fix(twitch): enforce allowFrom allowlist

Peter Steinberger
2026-02-02 00:16:22 +00:00
parent aa2eb48b9c
commit 8c7901c984
4 changed files with 24 additions and 16 deletions


@@ -135,7 +135,7 @@ describe("checkTwitchAccessControl", () => {
expect(result.matchSource).toBe("allowlist");
});
it("allows users not in allowlist via fallback (open access)", () => {
it("blocks users not in allowlist when allowFrom is set", () => {
const account: TwitchAccountConfig = {
...mockAccount,
allowFrom: ["789012"],
@@ -150,8 +150,8 @@ describe("checkTwitchAccessControl", () => {
account,
botUsername: "testbot",
});
// Falls through to final fallback since allowedRoles is not set
expect(result.allowed).toBe(true);
expect(result.allowed).toBe(false);
expect(result.reason).toContain("allowFrom");
});
it("blocks messages without userId", () => {
@@ -194,7 +194,7 @@ describe("checkTwitchAccessControl", () => {
expect(result.allowed).toBe(true);
});
it("allows user with role even if not in allowlist", () => {
it("blocks user with role when not in allowlist", () => {
const account: TwitchAccountConfig = {
...mockAccount,
allowFrom: ["789012"],
@@ -212,11 +212,11 @@ describe("checkTwitchAccessControl", () => {
account,
botUsername: "testbot",
});
expect(result.allowed).toBe(true);
expect(result.matchSource).toBe("role");
expect(result.allowed).toBe(false);
expect(result.reason).toContain("allowFrom");
});
it("blocks user with neither allowlist nor role", () => {
it("blocks user not in allowlist even when roles configured", () => {
const account: TwitchAccountConfig = {
...mockAccount,
allowFrom: ["789012"],
@@ -235,7 +235,7 @@ describe("checkTwitchAccessControl", () => {
botUsername: "testbot",
});
expect(result.allowed).toBe(false);
expect(result.reason).toContain("does not have any of the required roles");
expect(result.reason).toContain("allowFrom");
});
});
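Review bot: None of the updated cases covers an empty `allowFrom: []`, which is the boundary that decides whether the new hard allowlist fails closed or open. The guard that decides when `allowFrom` counts as "set" is outside the visible hunks; if it mirrors the `allowedRoles && allowedRoles.length > 0` check, an emptied list would skip the allowlist and reach the role check or the final fallback that the removed test described as open access. I would add a case such as `it("handles an empty allowFrom list explicitly", () => { ... })` that asserts the intended `result.allowed` value. The same choice should be stated in the `allowFrom` note of the `checkTwitchAccessControl` docstring changed in the other file, which currently says only "When set".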


@@ -19,10 +19,10 @@ export type TwitchAccessControlResult = {
* Priority order:
* 1. If `requireMention` is true, message must mention the bot
* 2. If `allowFrom` is set, sender must be in the allowlist (by user ID)
* 3. If `allowedRoles` is set, sender must have at least one of the specified roles
* 3. If `allowedRoles` is set (and `allowFrom` is not), sender must have at least one role
*
* Note: You can combine `allowFrom` with `allowedRoles`. If a user is in `allowFrom`,
* they bypass role checks. This is useful for allowing specific users regardless of role.
* Note: `allowFrom` is a hard allowlist. When set, only those user IDs are allowed.
* Use `allowedRoles` as an alternative when you don't want to maintain an allowlist.
*
* Available roles:
* - "moderator": Moderators
@@ -66,6 +66,11 @@ export function checkTwitchAccessControl(params: {
matchSource: "allowlist",
};
}
return {
allowed: false,
reason: "sender is not in allowFrom allowlist",
};
}
if (account.allowedRoles && account.allowedRoles.length > 0) {
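Review bot: With the new early deny in the `allowFrom` branch, `allowedRoles` is silently ignored whenever both are configured, so accounts that relied on the previously documented combination lose role-based access with nothing pointing at the cause. The docstring now says this, but the runtime reason does not; I would make it explicit, e.g. `reason: "sender is not in allowFrom allowlist (allowedRoles is not consulted while allowFrom is set)",`, which still satisfies the `toContain("allowFrom")` assertions. A warning at config load when both fields are non-empty would help operators as well, though that belongs outside this hunk. The body of `checkTwitchAccessControl` starts and ends outside the hunk, so the condition guarding this branch is not visible here.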