status < 500) {
+        return;
+      }
+    } catch {
+      // retry
+    }
+    await new Promise((resolve) => setTimeout(resolve, 20));
+  }
+  throw new Error(`server did not start: ${url}`);
+}
+
+export function buildWebhookConfig(params: {
+  accountId: string;
+  path: string;
+  port: number;
+  verificationToken?: string;
+  encryptKey?: string;
+}): ClawdbotConfig {
+  return {
+    channels: {
+      feishu: {
+        enabled: true,
+        accounts: {
+          [params.accountId]: {
+            enabled: true,
+            appId: "cli_test",
+            appSecret: "secret_test", // pragma: allowlist secret
+            connectionMode: "webhook",
+            webhookHost: "127.0.0.1",
+            webhookPort: params.port,
+            webhookPath: params.path,
+            encryptKey: params.encryptKey,
+            verificationToken: params.verificationToken,
+          },
+        },
+      },
+    },
+  } as ClawdbotConfig;
+}
+
+export async function withRunningWebhookMonitor(
+  params: {
+    accountId: string;
+    path: string;
+    verificationToken: string;
+    encryptKey: string;
+  },
+  monitor: typeof monitorFeishuProvider,
+  run: (url: string) => Promise<void>,
+) {
+  const port = await getFreePort();
+  const cfg = buildWebhookConfig({
+    accountId: params.accountId,
+    path: params.path,
+    port,
+    encryptKey: params.encryptKey,
+    verificationToken: params.verificationToken,
+  });
+
+  const abortController = new AbortController();
+  const runtime = { log: vi.fn(), error: vi.fn(), exit: vi.fn() };
+  const monitorPromise = monitor({
+    config: cfg,
+    runtime,
+    abortSignal: abortController.signal,
+  });
+
+  const url = `http://127.0.0.1:${port}${params.path}`;
+  await waitUntilServerReady(url);
+
+  try {
+    await run(url);
+  } finally {
+    abortController.abort();
+    await monitorPromise;
+  }
+}