agent-messenger 2.23.5 → 2.24.0

package/src/platforms/webex/client.test.ts

@@ -81,6 +81,38 @@ describe('WebexClient', () => {
       expect((client as any).deviceUrl).toBe('https://wdm-r.wbx2.com/wdm/api/v1/devices/dev-1')
       expect((client as any).tokenType).toBe('extracted')
     })
+
+    const DEVICE_URL = 'https://wdm-r.wbx2.com/wdm/api/v1/devices/dev-1'
+    const encryptionOf = (client: WebexClient) =>
+      (client as unknown as { encryption: WebexEncryptionService | null }).encryption
+
+    it('initializes encryption for explicit extracted credentials with a device URL', async () => {
+      const client = await new WebexClient().login({
+        token: 'extracted-token',
+        deviceUrl: DEVICE_URL,
+        tokenType: 'extracted',
+      })
+      expect(encryptionOf(client)).toBeInstanceOf(WebexEncryptionService)
+    })
+
+    it('initializes encryption for explicit password credentials with a device URL', async () => {
+      const client = await new WebexClient().login({
+        token: 'password-token',
+        deviceUrl: DEVICE_URL,
+        tokenType: 'password',
+      })
+      expect(encryptionOf(client)).toBeInstanceOf(WebexEncryptionService)
+    })
+
+    it('does not initialize encryption for a plain token without device URL', async () => {
+      const client = await new WebexClient().login({ token: 'plain-token' })
+      expect(encryptionOf(client)).toBeNull()
+    })
+
+    it('does not initialize encryption when device URL is absent', async () => {
+      const client = await new WebexClient().login({ token: 'extracted-token', tokenType: 'extracted' })
+      expect(encryptionOf(client)).toBeNull()
+    })
   })
 
   describe('testAuth', () => {
@@ -623,12 +655,17 @@ describe('WebexClient', () => {
       activities: { items: activities },
     })
 
+    // These tests exercise the cleartext internal-API shape, so the KMS-backed
+    // encryption service is cleared after login; the encrypted path has its own
+    // createEncryptedClient that re-attaches a stub service.
     const createExtractedClient = async () => {
-      return new WebexClient().login({
+      const client = await new WebexClient().login({
         token: 'extracted-token',
         deviceUrl: TEST_DEVICE_URL,
         tokenType: 'extracted',
       })
+      ;(client as unknown as { encryption: null }).encryption = null
+      return client
     }
 
     describe('sendMessage', () => {
@@ -988,6 +1025,31 @@ describe('WebexClient', () => {
         expect(decodeJweHeader(body.object.displayName).kid).toBe(TEST_KEY_URI)
         expect(decodeJweHeader(body.object.content).kid).toBe(TEST_KEY_URI)
       })
+
+      it('explicit-credential login encrypts the send without manually attaching a service', async () => {
+        const keystore = jose.JWK.createKeyStore()
+        const key = await keystore.generate('oct', 256, { alg: 'A256GCM' })
+        const serializedKey = JSON.stringify({ uri: TEST_KEY_URI, jwk: key.toJSON(true) })
+
+        const client = await new WebexClient().login({
+          token: 'extracted-token',
+          deviceUrl: TEST_DEVICE_URL,
+          tokenType: 'extracted',
+        })
+        const service = (client as unknown as { encryption: WebexEncryptionService | null }).encryption
+        expect(service).toBeInstanceOf(WebexEncryptionService)
+        service?.setKeyProvider({ fetchKey: async () => serializedKey })
+
+        mockResponse({ id: TEST_CONV_UUID, defaultActivityEncryptionKeyUrl: TEST_KEY_URI })
+        mockResponse(mockActivity('Hello world'))
+
+        await client.sendMessage(TEST_ROOM_ID, 'Hello world')
+
+        const body = JSON.parse(fetchCalls[1].options?.body as string)
+        expect(body.object.displayName.startsWith('eyJ')).toBe(true)
+        expect(body.encryptionKeyUrl).toBe(TEST_KEY_URI)
+        expect(decodeJweHeader(body.object.displayName).kid).toBe(TEST_KEY_URI)
+      })
     })
 
     describe('sendDirectMessage', () => {

package/src/platforms/webex/client.ts

@@ -52,6 +52,7 @@ export class WebexClient {
       this.token = credentials.token
       if (credentials.deviceUrl !== undefined) this.deviceUrl = credentials.deviceUrl
       if (credentials.tokenType !== undefined) this.tokenType = credentials.tokenType
+      this.initializeEncryption(credentials.token)
       return this
     }
 
@@ -63,29 +64,46 @@ export class WebexClient {
     if (!token) {
       throw new WebexError('No Webex credentials found. Run "auth login" to authenticate.', 'no_credentials')
     }
+    this.token = token
     this.deviceUrl = config?.deviceUrl ?? null
     this.tokenType = config?.tokenType ?? null
-    await this.login({ token })
-
-    if (this.tokenType === 'extracted' || this.tokenType === 'password') {
-      const keysMap = new Map(Object.entries(config?.encryptionKeys ?? {}))
-      this.encryption = new WebexEncryptionService(keysMap)
-      const kmsProvider = new KmsKeyProvider({ token })
-      this.encryption.setKeyProvider({
-        fetchKey: async (keyUri: string) => {
-          const serializedKey = await kmsProvider.fetchKey(keyUri)
-          if (serializedKey) {
-            await this.persistEncryptionKey(credManager, keyUri, serializedKey)
-          }
-          return serializedKey
-        },
-        close: () => kmsProvider.close(),
-      })
-    }
+    this.initializeEncryption(token, {
+      cachedKeys: config?.encryptionKeys,
+      persist: (keyUri, serializedKey) => this.persistEncryptionKey(credManager, keyUri, serializedKey),
+    })
 
     return this
   }
 
+  // Both login paths must run this. Explicit-credential callers would otherwise
+  // skip encryption setup and send cleartext on the internal conversation API,
+  // which Webex flags as "not encrypted before it was sent". Gated on a
+  // device-backed extracted/password session, the only case E2E applies to.
+  private initializeEncryption(
+    token: string,
+    options?: {
+      cachedKeys?: Record<string, string>
+      persist?: (keyUri: string, serializedKey: string) => Promise<void>
+    },
+  ): void {
+    if (this.tokenType !== 'extracted' && this.tokenType !== 'password') return
+    if (this.deviceUrl === null) return
+
+    const keysMap = new Map(Object.entries(options?.cachedKeys ?? {}))
+    this.encryption = new WebexEncryptionService(keysMap)
+    const kmsProvider = new KmsKeyProvider({ token })
+    this.encryption.setKeyProvider({
+      fetchKey: async (keyUri: string) => {
+        const serializedKey = await kmsProvider.fetchKey(keyUri)
+        if (serializedKey) {
+          await options?.persist?.(keyUri, serializedKey)
+        }
+        return serializedKey
+      },
+      close: () => kmsProvider.close(),
+    })
+  }
+
   async dispose(): Promise<void> {
     await this.encryption?.close()
   }

package/src/vendor/linejs/base/request/mod.js

@@ -158,7 +158,7 @@ const square = [
       throw new InternalError("RequestError", `Request internal failed, ${methodName}(${path}) -> ` + JSON.stringify(res.data.e), res.data.e);
     }
     if (hasError && !isRefresh) {
-      if (res.data.e.code === "NOT_AUTHORIZED_DEVICE") {
+      if (res.data.e && res.data.e.code === "NOT_AUTHORIZED_DEVICE") {
         delete this.client.authToken;
         this.client.emit("end", this.client.profile);
       }

package/src/vendor/linejs/base/request/mod.test.ts

@@ -0,0 +1,54 @@
+import { describe, expect, it } from 'bun:test'
+
+import { InternalError } from '../core/mod.js'
+import { RequestClient } from './mod.js'
+
+// Regression: a thrift error response can set hasError (empty res.data[0]) while
+// omitting the exception struct (res.data[1] absent), leaving res.data.e undefined.
+function createClient(readThriftResult: { data: Record<string, unknown> }) {
+  const deviceDetails = {
+    device: 'TEST',
+    appVersion: '0.0.0',
+    systemName: 'TEST',
+    systemVersion: '0.0.0',
+  }
+  const stubClient = {
+    deviceDetails,
+    endpoint: 'legy.line-apps.test',
+    authToken: 'expired-token',
+    config: { timeout: 1000 },
+    storage: { get: async () => undefined },
+    log: () => {},
+    emit: () => {},
+    fetch: async () => ({
+      headers: { get: () => null },
+      arrayBuffer: async () => new ArrayBuffer(0),
+    }),
+    thrift: {
+      writeThrift: () => new Uint8Array(),
+      readThrift: () => readThriftResult,
+      rename_data: () => {},
+    },
+  }
+
+  return new RequestClient(stubClient as never)
+}
+
+describe('RequestClient.requestCore error handling', () => {
+  it('throws a clean RequestError when hasError is set but no exception struct is present', async () => {
+    // given: an error response with an empty success slot and no exception struct
+    const client = createClient({ data: { 0: undefined, someField: 1 } })
+
+    // when / then: the error branch must throw InternalError, not a TypeError
+    let thrown: unknown
+    try {
+      await client.requestCore('/S3', [], 'testMethod', 3)
+    } catch (error) {
+      thrown = error
+    }
+
+    expect(thrown).toBeInstanceOf(InternalError)
+    expect((thrown as InternalError).type).toBe('RequestError')
+    expect(thrown).not.toBeInstanceOf(TypeError)
+  })
+})