fix(feishu): enforce id-only allowlist matching

extensions/feishu/src/policy.test.ts

@@ -0,0 +1,59 @@
+import { describe, expect, it } from "vitest";
+import { isFeishuGroupAllowed, resolveFeishuAllowlistMatch } from "./policy.js";
+
+describe("feishu policy", () => {
+  describe("resolveFeishuAllowlistMatch", () => {
+    it("allows wildcard", () => {
+      expect(
+        resolveFeishuAllowlistMatch({
+          allowFrom: ["*"],
+          senderId: "ou-attacker",
+        }),
+      ).toEqual({ allowed: true, matchKey: "*", matchSource: "wildcard" });
+    });
+
+    it("matches normalized ID entries", () => {
+      expect(
+        resolveFeishuAllowlistMatch({
+          allowFrom: ["feishu:user:OU_ALLOWED"],
+          senderId: "ou_allowed",
+        }),
+      ).toEqual({ allowed: true, matchKey: "ou_allowed", matchSource: "id" });
+    });
+
+    it("supports user_id as an additional immutable sender candidate", () => {
+      expect(
+        resolveFeishuAllowlistMatch({
+          allowFrom: ["on_user_123"],
+          senderId: "ou_other",
+          senderIds: ["on_user_123"],
+        }),
+      ).toEqual({ allowed: true, matchKey: "on_user_123", matchSource: "id" });
+    });
+
+    it("does not authorize based on display-name collision", () => {
+      const victimOpenId = "ou_4f4ec5aa111122223333444455556666";
+
+      expect(
+        resolveFeishuAllowlistMatch({
+          allowFrom: [victimOpenId],
+          senderId: "ou_attacker_real_open_id",
+          senderIds: ["on_attacker_user_id"],
+          senderName: victimOpenId,
+        }),
+      ).toEqual({ allowed: false });
+    });
+  });
+
+  describe("isFeishuGroupAllowed", () => {
+    it("matches group IDs with chat: prefix", () => {
+      expect(
+        isFeishuGroupAllowed({
+          groupPolicy: "allowlist",
+          allowFrom: ["chat:oc_group_123"],
+          senderId: "oc_group_123",
+        }),
+      ).toBe(true);
+    });
+  });
+});