@openclaw/zalo 2026.5.2 → 2026.5.3-beta.2

package/src/monitor.webhook.ts

@@ -1,278 +0,0 @@
-import type { IncomingMessage, ServerResponse } from "node:http";
-import { createClaimableDedupe } from "openclaw/plugin-sdk/persistent-dedupe";
-import { safeEqualSecret } from "openclaw/plugin-sdk/security-runtime";
-import type { ResolvedZaloAccount } from "./accounts.js";
-import type { ZaloFetch, ZaloUpdate } from "./api.js";
-import type { ZaloRuntimeEnv } from "./monitor.types.js";
-import {
-  createFixedWindowRateLimiter,
-  createWebhookAnomalyTracker,
-  readJsonWebhookBodyOrReject,
-  applyBasicWebhookRequestGuards,
-  registerWebhookTargetWithPluginRoute,
-  type RegisterWebhookTargetOptions,
-  type RegisterWebhookPluginRouteOptions,
-  registerWebhookTarget,
-  resolveWebhookTargetWithAuthOrRejectSync,
-  withResolvedWebhookRequestPipeline,
-  WEBHOOK_ANOMALY_COUNTER_DEFAULTS,
-  WEBHOOK_RATE_LIMIT_DEFAULTS,
-  resolveClientIp,
-  type OpenClawConfig,
-} from "./runtime-api.js";
-
-const ZALO_WEBHOOK_REPLAY_WINDOW_MS = 5 * 60_000;
-
-export type ZaloWebhookTarget = {
-  token: string;
-  account: ResolvedZaloAccount;
-  config: OpenClawConfig;
-  runtime: ZaloRuntimeEnv;
-  core: unknown;
-  secret: string;
-  path: string;
-  webhookUrl: string;
-  webhookPath: string;
-  mediaMaxMb: number;
-  canHostMedia: boolean;
-  statusSink?: (patch: { lastInboundAt?: number; lastOutboundAt?: number }) => void;
-  fetcher?: ZaloFetch;
-};
-
-export type ZaloWebhookProcessUpdate = (params: {
-  update: ZaloUpdate;
-  target: ZaloWebhookTarget;
-}) => Promise<void>;
-
-const webhookTargets = new Map<string, ZaloWebhookTarget[]>();
-const webhookRateLimiter = createFixedWindowRateLimiter({
-  windowMs: WEBHOOK_RATE_LIMIT_DEFAULTS.windowMs,
-  maxRequests: WEBHOOK_RATE_LIMIT_DEFAULTS.maxRequests,
-  maxTrackedKeys: WEBHOOK_RATE_LIMIT_DEFAULTS.maxTrackedKeys,
-});
-const recentWebhookEvents = createClaimableDedupe({
-  ttlMs: ZALO_WEBHOOK_REPLAY_WINDOW_MS,
-  memoryMaxSize: 5000,
-});
-const webhookAnomalyTracker = createWebhookAnomalyTracker({
-  maxTrackedKeys: WEBHOOK_ANOMALY_COUNTER_DEFAULTS.maxTrackedKeys,
-  ttlMs: WEBHOOK_ANOMALY_COUNTER_DEFAULTS.ttlMs,
-  logEvery: WEBHOOK_ANOMALY_COUNTER_DEFAULTS.logEvery,
-});
-
-export function clearZaloWebhookSecurityStateForTest(): void {
-  webhookRateLimiter.clear();
-  recentWebhookEvents.clearMemory();
-  webhookAnomalyTracker.clear();
-}
-
-export function getZaloWebhookRateLimitStateSizeForTest(): number {
-  return webhookRateLimiter.size();
-}
-
-export function getZaloWebhookStatusCounterSizeForTest(): number {
-  return webhookAnomalyTracker.size();
-}
-
-function timingSafeEquals(left: string, right: string): boolean {
-  return safeEqualSecret(left, right);
-}
-
-function buildReplayEventCacheKey(target: ZaloWebhookTarget, update: ZaloUpdate): string | null {
-  const messageId = update.message?.message_id;
-  if (!messageId) {
-    return null;
-  }
-  const chatId = update.message?.chat?.id ?? "";
-  const senderId = update.message?.from?.id ?? "";
-  return JSON.stringify([
-    target.path,
-    target.account.accountId,
-    update.event_name,
-    chatId,
-    senderId,
-    messageId,
-  ]);
-}
-
-export class ZaloRetryableWebhookError extends Error {
-  constructor(message: string, options?: ErrorOptions) {
-    super(message, options);
-    this.name = "ZaloRetryableWebhookError";
-  }
-}
-
-export async function processZaloReplayGuardedUpdate(params: {
-  target: ZaloWebhookTarget;
-  update: ZaloUpdate;
-  processUpdate: ZaloWebhookProcessUpdate;
-  nowMs?: number;
-}): Promise<"processed" | "duplicate"> {
-  const replayEventKey = buildReplayEventCacheKey(params.target, params.update);
-  if (replayEventKey) {
-    const replayClaim = await recentWebhookEvents.claim(replayEventKey, { now: params.nowMs });
-    if (replayClaim.kind !== "claimed") {
-      return "duplicate";
-    }
-  }
-
-  params.target.statusSink?.({ lastInboundAt: Date.now() });
-  try {
-    await params.processUpdate({ update: params.update, target: params.target });
-    if (replayEventKey) {
-      await recentWebhookEvents.commit(replayEventKey);
-    }
-    return "processed";
-  } catch (error) {
-    if (replayEventKey) {
-      if (error instanceof ZaloRetryableWebhookError) {
-        recentWebhookEvents.release(replayEventKey, { error });
-      } else {
-        await recentWebhookEvents.commit(replayEventKey);
-      }
-    }
-    throw error;
-  }
-}
-
-function recordWebhookStatus(
-  runtime: ZaloRuntimeEnv | undefined,
-  path: string,
-  statusCode: number,
-): void {
-  webhookAnomalyTracker.record({
-    key: `${path}:${statusCode}`,
-    statusCode,
-    log: runtime?.log,
-    message: (count) =>
-      `[zalo] webhook anomaly path=${path} status=${statusCode} count=${String(count)}`,
-  });
-}
-
-function headerValue(value: string | string[] | undefined): string | undefined {
-  return Array.isArray(value) ? value[0] : value;
-}
-
-export function registerZaloWebhookTarget(
-  target: ZaloWebhookTarget,
-  opts?: {
-    route?: RegisterWebhookPluginRouteOptions;
-  } & Pick<
-    RegisterWebhookTargetOptions<ZaloWebhookTarget>,
-    "onFirstPathTarget" | "onLastPathTargetRemoved"
-  >,
-): () => void {
-  if (opts?.route) {
-    return registerWebhookTargetWithPluginRoute({
-      targetsByPath: webhookTargets,
-      target,
-      route: opts.route,
-      onLastPathTargetRemoved: opts.onLastPathTargetRemoved,
-    }).unregister;
-  }
-  return registerWebhookTarget(webhookTargets, target, opts).unregister;
-}
-
-export async function handleZaloWebhookRequest(
-  req: IncomingMessage,
-  res: ServerResponse,
-  processUpdate: ZaloWebhookProcessUpdate,
-): Promise<boolean> {
-  return await withResolvedWebhookRequestPipeline({
-    req,
-    res,
-    targetsByPath: webhookTargets,
-    allowMethods: ["POST"],
-    handle: async ({ targets, path }) => {
-      const trustedProxies = targets[0]?.config.gateway?.trustedProxies;
-      const allowRealIpFallback = targets[0]?.config.gateway?.allowRealIpFallback === true;
-      const clientIp =
-        resolveClientIp({
-          remoteAddr: req.socket.remoteAddress,
-          forwardedFor: headerValue(req.headers["x-forwarded-for"]),
-          realIp: headerValue(req.headers["x-real-ip"]),
-          trustedProxies,
-          allowRealIpFallback,
-        }) ??
-        req.socket.remoteAddress ??
-        "unknown";
-      const rateLimitKey = `${path}:${clientIp}`;
-      const nowMs = Date.now();
-      if (
-        !applyBasicWebhookRequestGuards({
-          req,
-          res,
-          rateLimiter: webhookRateLimiter,
-          rateLimitKey,
-          nowMs,
-        })
-      ) {
-        recordWebhookStatus(targets[0]?.runtime, path, res.statusCode);
-        return true;
-      }
-
-      const headerToken = String(req.headers["x-bot-api-secret-token"] ?? "");
-      const target = resolveWebhookTargetWithAuthOrRejectSync({
-        targets,
-        res,
-        isMatch: (entry) => timingSafeEquals(entry.secret, headerToken),
-      });
-      if (!target) {
-        recordWebhookStatus(targets[0]?.runtime, path, res.statusCode);
-        return true;
-      }
-      // Preserve the historical 401-before-415 ordering for invalid secrets while still
-      // consuming rate-limit budget on unauthenticated guesses.
-      if (
-        !applyBasicWebhookRequestGuards({
-          req,
-          res,
-          requireJsonContentType: true,
-        })
-      ) {
-        recordWebhookStatus(target.runtime, path, res.statusCode);
-        return true;
-      }
-      const body = await readJsonWebhookBodyOrReject({
-        req,
-        res,
-        maxBytes: 1024 * 1024,
-        timeoutMs: 30_000,
-        emptyObjectOnEmpty: false,
-        invalidJsonMessage: "Bad Request",
-      });
-      if (!body.ok) {
-        recordWebhookStatus(target.runtime, path, res.statusCode);
-        return true;
-      }
-      const raw = body.value;
-
-      // Zalo sends updates directly as { event_name, message, ... }, not wrapped in { ok, result }.
-      const record = raw && typeof raw === "object" ? (raw as Record<string, unknown>) : null;
-      const update: ZaloUpdate | undefined =
-        record && record.ok === true && record.result
-          ? (record.result as ZaloUpdate)
-          : ((record as ZaloUpdate | null) ?? undefined);
-
-      if (!update?.event_name) {
-        res.statusCode = 400;
-        res.end("Bad Request");
-        recordWebhookStatus(target.runtime, path, res.statusCode);
-        return true;
-      }
-
-      void processZaloReplayGuardedUpdate({
-        target,
-        update,
-        processUpdate,
-        nowMs,
-      }).catch((err) => {
-        target.runtime.error?.(`[${target.account.accountId}] Zalo webhook failed: ${String(err)}`);
-      });
-
-      res.statusCode = 200;
-      res.end("ok");
-      return true;
-    },
-  });
-}

package/src/outbound-media.test.ts

@@ -1,182 +0,0 @@
-import { stat } from "node:fs/promises";
-import { join } from "node:path";
-import { resolvePreferredOpenClawTmpDir } from "openclaw/plugin-sdk/temp-path";
-import { beforeEach, describe, expect, it, vi } from "vitest";
-
-const loadOutboundMediaFromUrlMock = vi.fn();
-
-vi.mock("openclaw/plugin-sdk/outbound-media", () => ({
-  loadOutboundMediaFromUrl: (...args: unknown[]) => loadOutboundMediaFromUrlMock(...args),
-}));
-
-import {
-  clearHostedZaloMediaForTest,
-  prepareHostedZaloMediaUrl,
-  resolveHostedZaloMediaRoutePrefix,
-  tryHandleHostedZaloMediaRequest,
-} from "./outbound-media.js";
-
-function createMockResponse() {
-  const headers = new Map<string, string>();
-  return {
-    headers,
-    res: {
-      statusCode: 200,
-      setHeader(name: string, value: string) {
-        headers.set(name, value);
-      },
-      end: vi.fn(),
-    },
-  };
-}
-
-describe("zalo outbound hosted media", () => {
-  beforeEach(() => {
-    clearHostedZaloMediaForTest();
-    loadOutboundMediaFromUrlMock.mockReset();
-    loadOutboundMediaFromUrlMock.mockResolvedValue({
-      buffer: Buffer.from("image-bytes"),
-      contentType: "image/png",
-      fileName: "photo.png",
-    });
-  });
-
-  it("loads outbound media under OpenClaw control and returns a hosted URL", async () => {
-    const hostedUrl = await prepareHostedZaloMediaUrl({
-      mediaUrl: "https://example.com/photo.png",
-      webhookUrl: "https://gateway.example.com/zalo-webhook",
-      maxBytes: 1024,
-    });
-
-    expect(loadOutboundMediaFromUrlMock).toHaveBeenCalledWith("https://example.com/photo.png", {
-      maxBytes: 1024,
-    });
-    expect(hostedUrl).toMatch(
-      /^https:\/\/gateway\.example\.com\/zalo-webhook\/media\/[a-f0-9]+\?token=[a-f0-9]+$/,
-    );
-  });
-
-  it("passes proxy-aware fetch options into hosted media downloads", async () => {
-    await prepareHostedZaloMediaUrl({
-      mediaUrl: "https://example.com/photo.png",
-      webhookUrl: "https://gateway.example.com/zalo-webhook",
-      maxBytes: 1024,
-      proxyUrl: "http://proxy.example:8080",
-    });
-
-    expect(loadOutboundMediaFromUrlMock).toHaveBeenCalledWith("https://example.com/photo.png", {
-      maxBytes: 1024,
-      proxyUrl: "http://proxy.example:8080",
-    });
-  });
-
-  it("creates hosted media storage with private filesystem permissions", async () => {
-    const hostedUrl = await prepareHostedZaloMediaUrl({
-      mediaUrl: "https://example.com/photo.png",
-      webhookUrl: "https://gateway.example.com/zalo-webhook",
-      maxBytes: 1024,
-    });
-
-    if (process.platform === "win32") {
-      expect(hostedUrl).toContain("/zalo-webhook/media/");
-      return;
-    }
-
-    const { pathname } = new URL(hostedUrl);
-    const id = pathname.split("/").pop();
-    expect(id).toBeTruthy();
-
-    const storageDir = join(resolvePreferredOpenClawTmpDir(), "openclaw-zalo-outbound-media");
-    const [dirStats, metadataStats, bufferStats] = await Promise.all([
-      stat(storageDir),
-      stat(join(storageDir, `${id}.json`)),
-      stat(join(storageDir, `${id}.bin`)),
-    ]);
-
-    expect(dirStats.mode & 0o777).toBe(0o700);
-    expect(metadataStats.mode & 0o777).toBe(0o600);
-    expect(bufferStats.mode & 0o777).toBe(0o600);
-  });
-
-  it("preserves the root webhook path when deriving the hosted media route", () => {
-    expect(
-      resolveHostedZaloMediaRoutePrefix({
-        webhookUrl: "https://gateway.example.com/",
-      }),
-    ).toBe("/media");
-  });
-
-  it("serves hosted media once when the route token matches", async () => {
-    const hostedUrl = await prepareHostedZaloMediaUrl({
-      mediaUrl: "https://example.com/photo.png",
-      webhookUrl: "https://gateway.example.com/zalo-webhook",
-      maxBytes: 1024,
-    });
-    const { pathname, search } = new URL(hostedUrl);
-    const response = createMockResponse();
-
-    const handled = await tryHandleHostedZaloMediaRequest(
-      {
-        method: "GET",
-        url: `${pathname}${search}`,
-      } as never,
-      response.res as never,
-    );
-
-    expect(handled).toBe(true);
-    expect(response.res.statusCode).toBe(200);
-    expect(response.headers.get("Content-Type")).toBe("image/png");
-    expect(response.res.end).toHaveBeenCalledWith(Buffer.from("image-bytes"));
-
-    const secondResponse = createMockResponse();
-    const handledAgain = await tryHandleHostedZaloMediaRequest(
-      {
-        method: "GET",
-        url: `${pathname}${search}`,
-      } as never,
-      secondResponse.res as never,
-    );
-
-    expect(handledAgain).toBe(true);
-    expect(secondResponse.res.statusCode).toBe(404);
-  });
-
-  it("rejects hosted media requests with the wrong token", async () => {
-    const hostedUrl = await prepareHostedZaloMediaUrl({
-      mediaUrl: "https://example.com/photo.png",
-      webhookUrl: "https://gateway.example.com/custom/zalo",
-      webhookPath: "/custom/zalo-hook",
-      maxBytes: 1024,
-    });
-    const pathname = new URL(hostedUrl).pathname;
-    const response = createMockResponse();
-
-    const handled = await tryHandleHostedZaloMediaRequest(
-      {
-        method: "GET",
-        url: `${pathname}?token=wrong`,
-      } as never,
-      response.res as never,
-    );
-
-    expect(handled).toBe(true);
-    expect(response.res.statusCode).toBe(401);
-    expect(response.res.end).toHaveBeenCalledWith("Unauthorized");
-  });
-
-  it("rejects malformed hosted media ids before touching disk", async () => {
-    const response = createMockResponse();
-
-    const handled = await tryHandleHostedZaloMediaRequest(
-      {
-        method: "GET",
-        url: "/zalo-webhook/media/not-a-valid-hex-id?token=wrong",
-      } as never,
-      response.res as never,
-    );
-
-    expect(handled).toBe(true);
-    expect(response.res.statusCode).toBe(404);
-    expect(response.res.end).toHaveBeenCalledWith("Not Found");
-  });
-});

package/src/outbound-media.ts

@@ -1,241 +0,0 @@
-import { randomBytes } from "node:crypto";
-import { rmSync } from "node:fs";
-import { chmod, mkdir, readdir, readFile, stat, unlink, writeFile } from "node:fs/promises";
-import type { IncomingMessage, ServerResponse } from "node:http";
-import { join } from "node:path";
-import { loadOutboundMediaFromUrl } from "openclaw/plugin-sdk/outbound-media";
-import { resolvePreferredOpenClawTmpDir } from "openclaw/plugin-sdk/temp-path";
-import { resolveWebhookPath } from "openclaw/plugin-sdk/webhook-ingress";
-
-const ZALO_OUTBOUND_MEDIA_TTL_MS = 2 * 60_000;
-const ZALO_OUTBOUND_MEDIA_SEGMENT = "media";
-const ZALO_OUTBOUND_MEDIA_PREFIX = `/${ZALO_OUTBOUND_MEDIA_SEGMENT}/`;
-const ZALO_OUTBOUND_MEDIA_DIR = join(
-  resolvePreferredOpenClawTmpDir(),
-  "openclaw-zalo-outbound-media",
-);
-const ZALO_OUTBOUND_MEDIA_ID_RE = /^[a-f0-9]{24}$/;
-
-type HostedZaloMediaMetadata = {
-  routePath: string;
-  token: string;
-  contentType?: string;
-  expiresAt: number;
-};
-
-function resolveHostedZaloMediaMetadataPath(id: string): string {
-  return join(ZALO_OUTBOUND_MEDIA_DIR, `${id}.json`);
-}
-
-function resolveHostedZaloMediaBufferPath(id: string): string {
-  return join(ZALO_OUTBOUND_MEDIA_DIR, `${id}.bin`);
-}
-
-function createHostedZaloMediaId(): string {
-  return randomBytes(12).toString("hex");
-}
-
-function createHostedZaloMediaToken(): string {
-  return randomBytes(24).toString("hex");
-}
-
-async function ensureHostedZaloMediaDir(): Promise<void> {
-  await mkdir(ZALO_OUTBOUND_MEDIA_DIR, { recursive: true, mode: 0o700 });
-  await chmod(ZALO_OUTBOUND_MEDIA_DIR, 0o700).catch(() => undefined);
-}
-
-async function deleteHostedZaloMediaEntry(id: string): Promise<void> {
-  await Promise.all([
-    unlink(resolveHostedZaloMediaMetadataPath(id)).catch(() => undefined),
-    unlink(resolveHostedZaloMediaBufferPath(id)).catch(() => undefined),
-  ]);
-}
-
-async function cleanupExpiredHostedZaloMedia(nowMs = Date.now()): Promise<void> {
-  let fileNames: string[];
-  try {
-    fileNames = await readdir(ZALO_OUTBOUND_MEDIA_DIR);
-  } catch {
-    return;
-  }
-
-  await Promise.all(
-    fileNames
-      .filter((fileName) => fileName.endsWith(".json"))
-      .map(async (fileName) => {
-        const id = fileName.slice(0, -5);
-        try {
-          const metadataRaw = await readFile(resolveHostedZaloMediaMetadataPath(id), "utf8");
-          const metadata = JSON.parse(metadataRaw) as HostedZaloMediaMetadata;
-          if (metadata.expiresAt <= nowMs) {
-            await deleteHostedZaloMediaEntry(id);
-          }
-        } catch {
-          await deleteHostedZaloMediaEntry(id);
-        }
-      }),
-  );
-}
-
-async function readHostedZaloMediaEntry(id: string): Promise<{
-  metadata: HostedZaloMediaMetadata;
-  buffer: Buffer;
-} | null> {
-  try {
-    const [metadataRaw, buffer] = await Promise.all([
-      readFile(resolveHostedZaloMediaMetadataPath(id), "utf8"),
-      readFile(resolveHostedZaloMediaBufferPath(id)),
-    ]);
-    return {
-      metadata: JSON.parse(metadataRaw) as HostedZaloMediaMetadata,
-      buffer,
-    };
-  } catch {
-    return null;
-  }
-}
-
-export function resolveHostedZaloMediaRoutePrefix(params: {
-  webhookUrl: string;
-  webhookPath?: string;
-}): string {
-  const webhookRoutePath = resolveWebhookPath({
-    webhookPath: params.webhookPath,
-    webhookUrl: params.webhookUrl,
-    defaultPath: null,
-  });
-  if (!webhookRoutePath) {
-    throw new Error("Zalo webhookPath could not be derived for outbound media hosting");
-  }
-  return webhookRoutePath === "/"
-    ? `/${ZALO_OUTBOUND_MEDIA_SEGMENT}`
-    : `${webhookRoutePath}/${ZALO_OUTBOUND_MEDIA_SEGMENT}`;
-}
-
-function resolveHostedZaloMediaRoutePath(params: {
-  webhookUrl: string;
-  webhookPath?: string;
-}): string {
-  return `${resolveHostedZaloMediaRoutePrefix(params)}/`;
-}
-
-export async function prepareHostedZaloMediaUrl(params: {
-  mediaUrl: string;
-  webhookUrl: string;
-  webhookPath?: string;
-  maxBytes: number;
-  proxyUrl?: string;
-}): Promise<string> {
-  await ensureHostedZaloMediaDir();
-  await cleanupExpiredHostedZaloMedia();
-
-  const media = await loadOutboundMediaFromUrl(params.mediaUrl, {
-    maxBytes: params.maxBytes,
-    ...(params.proxyUrl ? { proxyUrl: params.proxyUrl } : {}),
-  });
-
-  const routePath = resolveHostedZaloMediaRoutePath({
-    webhookUrl: params.webhookUrl,
-    webhookPath: params.webhookPath,
-  });
-  const id = createHostedZaloMediaId();
-  const token = createHostedZaloMediaToken();
-  const publicBaseUrl = new URL(params.webhookUrl).origin;
-
-  await writeFile(resolveHostedZaloMediaBufferPath(id), media.buffer, { mode: 0o600 });
-  try {
-    await writeFile(
-      resolveHostedZaloMediaMetadataPath(id),
-      JSON.stringify({
-        routePath,
-        token,
-        contentType: media.contentType,
-        expiresAt: Date.now() + ZALO_OUTBOUND_MEDIA_TTL_MS,
-      } satisfies HostedZaloMediaMetadata),
-      { encoding: "utf8", mode: 0o600 },
-    );
-  } catch (error) {
-    await deleteHostedZaloMediaEntry(id);
-    throw error;
-  }
-
-  return `${publicBaseUrl}${routePath}${id}?token=${token}`;
-}
-
-export async function tryHandleHostedZaloMediaRequest(
-  req: IncomingMessage,
-  res: ServerResponse,
-): Promise<boolean> {
-  await cleanupExpiredHostedZaloMedia();
-
-  const method = req.method ?? "GET";
-  if (method !== "GET" && method !== "HEAD") {
-    return false;
-  }
-
-  let url: URL;
-  try {
-    url = new URL(req.url ?? "/", "http://localhost");
-  } catch {
-    return false;
-  }
-
-  const mediaPath = url.pathname;
-  const prefixIndex = mediaPath.lastIndexOf(ZALO_OUTBOUND_MEDIA_PREFIX);
-  if (prefixIndex < 0) {
-    return false;
-  }
-
-  const routePath = mediaPath.slice(0, prefixIndex + ZALO_OUTBOUND_MEDIA_PREFIX.length);
-  const id = mediaPath.slice(prefixIndex + ZALO_OUTBOUND_MEDIA_PREFIX.length);
-  if (!id || !ZALO_OUTBOUND_MEDIA_ID_RE.test(id)) {
-    res.statusCode = 404;
-    res.end("Not Found");
-    return true;
-  }
-
-  const entry = await readHostedZaloMediaEntry(id);
-  if (!entry || entry.metadata.routePath !== routePath) {
-    res.statusCode = 404;
-    res.end("Not Found");
-    return true;
-  }
-
-  if (entry.metadata.expiresAt <= Date.now()) {
-    await deleteHostedZaloMediaEntry(id);
-    res.statusCode = 410;
-    res.end("Expired");
-    return true;
-  }
-
-  if (url.searchParams.get("token") !== entry.metadata.token) {
-    res.statusCode = 401;
-    res.end("Unauthorized");
-    return true;
-  }
-
-  if (entry.metadata.contentType) {
-    res.setHeader("Content-Type", entry.metadata.contentType);
-  }
-  res.setHeader("Cache-Control", "no-store");
-  res.setHeader("X-Content-Type-Options", "nosniff");
-  const bufferStats = await stat(resolveHostedZaloMediaBufferPath(id)).catch(() => null);
-  if (bufferStats) {
-    res.setHeader("Content-Length", String(bufferStats.size));
-  }
-
-  if (method === "HEAD") {
-    res.statusCode = 200;
-    res.end();
-    return true;
-  }
-
-  res.statusCode = 200;
-  res.end(entry.buffer);
-  await deleteHostedZaloMediaEntry(id);
-  return true;
-}
-
-export function clearHostedZaloMediaForTest(): void {
-  rmSync(ZALO_OUTBOUND_MEDIA_DIR, { recursive: true, force: true });
-}