@openclaw/zalo 2026.2.19 → 2026.2.22

package/CHANGELOG.md

@@ -1,132 +1,6 @@
 # Changelog
 
-## 2026.2.19
-
-### Changes
-
-- Version alignment with core OpenClaw release numbers.
-
-## 2026.2.16
-
-### Changes
-
-- Version alignment with core OpenClaw release numbers.
-
-## 2026.2.15
-
-### Changes
-
-- Version alignment with core OpenClaw release numbers.
-
-## 2026.2.14
-
-### Changes
-
-- Version alignment with core OpenClaw release numbers.
-
-## 2026.2.13
-
-### Changes
-
-- Version alignment with core OpenClaw release numbers.
-
-## 2026.2.6-3
-
-### Changes
-
-- Version alignment with core OpenClaw release numbers.
-
-## 2026.2.6-2
-
-### Changes
-
-- Version alignment with core OpenClaw release numbers.
-
-## 2026.2.6
-
-### Changes
-
-- Version alignment with core OpenClaw release numbers.
-
-## 2026.2.4
-
-### Changes
-
-- Version alignment with core OpenClaw release numbers.
-
-## 2026.2.2
-
-### Changes
-
-- Version alignment with core OpenClaw release numbers.
-
-## 2026.1.31
-
-### Changes
-
-- Version alignment with core OpenClaw release numbers.
-
-## 2026.1.30
-
-### Changes
-
-- Version alignment with core OpenClaw release numbers.
-
-## 2026.1.29
-
-### Changes
-
-- Version alignment with core OpenClaw release numbers.
-
-## 2026.1.23
-
-### Changes
-
-- Version alignment with core OpenClaw release numbers.
-
-## 2026.1.22
-
-### Changes
-
-- Version alignment with core OpenClaw release numbers.
-
-## 2026.1.21
-
-### Changes
-
-- Version alignment with core OpenClaw release numbers.
-
-## 2026.1.20
-
-### Changes
-
-- Version alignment with core OpenClaw release numbers.
-
-## 2026.1.17-1
-
-### Changes
-
-- Version alignment with core OpenClaw release numbers.
-
-## 2026.1.17
-
-### Changes
-
-- Version alignment with core OpenClaw release numbers.
-
-## 2026.1.16
-
-### Changes
-
-- Version alignment with core OpenClaw release numbers.
-
-## 2026.1.15
-
-### Changes
-
-- Version alignment with core OpenClaw release numbers.
-
-## 2026.1.14
+## 2026.2.22
 
 ### Changes
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openclaw/zalo",
-  "version": "2026.2.19",
+  "version": "2026.2.22",
   "description": "OpenClaw Zalo channel plugin",
   "type": "module",
   "dependencies": {

package/src/monitor.ts

@@ -2,10 +2,12 @@ import { timingSafeEqual } from "node:crypto";
 import type { IncomingMessage, ServerResponse } from "node:http";
 import type { OpenClawConfig, MarkdownTableMode } from "openclaw/plugin-sdk";
 import {
+  createDedupeCache,
   createReplyPrefixOptions,
   readJsonBodyWithLimit,
   registerWebhookTarget,
   rejectNonPostWebhookRequest,
+  resolveSingleWebhookTarget,
   resolveSenderCommandAuthorization,
   resolveWebhookPath,
   resolveWebhookTargets,
@@ -91,7 +93,10 @@ type WebhookTarget = {
 
 const webhookTargets = new Map<string, WebhookTarget[]>();
 const webhookRateLimits = new Map<string, WebhookRateLimitState>();
-const recentWebhookEvents = new Map<string, number>();
+const recentWebhookEvents = createDedupeCache({
+  ttlMs: ZALO_WEBHOOK_REPLAY_WINDOW_MS,
+  maxSize: 5000,
+});
 const webhookStatusCounters = new Map<string, number>();
 
 function isJsonContentType(value: string | string[] | undefined): boolean {
@@ -140,22 +145,7 @@ function isReplayEvent(update: ZaloUpdate, nowMs: number): boolean {
     return false;
   }
   const key = `${update.event_name}:${messageId}`;
-  const seenAt = recentWebhookEvents.get(key);
-  recentWebhookEvents.set(key, nowMs);
-
-  if (seenAt && nowMs - seenAt < ZALO_WEBHOOK_REPLAY_WINDOW_MS) {
-    return true;
-  }
-
-  if (recentWebhookEvents.size > 5000) {
-    for (const [eventKey, timestamp] of recentWebhookEvents) {
-      if (nowMs - timestamp >= ZALO_WEBHOOK_REPLAY_WINDOW_MS) {
-        recentWebhookEvents.delete(eventKey);
-      }
-    }
-  }
-
-  return false;
+  return recentWebhookEvents.check(key, nowMs);
 }
 
 function recordWebhookStatus(
@@ -195,20 +185,22 @@ export async function handleZaloWebhookRequest(
   }
 
   const headerToken = String(req.headers["x-bot-api-secret-token"] ?? "");
-  const matching = targets.filter((entry) => timingSafeEquals(entry.secret, headerToken));
-  if (matching.length === 0) {
+  const matchedTarget = resolveSingleWebhookTarget(targets, (entry) =>
+    timingSafeEquals(entry.secret, headerToken),
+  );
+  if (matchedTarget.kind === "none") {
     res.statusCode = 401;
     res.end("unauthorized");
     recordWebhookStatus(targets[0]?.runtime, req.url ?? "<unknown>", res.statusCode);
     return true;
   }
-  if (matching.length > 1) {
+  if (matchedTarget.kind === "ambiguous") {
     res.statusCode = 401;
     res.end("ambiguous webhook target");
     recordWebhookStatus(targets[0]?.runtime, req.url ?? "<unknown>", res.statusCode);
     return true;
   }
-  const target = matching[0];
+  const target = matchedTarget.target;
   const path = req.url ?? "<unknown>";
   const rateLimitKey = `${path}:${req.socket.remoteAddress ?? "unknown"}`;
   const nowMs = Date.now();
@@ -444,7 +436,7 @@ async function handleImageMessage(
   if (photo) {
     try {
       const maxBytes = mediaMaxMb * 1024 * 1024;
-      const fetched = await core.channel.media.fetchRemoteMedia({ url: photo });
+      const fetched = await core.channel.media.fetchRemoteMedia({ url: photo, maxBytes });
       const saved = await core.channel.media.saveMediaBuffer(
         fetched.buffer,
         fetched.contentType,

package/src/monitor.webhook.test.ts

@@ -21,113 +21,84 @@ async function withServer(handler: RequestListener, fn: (baseUrl: string) => Pro
   }
 }
 
+const DEFAULT_ACCOUNT: ResolvedZaloAccount = {
+  accountId: "default",
+  enabled: true,
+  token: "tok",
+  tokenSource: "config",
+  config: {},
+};
+
+const webhookRequestHandler: RequestListener = async (req, res) => {
+  const handled = await handleZaloWebhookRequest(req, res);
+  if (!handled) {
+    res.statusCode = 404;
+    res.end("not found");
+  }
+};
+
+function registerTarget(params: {
+  path: string;
+  secret?: string;
+  statusSink?: (patch: { lastInboundAt?: number; lastOutboundAt?: number }) => void;
+}): () => void {
+  return registerZaloWebhookTarget({
+    token: "tok",
+    account: DEFAULT_ACCOUNT,
+    config: {} as OpenClawConfig,
+    runtime: {},
+    core: {} as PluginRuntime,
+    secret: params.secret ?? "secret",
+    path: params.path,
+    mediaMaxMb: 5,
+    statusSink: params.statusSink,
+  });
+}
+
 describe("handleZaloWebhookRequest", () => {
   it("returns 400 for non-object payloads", async () => {
-    const core = {} as PluginRuntime;
-    const account: ResolvedZaloAccount = {
-      accountId: "default",
-      enabled: true,
-      token: "tok",
-      tokenSource: "config",
-      config: {},
-    };
-    const unregister = registerZaloWebhookTarget({
-      token: "tok",
-      account,
-      config: {} as OpenClawConfig,
-      runtime: {},
-      core,
-      secret: "secret",
-      path: "/hook",
-      mediaMaxMb: 5,
-    });
+    const unregister = registerTarget({ path: "/hook" });
 
     try {
-      await withServer(
-        async (req, res) => {
-          const handled = await handleZaloWebhookRequest(req, res);
-          if (!handled) {
-            res.statusCode = 404;
-            res.end("not found");
-          }
-        },
-        async (baseUrl) => {
-          const response = await fetch(`${baseUrl}/hook`, {
-            method: "POST",
-            headers: {
-              "x-bot-api-secret-token": "secret",
-              "content-type": "application/json",
-            },
-            body: "null",
-          });
-
-          expect(response.status).toBe(400);
-          expect(await response.text()).toBe("Bad Request");
-        },
-      );
+      await withServer(webhookRequestHandler, async (baseUrl) => {
+        const response = await fetch(`${baseUrl}/hook`, {
+          method: "POST",
+          headers: {
+            "x-bot-api-secret-token": "secret",
+            "content-type": "application/json",
+          },
+          body: "null",
+        });
+
+        expect(response.status).toBe(400);
+        expect(await response.text()).toBe("Bad Request");
+      });
     } finally {
       unregister();
     }
   });
 
   it("rejects ambiguous routing when multiple targets match the same secret", async () => {
-    const core = {} as PluginRuntime;
-    const account: ResolvedZaloAccount = {
-      accountId: "default",
-      enabled: true,
-      token: "tok",
-      tokenSource: "config",
-      config: {},
-    };
     const sinkA = vi.fn();
     const sinkB = vi.fn();
-    const unregisterA = registerZaloWebhookTarget({
-      token: "tok",
-      account,
-      config: {} as OpenClawConfig,
-      runtime: {},
-      core,
-      secret: "secret",
-      path: "/hook",
-      mediaMaxMb: 5,
-      statusSink: sinkA,
-    });
-    const unregisterB = registerZaloWebhookTarget({
-      token: "tok",
-      account,
-      config: {} as OpenClawConfig,
-      runtime: {},
-      core,
-      secret: "secret",
-      path: "/hook",
-      mediaMaxMb: 5,
-      statusSink: sinkB,
-    });
+    const unregisterA = registerTarget({ path: "/hook", statusSink: sinkA });
+    const unregisterB = registerTarget({ path: "/hook", statusSink: sinkB });
 
     try {
-      await withServer(
-        async (req, res) => {
-          const handled = await handleZaloWebhookRequest(req, res);
-          if (!handled) {
-            res.statusCode = 404;
-            res.end("not found");
-          }
-        },
-        async (baseUrl) => {
-          const response = await fetch(`${baseUrl}/hook`, {
-            method: "POST",
-            headers: {
-              "x-bot-api-secret-token": "secret",
-              "content-type": "application/json",
-            },
-            body: "{}",
-          });
-
-          expect(response.status).toBe(401);
-          expect(sinkA).not.toHaveBeenCalled();
-          expect(sinkB).not.toHaveBeenCalled();
-        },
-      );
+      await withServer(webhookRequestHandler, async (baseUrl) => {
+        const response = await fetch(`${baseUrl}/hook`, {
+          method: "POST",
+          headers: {
+            "x-bot-api-secret-token": "secret",
+            "content-type": "application/json",
+          },
+          body: "{}",
+        });
+
+        expect(response.status).toBe(401);
+        expect(sinkA).not.toHaveBeenCalled();
+        expect(sinkB).not.toHaveBeenCalled();
+      });
     } finally {
       unregisterA();
       unregisterB();
@@ -135,73 +106,29 @@ describe("handleZaloWebhookRequest", () => {
   });
 
   it("returns 415 for non-json content-type", async () => {
-    const core = {} as PluginRuntime;
-    const account: ResolvedZaloAccount = {
-      accountId: "default",
-      enabled: true,
-      token: "tok",
-      tokenSource: "config",
-      config: {},
-    };
-    const unregister = registerZaloWebhookTarget({
-      token: "tok",
-      account,
-      config: {} as OpenClawConfig,
-      runtime: {},
-      core,
-      secret: "secret",
-      path: "/hook-content-type",
-      mediaMaxMb: 5,
-    });
+    const unregister = registerTarget({ path: "/hook-content-type" });
 
     try {
-      await withServer(
-        async (req, res) => {
-          const handled = await handleZaloWebhookRequest(req, res);
-          if (!handled) {
-            res.statusCode = 404;
-            res.end("not found");
-          }
-        },
-        async (baseUrl) => {
-          const response = await fetch(`${baseUrl}/hook-content-type`, {
-            method: "POST",
-            headers: {
-              "x-bot-api-secret-token": "secret",
-              "content-type": "text/plain",
-            },
-            body: "{}",
-          });
-
-          expect(response.status).toBe(415);
-        },
-      );
+      await withServer(webhookRequestHandler, async (baseUrl) => {
+        const response = await fetch(`${baseUrl}/hook-content-type`, {
+          method: "POST",
+          headers: {
+            "x-bot-api-secret-token": "secret",
+            "content-type": "text/plain",
+          },
+          body: "{}",
+        });
+
+        expect(response.status).toBe(415);
+      });
     } finally {
       unregister();
     }
   });
 
   it("deduplicates webhook replay by event_name + message_id", async () => {
-    const core = {} as PluginRuntime;
-    const account: ResolvedZaloAccount = {
-      accountId: "default",
-      enabled: true,
-      token: "tok",
-      tokenSource: "config",
-      config: {},
-    };
     const sink = vi.fn();
-    const unregister = registerZaloWebhookTarget({
-      token: "tok",
-      account,
-      config: {} as OpenClawConfig,
-      runtime: {},
-      core,
-      secret: "secret",
-      path: "/hook-replay",
-      mediaMaxMb: 5,
-      statusSink: sink,
-    });
+    const unregister = registerTarget({ path: "/hook-replay", statusSink: sink });
 
     const payload = {
       event_name: "message.text.received",
@@ -215,91 +142,56 @@ describe("handleZaloWebhookRequest", () => {
     };
 
     try {
-      await withServer(
-        async (req, res) => {
-          const handled = await handleZaloWebhookRequest(req, res);
-          if (!handled) {
-            res.statusCode = 404;
-            res.end("not found");
-          }
-        },
-        async (baseUrl) => {
-          const first = await fetch(`${baseUrl}/hook-replay`, {
-            method: "POST",
-            headers: {
-              "x-bot-api-secret-token": "secret",
-              "content-type": "application/json",
-            },
-            body: JSON.stringify(payload),
-          });
-          const second = await fetch(`${baseUrl}/hook-replay`, {
-            method: "POST",
-            headers: {
-              "x-bot-api-secret-token": "secret",
-              "content-type": "application/json",
-            },
-            body: JSON.stringify(payload),
-          });
-
-          expect(first.status).toBe(200);
-          expect(second.status).toBe(200);
-          expect(sink).toHaveBeenCalledTimes(1);
-        },
-      );
+      await withServer(webhookRequestHandler, async (baseUrl) => {
+        const first = await fetch(`${baseUrl}/hook-replay`, {
+          method: "POST",
+          headers: {
+            "x-bot-api-secret-token": "secret",
+            "content-type": "application/json",
+          },
+          body: JSON.stringify(payload),
+        });
+        const second = await fetch(`${baseUrl}/hook-replay`, {
+          method: "POST",
+          headers: {
+            "x-bot-api-secret-token": "secret",
+            "content-type": "application/json",
+          },
+          body: JSON.stringify(payload),
+        });
+
+        expect(first.status).toBe(200);
+        expect(second.status).toBe(200);
+        expect(sink).toHaveBeenCalledTimes(1);
+      });
     } finally {
       unregister();
     }
   });
 
   it("returns 429 when per-path request rate exceeds threshold", async () => {
-    const core = {} as PluginRuntime;
-    const account: ResolvedZaloAccount = {
-      accountId: "default",
-      enabled: true,
-      token: "tok",
-      tokenSource: "config",
-      config: {},
-    };
-    const unregister = registerZaloWebhookTarget({
-      token: "tok",
-      account,
-      config: {} as OpenClawConfig,
-      runtime: {},
-      core,
-      secret: "secret",
-      path: "/hook-rate",
-      mediaMaxMb: 5,
-    });
+    const unregister = registerTarget({ path: "/hook-rate" });
 
     try {
-      await withServer(
-        async (req, res) => {
-          const handled = await handleZaloWebhookRequest(req, res);
-          if (!handled) {
-            res.statusCode = 404;
-            res.end("not found");
-          }
-        },
-        async (baseUrl) => {
-          let saw429 = false;
-          for (let i = 0; i < 130; i += 1) {
-            const response = await fetch(`${baseUrl}/hook-rate`, {
-              method: "POST",
-              headers: {
-                "x-bot-api-secret-token": "secret",
-                "content-type": "application/json",
-              },
-              body: "{}",
-            });
-            if (response.status === 429) {
-              saw429 = true;
-              break;
-            }
+      await withServer(webhookRequestHandler, async (baseUrl) => {
+        let saw429 = false;
+        for (let i = 0; i < 130; i += 1) {
+          const response = await fetch(`${baseUrl}/hook-rate`, {
+            method: "POST",
+            headers: {
+              "x-bot-api-secret-token": "secret",
+              "content-type": "application/json",
+            },
+            body: "{}",
+          });
+          if (response.status === 429) {
+            saw429 = true;
+            break;
           }
+        }
 
-          expect(saw429).toBe(true);
-        },
-      );
+        expect(saw429).toBe(true);
+      });
     } finally {
       unregister();
     }