openclaw-groupme 0.0.4 → 0.3.0

package/src/onboarding.ts

@@ -1,8 +1,10 @@
+import { randomBytes } from "node:crypto";
 import type { ChannelOnboardingAdapter } from "openclaw/plugin-sdk";
 import type { OpenClawConfig } from "openclaw/plugin-sdk";
 import { DEFAULT_ACCOUNT_ID } from "openclaw/plugin-sdk";
-import type { CoreConfig, GroupMeConfig } from "./types.js";
 import { resolveGroupMeAccount } from "./accounts.js";
+import { createBot, fetchGroups } from "./groupme-api.js";
+import type { CoreConfig, GroupMeConfig } from "./types.js";
 
 function applyGroupMeConfig(params: {
   cfg: OpenClawConfig;
@@ -46,6 +48,13 @@ function applyGroupMeConfig(params: {
   };
 }
 
+function redactMiddle(value: string): string {
+  if (value.length <= 10) {
+    return value;
+  }
+  return `${value.slice(0, 6)}...${value.slice(-3)}`;
+}
+
 export const groupmeOnboardingAdapter: ChannelOnboardingAdapter = {
   channel: "groupme",
   getStatus: async ({ cfg, accountOverrides }) => {
@@ -56,72 +65,164 @@ export const groupmeOnboardingAdapter: ChannelOnboardingAdapter = {
     });
 
     const configured = account.configured;
+    const callbackUrlConfigured = Boolean(account.config.callbackUrl?.trim());
+    const groupIdConfigured = Boolean(account.config.groupId?.trim());
+    const publicDomainConfigured = Boolean(account.config.publicDomain?.trim());
+
     return {
       channel: "groupme",
       configured,
       statusLines: [
-        `GroupMe (${accountId}): ${configured ? "configured" : "needs botId"}`,
+        `GroupMe (${accountId}): ${configured ? "configured" : "needs access token"}`,
         account.config.accessToken?.trim()
           ? "Access token configured"
-          : "Access token missing (needed for image uploads)",
+          : "Access token missing",
+        callbackUrlConfigured
+          ? "Webhook callback URL configured"
+          : "Webhook callback URL missing",
+        publicDomainConfigured
+          ? "Public domain configured"
+          : "Public domain missing",
+        groupIdConfigured ? "Group ID configured" : "Group ID missing",
       ],
-      selectionHint: configured ? "configured" : "needs bot ID",
+      selectionHint: configured ? "configured" : "needs access token",
       quickstartScore: configured ? 1 : 0,
     };
   },
   configure: async ({ cfg, prompter, accountOverrides }) => {
     const accountId = accountOverrides.groupme ?? DEFAULT_ACCOUNT_ID;
 
-    await prompter.note(
-      [
-        "GroupMe bots are bound to a single group.",
-        "Create a bot at https://dev.groupme.com/bots and copy bot_id + access token.",
-      ].join("\n"),
-      "GroupMe setup",
-    );
-
-    const botId = (
+    const botNameInput = (
       await prompter.text({
-        message: "Bot ID",
-        validate: (value) => (value.trim() ? undefined : "Bot ID is required"),
+        message: "Bot name",
+        initialValue: "openclaw",
       })
     ).trim();
+    const botName = botNameInput || "openclaw";
 
     const accessToken = (
       await prompter.text({
-        message: "Access token",
-        validate: (value) => (value.trim() ? undefined : "Access token is required"),
+        message: "GroupMe access token",
+        validate: (value) =>
+          value.trim() ? undefined : "Access token is required",
       })
     ).trim();
 
-    const botName = (
-      await prompter.text({
-        message: "Bot name (mention fallback)",
-        initialValue: "openclaw",
-      })
-    ).trim();
+    const groupsSpin = prompter.progress("Fetching your GroupMe groups...");
+    let groups: Awaited<ReturnType<typeof fetchGroups>>;
+    try {
+      groups = await fetchGroups(accessToken);
+    } catch {
+      groupsSpin.stop("Failed");
+      await prompter.note(
+        "Could not fetch groups. Check your access token and try again.",
+        "GroupMe setup failed",
+      );
+      throw new Error("Could not fetch groups");
+    }
 
-    const callbackPath = (
-      await prompter.text({
-        message: "Webhook path",
-        initialValue: "/groupme",
-        validate: (value) => (value.trim().startsWith("/") ? undefined : "Path must start with /"),
-      })
-    ).trim();
+    if (groups.length === 0) {
+      groupsSpin.stop("No groups found");
+      await prompter.note(
+        "No groups found. Create or join a GroupMe group first.",
+        "GroupMe setup failed",
+      );
+      throw new Error("No GroupMe groups found");
+    }
+    groupsSpin.stop(`Found ${groups.length} groups`);
 
+    const groupId = await prompter.select<string>({
+      message: "Select a GroupMe group",
+      options: groups.map((group) => ({
+        value: group.id,
+        label: group.name || group.id,
+        hint: group.id,
+      })),
+    });
+    const selectedGroup = groups.find((group) => group.id === groupId);
     const requireMention = await prompter.confirm({
       message: "Require mention to respond?",
       initialValue: true,
     });
+    const publicDomainRaw = (
+      await prompter.text({
+        message: "Public domain (must be reachable — GroupMe will ping it)",
+        validate: (value) => {
+          const trimmed = value.trim();
+          if (!trimmed) {
+            return "Public domain is required";
+          }
+          const normalized = trimmed
+            .replace(/^https?:\/\//, "")
+            .replace(/\/+$/, "");
+          if (!normalized) {
+            return "Public domain is required";
+          }
+          return undefined;
+        },
+      })
+    ).trim();
+    let publicDomain: string;
+    try {
+      if (/^https?:\/\//i.test(publicDomainRaw)) {
+        const url = new URL(publicDomainRaw);
+        publicDomain = url.port ? `${url.hostname}:${url.port}` : url.hostname;
+      } else {
+        const withoutLeadingSlashes = publicDomainRaw.replace(/^\/+/, "");
+        publicDomain = withoutLeadingSlashes.split(/[\/?#]/, 1)[0];
+      }
+    } catch {
+      // Fallback: best-effort stripping of scheme and any path/query/fragment
+      const noScheme = publicDomainRaw.replace(/^https?:\/\//i, "");
+      publicDomain = noScheme.split(/[\/?#]/, 1)[0];
+    }
+
+    const pathSegment = randomBytes(8).toString("hex");
+    const callbackToken = randomBytes(32).toString("hex");
+    const callbackUrl = `/groupme/${pathSegment}?k=${callbackToken}`;
+    await prompter.note(
+      `Generated webhook callback URL: /groupme/${pathSegment}?k=***`,
+      "Generated callback URL",
+    );
+
+    const botSpin = prompter.progress("Registering bot with GroupMe...");
+    let botId = "";
+    try {
+      const bot = await createBot({
+        accessToken,
+        name: botName,
+        groupId,
+        callbackUrl: `https://${publicDomain}${callbackUrl}`,
+      });
+      botId = bot.bot_id;
+      botSpin.stop("Bot registered");
+    } catch (error) {
+      botSpin.stop("Failed");
+      const detail = error instanceof Error ? `\n\nDetails: ${error.message}` : "";
+      await prompter.note(
+        `Failed to register bot with GroupMe. Check your access token and try again.${detail}`,
+        "GroupMe setup failed",
+      );
+      throw new Error("Failed to register GroupMe bot", {
+        cause: error instanceof Error ? error : undefined,
+      });
+    }
+
+    await prompter.note(
+      `Bot "${botName}" registered in group "${selectedGroup?.name ?? groupId}" (bot ID: ${redactMiddle(botId)})`,
+      "GroupMe bot registered",
+    );
 
     const next = applyGroupMeConfig({
       cfg,
       accountId,
       updates: {
-        botId,
-        accessToken,
         botName,
-        callbackPath,
+        accessToken,
+        botId,
+        groupId,
+        publicDomain,
+        callbackUrl,
         requireMention,
       },
     });
@@ -129,9 +230,8 @@ export const groupmeOnboardingAdapter: ChannelOnboardingAdapter = {
     await prompter.note(
       [
         "Next steps:",
-        `1. Set GroupMe callback URL to https://<your-domain>${callbackPath}`,
-        "2. Restart gateway",
-        "3. Send a message in the group to test",
+        "1. Restart the gateway: openclaw gateway restart",
+        "2. Send a message in the group to test",
       ].join("\n"),
       "GroupMe next steps",
     );

package/src/parse.ts

@@ -51,7 +51,7 @@ function parseNumberMatrix(value: unknown): number[][] {
     const parsedRow: number[] = [];
     for (const cell of row) {
       const num = readNumber(cell);
-      if (typeof num !== "number") {
+      if (num === undefined) {
         continue;
       }
       parsedRow.push(num);
@@ -68,7 +68,9 @@ function parseStringArray(value: unknown): string[] {
     return [];
   }
 
-  return value.map((entry) => readString(entry)).filter((entry): entry is string => Boolean(entry));
+  return value
+    .map((entry) => readString(entry))
+    .filter((entry): entry is string => Boolean(entry));
 }
 
 function parseAttachment(entry: unknown): GroupMeAttachment | null {
@@ -86,11 +88,7 @@ function parseAttachment(entry: unknown): GroupMeAttachment | null {
     if (!url) {
       return null;
     }
-    const imageAttachment: GroupMeImageAttachment = {
-      type,
-      url,
-    };
-    return imageAttachment;
+    return { type, url } satisfies GroupMeImageAttachment;
   }
 
   if (type === "location") {
@@ -100,22 +98,15 @@ function parseAttachment(entry: unknown): GroupMeAttachment | null {
     if (!lat || !lng || !name) {
       return null;
     }
-    const locationAttachment: GroupMeLocationAttachment = {
-      type,
-      lat,
-      lng,
-      name,
-    };
-    return locationAttachment;
+    return { type, lat, lng, name } satisfies GroupMeLocationAttachment;
   }
 
   if (type === "mentions") {
-    const mentionsAttachment: GroupMeMentionsAttachment = {
+    return {
       type,
       user_ids: parseStringArray(entry.user_ids),
       loci: parseNumberMatrix(entry.loci),
-    };
-    return mentionsAttachment;
+    } satisfies GroupMeMentionsAttachment;
   }
 
   if (type === "emoji") {
@@ -123,12 +114,11 @@ function parseAttachment(entry: unknown): GroupMeAttachment | null {
     if (!placeholder) {
       return null;
     }
-    const emojiAttachment: GroupMeEmojiAttachment = {
+    return {
       type,
       placeholder,
       charmap: parseNumberMatrix(entry.charmap),
-    };
-    return emojiAttachment;
+    } satisfies GroupMeEmojiAttachment;
   }
 
   return {
@@ -141,18 +131,14 @@ function parseAttachments(value: unknown): GroupMeAttachment[] {
   if (!Array.isArray(value)) {
     return [];
   }
-
-  const attachments: GroupMeAttachment[] = [];
-  for (const entry of value) {
-    const parsed = parseAttachment(entry);
-    if (parsed) {
-      attachments.push(parsed);
-    }
-  }
-  return attachments;
+  return value
+    .map((entry) => parseAttachment(entry))
+    .filter((parsed): parsed is GroupMeAttachment => parsed !== null);
 }
 
-export function parseGroupMeCallback(data: unknown): GroupMeCallbackData | null {
+export function parseGroupMeCallback(
+  data: unknown,
+): GroupMeCallbackData | null {
   if (!isRecord(data)) {
     return null;
   }
@@ -166,7 +152,15 @@ export function parseGroupMeCallback(data: unknown): GroupMeCallbackData | null
   const sourceGuid = readString(data.source_guid);
   const createdAt = readNumber(data.created_at);
 
-  if (!id || !name || !senderType || !senderId || !userId || !groupId || !sourceGuid) {
+  if (
+    !id ||
+    !name ||
+    !senderType ||
+    !senderId ||
+    !userId ||
+    !groupId ||
+    !sourceGuid
+  ) {
     return null;
   }
   if (typeof createdAt !== "number") {
@@ -212,12 +206,17 @@ export function shouldProcessCallback(msg: GroupMeCallbackData): string | null {
 
 export function extractImageUrls(attachments: GroupMeAttachment[]): string[] {
   return attachments
-    .filter((attachment): attachment is GroupMeImageAttachment => attachment.type === "image")
+    .filter(
+      (attachment): attachment is GroupMeImageAttachment =>
+        attachment.type === "image",
+    )
     .map((attachment) => attachment.url);
 }
 
 function normalizeMentionText(text: string): string {
-  return text.replace(/[\u200b-\u200f\u202a-\u202e\u2060-\u206f]/g, "").toLowerCase();
+  return text
+    .replace(/[\u200b-\u200f\u202a-\u202e\u2060-\u206f]/g, "")
+    .toLowerCase();
 }
 
 function buildRegexes(patterns?: string[]): RegExp[] {

package/src/policy.ts

@@ -1,10 +1,13 @@
-import { normalizeGroupMeAllowEntry, normalizeGroupMeUserId } from "./normalize.js";
+import {
+  normalizeGroupMeAllowEntry,
+  normalizeStringId,
+} from "./normalize.js";
 
 export function resolveSenderAccess(params: {
   senderId: string;
   allowFrom?: Array<string | number>;
 }): boolean {
-  const senderId = normalizeGroupMeUserId(params.senderId);
+  const senderId = normalizeStringId(params.senderId);
   if (!senderId) {
     return false;
   }

package/src/rate-limit.ts

@@ -0,0 +1,128 @@
+export type RateLimitCheck =
+  | { kind: "accepted"; release: () => void }
+  | { kind: "rejected"; scope: "ip" | "sender" | "concurrency" };
+
+type SlidingWindowState = Map<string, number[]>;
+const DEFAULT_MAX_TRACKED_KEYS = 10_000;
+
+function allowInWindow(params: {
+  state: SlidingWindowState;
+  key: string;
+  limit: number;
+  windowMs: number;
+  now: number;
+}): boolean {
+  const { state, key, limit, windowMs, now } = params;
+  const current = state.get(key) ?? [];
+  const minTs = now - windowMs;
+  const retained = current.filter((ts) => ts > minTs);
+  if (retained.length >= limit) {
+    state.set(key, retained);
+    return false;
+  }
+  retained.push(now);
+  state.set(key, retained);
+  return true;
+}
+
+export class GroupMeRateLimiter {
+  private readonly windowMs: number;
+  private readonly maxRequestsPerIp: number;
+  private readonly maxRequestsPerSender: number;
+  private readonly maxConcurrent: number;
+  private readonly maxTrackedKeys: number;
+  private readonly byIp: SlidingWindowState = new Map();
+  private readonly bySender: SlidingWindowState = new Map();
+  private inFlight = 0;
+
+  constructor(params: {
+    windowMs: number;
+    maxRequestsPerIp: number;
+    maxRequestsPerSender: number;
+    maxConcurrent: number;
+  }) {
+    this.windowMs = Math.max(1, Math.floor(params.windowMs));
+    this.maxRequestsPerIp = Math.max(1, Math.floor(params.maxRequestsPerIp));
+    this.maxRequestsPerSender = Math.max(
+      1,
+      Math.floor(params.maxRequestsPerSender),
+    );
+    this.maxConcurrent = Math.max(1, Math.floor(params.maxConcurrent));
+    this.maxTrackedKeys = DEFAULT_MAX_TRACKED_KEYS;
+  }
+
+  evaluate(params: { ip: string; senderId: string }, now = Date.now()): RateLimitCheck {
+    const ipKey = params.ip.trim() || "unknown";
+    const senderKey = params.senderId.trim() || "unknown";
+    this.pruneState(this.byIp, now);
+    this.pruneState(this.bySender, now);
+    this.capStateSize(this.byIp);
+    this.capStateSize(this.bySender);
+
+    if (this.inFlight >= this.maxConcurrent) {
+      return { kind: "rejected", scope: "concurrency" };
+    }
+
+    if (
+      !allowInWindow({
+        state: this.byIp,
+        key: ipKey,
+        limit: this.maxRequestsPerIp,
+        windowMs: this.windowMs,
+        now,
+      })
+    ) {
+      return { kind: "rejected", scope: "ip" };
+    }
+    if (
+      !allowInWindow({
+        state: this.bySender,
+        key: senderKey,
+        limit: this.maxRequestsPerSender,
+        windowMs: this.windowMs,
+        now,
+      })
+    ) {
+      return { kind: "rejected", scope: "sender" };
+    }
+
+    this.inFlight += 1;
+    let released = false;
+    return {
+      kind: "accepted",
+      release: () => {
+        if (released) {
+          return;
+        }
+        released = true;
+        this.inFlight = Math.max(0, this.inFlight - 1);
+      },
+    };
+  }
+
+  inflightCount(): number {
+    return this.inFlight;
+  }
+
+  private pruneState(state: SlidingWindowState, now: number) {
+    const minTs = now - this.windowMs;
+    for (const [key, timestamps] of state) {
+      const retained = timestamps.filter((ts) => ts > minTs);
+      if (retained.length === 0) {
+        state.delete(key);
+        continue;
+      }
+      state.set(key, retained);
+    }
+  }
+
+  private capStateSize(state: SlidingWindowState) {
+    while (state.size > this.maxTrackedKeys) {
+      const oldest = state.keys().next().value as string | undefined;
+      if (!oldest) {
+        return;
+      }
+      state.delete(oldest);
+    }
+  }
+}

package/src/replay-cache.ts

@@ -0,0 +1,71 @@
+import { createHash } from "node:crypto";
+import type { GroupMeCallbackData, ReplayCheck } from "./types.js";
+
+type ReplayEntry = {
+  expiresAt: number;
+};
+
+export class GroupMeReplayCache {
+  private readonly ttlMs: number;
+  private readonly maxEntries: number;
+  private readonly entries = new Map<string, ReplayEntry>();
+
+  constructor(params: { ttlSeconds: number; maxEntries: number }) {
+    this.ttlMs = Math.max(1, Math.floor(params.ttlSeconds * 1000));
+    this.maxEntries = Math.max(1, Math.floor(params.maxEntries));
+  }
+
+  checkAndRemember(key: string, now = Date.now()): ReplayCheck {
+    this.pruneExpired(now);
+
+    const existing = this.entries.get(key);
+    if (existing && existing.expiresAt > now) {
+      return { kind: "duplicate", key };
+    }
+
+    this.entries.delete(key);
+    this.entries.set(key, { expiresAt: now + this.ttlMs });
+    this.evictOverflow();
+    return { kind: "accepted", key };
+  }
+
+  size(): number {
+    return this.entries.size;
+  }
+
+  private pruneExpired(now: number) {
+    for (const [key, entry] of this.entries) {
+      if (entry.expiresAt > now) {
+        continue;
+      }
+      this.entries.delete(key);
+    }
+  }
+
+  private evictOverflow() {
+    while (this.entries.size > this.maxEntries) {
+      const oldest = this.entries.keys().next().value as string | undefined;
+      if (!oldest) {
+        return;
+      }
+      this.entries.delete(oldest);
+    }
+  }
+}
+
+export function buildReplayKey(message: GroupMeCallbackData): string {
+  const id = message.id.trim();
+  if (id) {
+    return `id:${id}`;
+  }
+  const sourceGuid = message.sourceGuid.trim();
+  if (sourceGuid) {
+    return `source_guid:${sourceGuid}`;
+  }
+  const fallback = createHash("sha256")
+    .update(
+      `${message.groupId}\u0000${message.senderId}\u0000${message.createdAt}\u0000${message.text}`,
+    )
+    .digest("hex");
+  return `fallback:${fallback}`;
+}