Security: require Feishu webhook encrypt key (#44087)

* Feishu: require webhook encrypt key in schema * Feishu: cover encrypt key webhook validation * Feishu: enforce encrypt key at startup * Feishu: add webhook forgery regression test * Feishu: collect encrypt key during onboarding * Docs: require Feishu webhook encrypt key * Changelog: note Feishu webhook hardening * Docs: clarify Feishu encrypt key screenshot * Feishu: treat webhook encrypt key as secret input * Feishu: resolve encrypt key only in webhook mode
2026-04-28 18:18:37 +00:00 · 2026-03-12 11:01:00 -04:00
parent 99170e2408
commit 7844bc89a1
13 changed files with 254 additions and 18 deletions
--- a/extensions/feishu/src/config-schema.test.ts
+++ b/extensions/feishu/src/config-schema.test.ts
@@ -47,7 +47,7 @@ describe("FeishuConfigSchema webhook validation", () => {
    }
  });

-  it("accepts top-level webhook mode with verificationToken", () => {
+  it("rejects top-level webhook mode without encryptKey", () => {
    const result = FeishuConfigSchema.safeParse({
      connectionMode: "webhook",
      verificationToken: "token_top",
@@ -55,6 +55,21 @@ describe("FeishuConfigSchema webhook validation", () => {
      appSecret: "secret_top", // pragma: allowlist secret
    });

+    expect(result.success).toBe(false);
+    if (!result.success) {
+      expect(result.error.issues.some((issue) => issue.path.join(".") === "encryptKey")).toBe(true);
+    }
+  });
+
+  it("accepts top-level webhook mode with verificationToken and encryptKey", () => {
+    const result = FeishuConfigSchema.safeParse({
+      connectionMode: "webhook",
+      verificationToken: "token_top",
+      encryptKey: "encrypt_top",
+      appId: "cli_top",
+      appSecret: "secret_top", // pragma: allowlist secret
+    });
+
    expect(result.success).toBe(true);
  });

@@ -79,9 +94,30 @@ describe("FeishuConfigSchema webhook validation", () => {
    }
  });

-  it("accepts account webhook mode inheriting top-level verificationToken", () => {
+  it("rejects account webhook mode without encryptKey", () => {
+    const result = FeishuConfigSchema.safeParse({
+      accounts: {
+        main: {
+          connectionMode: "webhook",
+          verificationToken: "token_main",
+          appId: "cli_main",
+          appSecret: "secret_main", // pragma: allowlist secret
+        },
+      },
+    });
+
+    expect(result.success).toBe(false);
+    if (!result.success) {
+      expect(
+        result.error.issues.some((issue) => issue.path.join(".") === "accounts.main.encryptKey"),
+      ).toBe(true);
+    }
+  });
+
+  it("accepts account webhook mode inheriting top-level verificationToken and encryptKey", () => {
    const result = FeishuConfigSchema.safeParse({
      verificationToken: "token_top",
+      encryptKey: "encrypt_top",
      accounts: {
        main: {
          connectionMode: "webhook",
@@ -102,6 +138,31 @@ describe("FeishuConfigSchema webhook validation", () => {
        provider: "default",
        id: "FEISHU_VERIFICATION_TOKEN",
      },
+      encryptKey: "encrypt_top",
+      appId: "cli_top",
+      appSecret: {
+        source: "env",
+        provider: "default",
+        id: "FEISHU_APP_SECRET",
+      },
+    });
+
+    expect(result.success).toBe(true);
+  });
+
+  it("accepts SecretRef encryptKey in webhook mode", () => {
+    const result = FeishuConfigSchema.safeParse({
+      connectionMode: "webhook",
+      verificationToken: {
+        source: "env",
+        provider: "default",
+        id: "FEISHU_VERIFICATION_TOKEN",
+      },
+      encryptKey: {
+        source: "env",
+        provider: "default",
+        id: "FEISHU_ENCRYPT_KEY",
+      },
      appId: "cli_top",
      appSecret: {
        source: "env",