mirror of
https://github.com/openclaw/openclaw.git
synced 2026-05-10 16:34:59 +00:00
refactor: simplify telegram event authorization flow
This commit is contained in:
Peter Steinberger
@@ -17,6 +17,7 @@ import { resolveChannelConfigWrites } from "../channels/plugins/config-writes.js
|
||||
import { loadConfig } from "../config/config.js";
|
||||
import { writeConfigFile } from "../config/io.js";
|
||||
import { loadSessionStore, resolveStorePath } from "../config/sessions.js";
|
||||
import type { DmPolicy } from "../config/types.base.js";
|
||||
import type { TelegramGroupConfig, TelegramTopicConfig } from "../config/types.js";
|
||||
import { danger, logVerbose, warn } from "../globals.js";
|
||||
import { enqueueSystemEvent } from "../infra/system-events.js";
|
||||
@@ -507,54 +508,87 @@ export const registerTelegramHandlers = ({
|
||||
return false;
|
||||
};
|
||||
|
||||
const isTelegramEventSenderAuthorized = async (params: {
|
||||
type TelegramGroupAllowContext = Awaited<ReturnType<typeof resolveTelegramGroupAllowFromContext>>;
|
||||
type TelegramEventAuthorizationMode = "reaction" | "callback-scope" | "callback-allowlist";
|
||||
type TelegramEventAuthorizationResult = { allowed: true } | { allowed: false; reason: string };
|
||||
type TelegramEventAuthorizationContext = TelegramGroupAllowContext & { dmPolicy: DmPolicy };
|
||||
|
||||
const TELEGRAM_EVENT_AUTH_RULES: Record<
|
||||
TelegramEventAuthorizationMode,
|
||||
{
|
||||
enforceDirectAuthorization: boolean;
|
||||
enforceGroupAllowlistAuthorization: boolean;
|
||||
deniedDmReason: string;
|
||||
deniedGroupReason: string;
|
||||
}
|
||||
> = {
|
||||
reaction: {
|
||||
enforceDirectAuthorization: true,
|
||||
enforceGroupAllowlistAuthorization: false,
|
||||
deniedDmReason: "reaction unauthorized by dm policy/allowlist",
|
||||
deniedGroupReason: "reaction unauthorized by group allowlist",
|
||||
},
|
||||
"callback-scope": {
|
||||
enforceDirectAuthorization: false,
|
||||
enforceGroupAllowlistAuthorization: false,
|
||||
deniedDmReason: "callback unauthorized by inlineButtonsScope",
|
||||
deniedGroupReason: "callback unauthorized by inlineButtonsScope",
|
||||
},
|
||||
"callback-allowlist": {
|
||||
enforceDirectAuthorization: true,
|
||||
enforceGroupAllowlistAuthorization: true,
|
||||
deniedDmReason: "callback unauthorized by inlineButtonsScope allowlist",
|
||||
deniedGroupReason: "callback unauthorized by inlineButtonsScope allowlist",
|
||||
},
|
||||
};
|
||||
|
||||
const resolveTelegramEventAuthorizationContext = async (params: {
|
||||
chatId: number;
|
||||
chatTitle?: string;
|
||||
isGroup: boolean;
|
||||
isForum: boolean;
|
||||
messageThreadId?: number;
|
||||
senderId: string;
|
||||
senderUsername: string;
|
||||
enforceDirectAuthorization: boolean;
|
||||
enforceGroupAllowlistAuthorization: boolean;
|
||||
deniedDmReason: string;
|
||||
deniedGroupReason: string;
|
||||
groupAllowContext?: Awaited<ReturnType<typeof resolveTelegramGroupAllowFromContext>>;
|
||||
}) => {
|
||||
const {
|
||||
chatId,
|
||||
chatTitle,
|
||||
isGroup,
|
||||
isForum,
|
||||
messageThreadId,
|
||||
senderId,
|
||||
senderUsername,
|
||||
enforceDirectAuthorization,
|
||||
enforceGroupAllowlistAuthorization,
|
||||
deniedDmReason,
|
||||
deniedGroupReason,
|
||||
groupAllowContext: preResolvedGroupAllowContext,
|
||||
} = params;
|
||||
groupAllowContext?: TelegramGroupAllowContext;
|
||||
}): Promise<TelegramEventAuthorizationContext> => {
|
||||
const dmPolicy = telegramCfg.dmPolicy ?? "pairing";
|
||||
const groupAllowContext =
|
||||
preResolvedGroupAllowContext ??
|
||||
params.groupAllowContext ??
|
||||
(await resolveTelegramGroupAllowFromContext({
|
||||
chatId,
|
||||
chatId: params.chatId,
|
||||
accountId,
|
||||
dmPolicy,
|
||||
isForum,
|
||||
messageThreadId,
|
||||
isForum: params.isForum,
|
||||
messageThreadId: params.messageThreadId,
|
||||
groupAllowFrom,
|
||||
resolveTelegramGroupConfig,
|
||||
}));
|
||||
return { dmPolicy, ...groupAllowContext };
|
||||
};
|
||||
|
||||
const authorizeTelegramEventSender = (params: {
|
||||
chatId: number;
|
||||
chatTitle?: string;
|
||||
isGroup: boolean;
|
||||
senderId: string;
|
||||
senderUsername: string;
|
||||
mode: TelegramEventAuthorizationMode;
|
||||
context: TelegramEventAuthorizationContext;
|
||||
}): TelegramEventAuthorizationResult => {
|
||||
const { chatId, chatTitle, isGroup, senderId, senderUsername, mode, context } = params;
|
||||
const {
|
||||
dmPolicy,
|
||||
resolvedThreadId,
|
||||
storeAllowFrom,
|
||||
groupConfig,
|
||||
topicConfig,
|
||||
effectiveGroupAllow,
|
||||
hasGroupAllowOverride,
|
||||
} = groupAllowContext;
|
||||
} = context;
|
||||
const authRules = TELEGRAM_EVENT_AUTH_RULES[mode];
|
||||
const {
|
||||
enforceDirectAuthorization,
|
||||
enforceGroupAllowlistAuthorization,
|
||||
deniedDmReason,
|
||||
deniedGroupReason,
|
||||
} = authRules;
|
||||
if (
|
||||
shouldSkipGroupMessage({
|
||||
isGroup,
|
||||
@@ -569,7 +603,7 @@ export const registerTelegramHandlers = ({
|
||||
topicConfig,
|
||||
})
|
||||
) {
|
||||
return false;
|
||||
return { allowed: false, reason: "group-policy" };
|
||||
}
|
||||
|
||||
if (!isGroup && enforceDirectAuthorization) {
|
||||
@@ -577,7 +611,7 @@ export const registerTelegramHandlers = ({
|
||||
logVerbose(
|
||||
`Blocked telegram direct event from ${senderId || "unknown"} (${deniedDmReason})`,
|
||||
);
|
||||
return false;
|
||||
return { allowed: false, reason: "direct-disabled" };
|
||||
}
|
||||
if (dmPolicy !== "open") {
|
||||
const effectiveDmAllow = normalizeAllowFromWithStore({
|
||||
@@ -587,17 +621,17 @@ export const registerTelegramHandlers = ({
|
||||
});
|
||||
if (!isAllowlistAuthorized(effectiveDmAllow, senderId, senderUsername)) {
|
||||
logVerbose(`Blocked telegram direct sender ${senderId || "unknown"} (${deniedDmReason})`);
|
||||
return false;
|
||||
return { allowed: false, reason: "direct-unauthorized" };
|
||||
}
|
||||
}
|
||||
}
|
||||
if (isGroup && enforceGroupAllowlistAuthorization) {
|
||||
if (!isAllowlistAuthorized(effectiveGroupAllow, senderId, senderUsername)) {
|
||||
logVerbose(`Blocked telegram group sender ${senderId || "unknown"} (${deniedGroupReason})`);
|
||||
return false;
|
||||
return { allowed: false, reason: "group-unauthorized" };
|
||||
}
|
||||
}
|
||||
return true;
|
||||
return { allowed: true };
|
||||
};
|
||||
|
||||
// Handle emoji reactions to messages.
|
||||
@@ -630,19 +664,20 @@ export const registerTelegramHandlers = ({
|
||||
if (reactionMode === "own" && !wasSentByBot(chatId, messageId)) {
|
||||
return;
|
||||
}
|
||||
const senderAuthorized = await isTelegramEventSenderAuthorized({
|
||||
const eventAuthContext = await resolveTelegramEventAuthorizationContext({
|
||||
chatId,
|
||||
isForum,
|
||||
});
|
||||
const senderAuthorization = authorizeTelegramEventSender({
|
||||
chatId,
|
||||
chatTitle: reaction.chat.title,
|
||||
isGroup,
|
||||
isForum,
|
||||
senderId,
|
||||
senderUsername,
|
||||
enforceDirectAuthorization: true,
|
||||
enforceGroupAllowlistAuthorization: false,
|
||||
deniedDmReason: "reaction unauthorized by dm policy/allowlist",
|
||||
deniedGroupReason: "reaction unauthorized by group allowlist",
|
||||
mode: "reaction",
|
||||
context: eventAuthContext,
|
||||
});
|
||||
if (!senderAuthorized) {
|
||||
if (!senderAuthorization.allowed) {
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -965,33 +1000,26 @@ export const registerTelegramHandlers = ({
|
||||
|
||||
const messageThreadId = callbackMessage.message_thread_id;
|
||||
const isForum = callbackMessage.chat.is_forum === true;
|
||||
const groupAllowContext = await resolveTelegramGroupAllowFromContext({
|
||||
const eventAuthContext = await resolveTelegramEventAuthorizationContext({
|
||||
chatId,
|
||||
accountId,
|
||||
dmPolicy: telegramCfg.dmPolicy ?? "pairing",
|
||||
isForum,
|
||||
messageThreadId,
|
||||
groupAllowFrom,
|
||||
resolveTelegramGroupConfig,
|
||||
});
|
||||
const { resolvedThreadId, storeAllowFrom } = groupAllowContext;
|
||||
const { resolvedThreadId, storeAllowFrom } = eventAuthContext;
|
||||
const senderId = callback.from?.id ? String(callback.from.id) : "";
|
||||
const senderUsername = callback.from?.username ?? "";
|
||||
const senderAuthorized = await isTelegramEventSenderAuthorized({
|
||||
const authorizationMode: TelegramEventAuthorizationMode =
|
||||
inlineButtonsScope === "allowlist" ? "callback-allowlist" : "callback-scope";
|
||||
const senderAuthorization = authorizeTelegramEventSender({
|
||||
chatId,
|
||||
chatTitle: callbackMessage.chat.title,
|
||||
isGroup,
|
||||
isForum,
|
||||
messageThreadId,
|
||||
senderId,
|
||||
senderUsername,
|
||||
enforceDirectAuthorization: inlineButtonsScope === "allowlist",
|
||||
enforceGroupAllowlistAuthorization: inlineButtonsScope === "allowlist",
|
||||
deniedDmReason: "callback unauthorized by inlineButtonsScope allowlist",
|
||||
deniedGroupReason: "callback unauthorized by inlineButtonsScope allowlist",
|
||||
groupAllowContext,
|
||||
mode: authorizationMode,
|
||||
context: eventAuthContext,
|
||||
});
|
||||
if (!senderAuthorized) {
|
||||
if (!senderAuthorization.allowed) {
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -1230,25 +1258,20 @@ export const registerTelegramHandlers = ({
|
||||
if (shouldSkipUpdate(event.ctxForDedupe)) {
|
||||
return;
|
||||
}
|
||||
const dmPolicy = telegramCfg.dmPolicy ?? "pairing";
|
||||
|
||||
const groupAllowContext = await resolveTelegramGroupAllowFromContext({
|
||||
const eventAuthContext = await resolveTelegramEventAuthorizationContext({
|
||||
chatId: event.chatId,
|
||||
accountId,
|
||||
dmPolicy,
|
||||
isForum: event.isForum,
|
||||
messageThreadId: event.messageThreadId,
|
||||
groupAllowFrom,
|
||||
resolveTelegramGroupConfig,
|
||||
});
|
||||
const {
|
||||
dmPolicy,
|
||||
resolvedThreadId,
|
||||
storeAllowFrom,
|
||||
groupConfig,
|
||||
topicConfig,
|
||||
effectiveGroupAllow,
|
||||
hasGroupAllowOverride,
|
||||
} = groupAllowContext;
|
||||
} = eventAuthContext;
|
||||
const effectiveDmAllow = normalizeAllowFromWithStore({
|
||||
allowFrom,
|
||||
storeAllowFrom,
|
||||
|
||||
Reference in New Issue
Block a user