@openclaw/feishu 2026.3.13 → 2026.5.2-beta.1

package/src/monitor.webhook-e2e.test.ts

@@ -23,7 +23,7 @@ import { monitorFeishuProvider, stopFeishuMonitor } from "./monitor.js";
 
 function signFeishuPayload(params: {
   encryptKey: string;
-  payload: Record<string, unknown>;
+  rawBody: string;
   timestamp?: string;
   nonce?: string;
 }): Record<string, string> {
@@ -31,7 +31,7 @@ function signFeishuPayload(params: {
   const nonce = params.nonce ?? "nonce-test";
   const signature = crypto
     .createHash("sha256")
-    .update(timestamp + nonce + params.encryptKey + JSON.stringify(params.payload))
+    .update(timestamp + nonce + params.encryptKey + params.rawBody)
     .digest("hex");
   return {
     "content-type": "application/json",
@@ -51,10 +51,11 @@ function encryptFeishuPayload(encryptKey: string, payload: Record<string, unknow
 }
 
 async function postSignedPayload(url: string, payload: Record<string, unknown>) {
+  const rawBody = JSON.stringify(payload);
   return await fetch(url, {
     method: "POST",
-    headers: signFeishuPayload({ encryptKey: "encrypt_key", payload }),
-    body: JSON.stringify(payload),
+    headers: signFeishuPayload({ encryptKey: "encrypt_key", rawBody }),
+    body: rawBody,
   });
 }
 
@@ -76,12 +77,13 @@ describe("Feishu webhook signed-request e2e", () => {
       monitorFeishuProvider,
       async (url) => {
         const payload = { type: "url_verification", challenge: "challenge-token" };
+        const rawBody = JSON.stringify(payload);
         const response = await fetch(url, {
           method: "POST",
           headers: {
-            ...signFeishuPayload({ encryptKey: "wrong_key", payload }),
+            ...signFeishuPayload({ encryptKey: "wrong_key", rawBody }),
           },
-          body: JSON.stringify(payload),
+          body: rawBody,
         });
 
         expect(response.status).toBe(401);
@@ -114,7 +116,38 @@ describe("Feishu webhook signed-request e2e", () => {
     );
   });
 
-  it("returns 400 for invalid json before invoking the sdk", async () => {
+  it("rejects malformed short signatures with 401", async () => {
+    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
+
+    await withRunningWebhookMonitor(
+      {
+        accountId: "short-signature",
+        path: "/hook-e2e-short-signature",
+        verificationToken: "verify_token",
+        encryptKey: "encrypt_key",
+      },
+      monitorFeishuProvider,
+      async (url) => {
+        const payload = { type: "url_verification", challenge: "challenge-token" };
+        const headers = signFeishuPayload({
+          encryptKey: "encrypt_key",
+          rawBody: JSON.stringify(payload),
+        });
+        headers["x-lark-signature"] = headers["x-lark-signature"].slice(0, 12);
+
+        const response = await fetch(url, {
+          method: "POST",
+          headers,
+          body: JSON.stringify(payload),
+        });
+
+        expect(response.status).toBe(401);
+        expect(await response.text()).toBe("Invalid signature");
+      },
+    );
+  });
+
+  it("returns 401 for unsigned invalid json before parsing", async () => {
     probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
 
     await withRunningWebhookMonitor(
@@ -132,6 +165,31 @@ describe("Feishu webhook signed-request e2e", () => {
           body: "{not-json",
         });
 
+        expect(response.status).toBe(401);
+        expect(await response.text()).toBe("Invalid signature");
+      },
+    );
+  });
+
+  it("returns 400 for signed invalid json after signature validation", async () => {
+    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
+
+    await withRunningWebhookMonitor(
+      {
+        accountId: "signed-invalid-json",
+        path: "/hook-e2e-signed-invalid-json",
+        verificationToken: "verify_token",
+        encryptKey: "encrypt_key",
+      },
+      monitorFeishuProvider,
+      async (url) => {
+        const rawBody = "{not-json";
+        const response = await fetch(url, {
+          method: "POST",
+          headers: signFeishuPayload({ encryptKey: "encrypt_key", rawBody }),
+          body: rawBody,
+        });
+
         expect(response.status).toBe(400);
         expect(await response.text()).toBe("Invalid JSON");
       },

package/src/monitor.webhook-security.test.ts

@@ -1,3 +1,4 @@
+import { createConnection } from "node:net";
 import { afterEach, describe, expect, it, vi } from "vitest";
 import {
   createFeishuClientMockModule,
@@ -27,6 +28,15 @@ vi.mock("@larksuiteoapi/node-sdk", () => ({
   ),
 }));
 
+vi.mock("./monitor.state.js", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("./monitor.state.js")>();
+  return {
+    ...actual,
+    FEISHU_WEBHOOK_BODY_TIMEOUT_MS: 50,
+  };
+});
+
+import type { RuntimeEnv } from "../runtime-api.js";
 import {
   clearFeishuWebhookRateLimitStateForTest,
   getFeishuWebhookRateLimitStateSizeForTest,
@@ -34,6 +44,49 @@ import {
   monitorFeishuProvider,
   stopFeishuMonitor,
 } from "./monitor.js";
+import { monitorWebhook } from "./monitor.transport.js";
+import type { ResolvedFeishuAccount } from "./types.js";
+
+async function waitForSlowBodyTimeoutResponse(
+  url: string,
+  timeoutMs: number,
+): Promise<{ body: string; elapsedMs: number }> {
+  return await new Promise<{ body: string; elapsedMs: number }>((resolve, reject) => {
+    const target = new URL(url);
+    const startedAt = Date.now();
+    let response = "";
+    const socket = createConnection(
+      {
+        host: target.hostname,
+        port: Number(target.port),
+      },
+      () => {
+        socket.write(`POST ${target.pathname} HTTP/1.1\r\n`);
+        socket.write(`Host: ${target.hostname}\r\n`);
+        socket.write("Content-Type: application/json\r\n");
+        socket.write("Content-Length: 65536\r\n");
+        socket.write("\r\n");
+        socket.write('{"type":"url_verification"');
+      },
+    );
+
+    socket.setEncoding("utf8");
+    socket.on("error", () => {});
+    socket.on("data", (chunk) => {
+      response += chunk;
+      if (response.includes("Request body timeout")) {
+        clearTimeout(failTimer);
+        socket.destroy();
+        resolve({ body: response, elapsedMs: Date.now() - startedAt });
+      }
+    });
+
+    const failTimer = setTimeout(() => {
+      socket.destroy();
+      reject(new Error(`timeout response did not arrive within ${timeoutMs}ms`));
+    }, timeoutMs);
+  });
+}
 
 afterEach(() => {
   clearFeishuWebhookRateLimitStateForTest();
@@ -68,6 +121,33 @@ describe("Feishu webhook security hardening", () => {
     await expect(monitorFeishuProvider({ config: cfg })).rejects.toThrow(/requires encryptKey/i);
   });
 
+  it("refuses to start the webhook transport without encryptKey", async () => {
+    const account = {
+      accountId: "transport-missing-encrypt-key",
+      config: {
+        enabled: true,
+        connectionMode: "webhook",
+        webhookHost: "127.0.0.1",
+        webhookPort: await getFreePort(),
+        webhookPath: "/hook-transport-missing-encrypt",
+      },
+    } as ResolvedFeishuAccount;
+
+    await expect(
+      monitorWebhook({
+        account,
+        accountId: account.accountId,
+        runtime: {
+          log: vi.fn(),
+          error: vi.fn(),
+          exit: vi.fn(),
+        } as RuntimeEnv,
+        abortSignal: new AbortController().signal,
+        eventDispatcher: {} as never,
+      }),
+    ).rejects.toThrow(/requires encryptKey/i);
+  });
+
   it("returns 415 for POST requests without json content type", async () => {
     probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
     await withRunningWebhookMonitor(
@@ -91,6 +171,48 @@ describe("Feishu webhook security hardening", () => {
     );
   });
 
+  it("rejects oversized unsigned webhook bodies with 413 before signature verification", async () => {
+    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
+    await withRunningWebhookMonitor(
+      {
+        accountId: "payload-too-large",
+        path: "/hook-payload-too-large",
+        verificationToken: "verify_token",
+        encryptKey: "encrypt_key",
+      },
+      monitorFeishuProvider,
+      async (url) => {
+        const response = await fetch(url, {
+          method: "POST",
+          headers: { "content-type": "application/json" },
+          body: JSON.stringify({ payload: "x".repeat(70 * 1024) }),
+        });
+
+        expect(response.status).toBe(413);
+        expect(await response.text()).toBe("Payload too large");
+      },
+    );
+  });
+
+  it("drops slow-body webhook requests within the tightened pre-auth timeout", async () => {
+    probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
+    await withRunningWebhookMonitor(
+      {
+        accountId: "slow-body-timeout",
+        path: "/hook-slow-body-timeout",
+        verificationToken: "verify_token",
+        encryptKey: "encrypt_key",
+      },
+      monitorFeishuProvider,
+      async (url) => {
+        const result = await waitForSlowBodyTimeoutResponse(url, 1_000);
+        expect(result.body).toContain("408 Request Timeout");
+        expect(result.body).toContain("Request body timeout");
+        expect(result.elapsedMs).toBeLessThan(500);
+      },
+    );
+  });
+
   it("rate limits webhook burst traffic with 429", async () => {
     probeFeishuMock.mockResolvedValue({ ok: true, botOpenId: "bot_open_id" });
     await withRunningWebhookMonitor(

package/src/monitor.webhook.test-helpers.ts

@@ -1,9 +1,13 @@
 import { createServer } from "node:http";
 import type { AddressInfo } from "node:net";
-import type { ClawdbotConfig } from "openclaw/plugin-sdk/feishu";
 import { vi } from "vitest";
+import type { ClawdbotConfig } from "../runtime-api.js";
 import type { monitorFeishuProvider } from "./monitor.js";
 
+const WEBHOOK_READY_MAX_ATTEMPTS = 200;
+const WEBHOOK_READY_RETRY_DELAY_MS = 50;
+const WEBHOOK_MONITOR_START_MAX_ATTEMPTS = 4;
+
 export async function getFreePort(): Promise<number> {
   const server = createServer();
   await new Promise<void>((resolve) => server.listen(0, "127.0.0.1", () => resolve()));
@@ -16,7 +20,7 @@ export async function getFreePort(): Promise<number> {
 }
 
 async function waitUntilServerReady(url: string): Promise<void> {
-  for (let i = 0; i < 50; i += 1) {
+  for (let i = 0; i < WEBHOOK_READY_MAX_ATTEMPTS; i += 1) {
     try {
       const response = await fetch(url, { method: "GET" });
       if (response.status >= 200 && response.status < 500) {
@@ -25,7 +29,7 @@ async function waitUntilServerReady(url: string): Promise<void> {
     } catch {
       // retry
     }
-    await new Promise((resolve) => setTimeout(resolve, 20));
+    await new Promise((resolve) => setTimeout(resolve, WEBHOOK_READY_RETRY_DELAY_MS));
   }
   throw new Error(`server did not start: ${url}`);
 }
@@ -69,30 +73,44 @@ export async function withRunningWebhookMonitor(
   monitor: typeof monitorFeishuProvider,
   run: (url: string) => Promise<void>,
 ) {
-  const port = await getFreePort();
-  const cfg = buildWebhookConfig({
-    accountId: params.accountId,
-    path: params.path,
-    port,
-    encryptKey: params.encryptKey,
-    verificationToken: params.verificationToken,
-  });
-
-  const abortController = new AbortController();
-  const runtime = { log: vi.fn(), error: vi.fn(), exit: vi.fn() };
-  const monitorPromise = monitor({
-    config: cfg,
-    runtime,
-    abortSignal: abortController.signal,
-  });
+  let startupError: unknown;
+  for (let attempt = 1; attempt <= WEBHOOK_MONITOR_START_MAX_ATTEMPTS; attempt += 1) {
+    const port = await getFreePort();
+    const cfg = buildWebhookConfig({
+      accountId: params.accountId,
+      path: params.path,
+      port,
+      encryptKey: params.encryptKey,
+      verificationToken: params.verificationToken,
+    });
 
-  const url = `http://127.0.0.1:${port}${params.path}`;
-  await waitUntilServerReady(url);
+    const abortController = new AbortController();
+    const runtime = { log: vi.fn(), error: vi.fn(), exit: vi.fn() };
+    const monitorPromise = monitor({
+      config: cfg,
+      runtime,
+      abortSignal: abortController.signal,
+      accountId: params.accountId,
+    });
 
-  try {
-    await run(url);
-  } finally {
-    abortController.abort();
-    await monitorPromise;
+    const url = `http://127.0.0.1:${port}${params.path}`;
+    try {
+      await waitUntilServerReady(url);
+      try {
+        await run(url);
+      } finally {
+        abortController.abort();
+        await monitorPromise.catch(() => undefined);
+      }
+      return;
+    } catch (error) {
+      startupError = error;
+      abortController.abort();
+      await monitorPromise.catch(() => undefined);
+      if (attempt < WEBHOOK_MONITOR_START_MAX_ATTEMPTS) {
+        await new Promise((resolve) => setTimeout(resolve, attempt * WEBHOOK_READY_RETRY_DELAY_MS));
+      }
+    }
   }
+  throw startupError instanceof Error ? startupError : new Error("failed to start webhook monitor");
 }

package/src/outbound-runtime-api.ts

@@ -0,0 +1 @@
+export { chunkTextForOutbound, type ChannelOutboundAdapter } from "../runtime-api.js";