fix(telegram): block unauthorized DM media downloads

2026-05-11 15:13:43 +00:00 · 2026-02-24 23:43:37 +00:00
parent 5a64f6d766
commit 9514201fb9
8 changed files with 295 additions and 93 deletions
--- a/src/telegram/bot-message-context.ts
+++ b/src/telegram/bot-message-context.ts
@@ -33,17 +33,10 @@ import { readSessionUpdatedAt, resolveStorePath } from "../config/sessions.js";
 import type { DmPolicy, TelegramGroupConfig, TelegramTopicConfig } from "../config/types.js";
 import { logVerbose, shouldLogVerbose } from "../globals.js";
 import { recordChannelActivity } from "../infra/channel-activity.js";
-import { buildPairingReply } from "../pairing/pairing-messages.js";
-import { upsertChannelPairingRequest } from "../pairing/pairing-store.js";
 import { resolveAgentRoute } from "../routing/resolve-route.js";
 import { resolveThreadSessionKeys } from "../routing/session-key.js";
 import { withTelegramApiErrorLogging } from "./api-logging.js";
-import {
-  firstDefined,
-  isSenderAllowed,
-  normalizeAllowFromWithStore,
-  resolveSenderAllowMatch,
-} from "./bot-access.js";
+import { firstDefined, isSenderAllowed, normalizeAllowFromWithStore } from "./bot-access.js";
 import {
  buildGroupLabel,
  buildSenderLabel,
@@ -61,6 +54,7 @@ import {
  resolveTelegramThreadSpec,
 } from "./bot/helpers.js";
 import type { StickerMetadata, TelegramContext } from "./bot/types.js";
+import { enforceTelegramDmAccess } from "./dm-access.js";
 import { evaluateTelegramGroupBaseAccess } from "./group-access.js";
 import { resolveTelegramGroupPromptSettings } from "./group-config-helpers.js";
 import {
@@ -159,11 +153,6 @@ export const buildTelegramMessageContext = async ({
  resolveTelegramGroupConfig,
 }: BuildTelegramMessageContextParams) => {
  const msg = primaryCtx.message;
-  recordChannelActivity({
-    channel: "telegram",
-    accountId: account.accountId,
-    direction: "inbound",
-  });
  const chatId = msg.chat.id;
  const isGroup = msg.chat.type === "group" || msg.chat.type === "supergroup";
  const messageThreadId = (msg as { message_thread_id?: number }).message_thread_id;
@@ -268,87 +257,27 @@ export const buildTelegramMessageContext = async ({
    }
  };

-  // DM access control (secure defaults): "pairing" (default) / "allowlist" / "open" / "disabled"
-  if (!isGroup) {
-    if (dmPolicy === "disabled") {
-      return null;
-    }
-
-    if (dmPolicy !== "open") {
-      const senderUsername = msg.from?.username ?? "";
-      const senderUserId = msg.from?.id != null ? String(msg.from.id) : null;
-      const candidate = senderUserId ?? String(chatId);
-      const allowMatch = resolveSenderAllowMatch({
-        allow: effectiveDmAllow,
-        senderId: candidate,
-        senderUsername,
-      });
-      const allowMatchMeta = `matchKey=${allowMatch.matchKey ?? "none"} matchSource=${
-        allowMatch.matchSource ?? "none"
-      }`;
-      const allowed =
-        effectiveDmAllow.hasWildcard || (effectiveDmAllow.hasEntries && allowMatch.allowed);
-      if (!allowed) {
-        if (dmPolicy === "pairing") {
-          try {
-            const from = msg.from as
-              | {
-                  first_name?: string;
-                  last_name?: string;
-                  username?: string;
-                  id?: number;
-                }
-              | undefined;
-            const telegramUserId = from?.id ? String(from.id) : candidate;
-            const { code, created } = await upsertChannelPairingRequest({
-              channel: "telegram",
-              id: telegramUserId,
-              accountId: account.accountId,
-              meta: {
-                username: from?.username,
-                firstName: from?.first_name,
-                lastName: from?.last_name,
-              },
-            });
-            if (created) {
-              logger.info(
-                {
-                  chatId: String(chatId),
-                  senderUserId: senderUserId ?? undefined,
-                  username: from?.username,
-                  firstName: from?.first_name,
-                  lastName: from?.last_name,
-                  matchKey: allowMatch.matchKey ?? "none",
-                  matchSource: allowMatch.matchSource ?? "none",
-                },
-                "telegram pairing request",
-              );
-              await withTelegramApiErrorLogging({
-                operation: "sendMessage",
-                fn: () =>
-                  bot.api.sendMessage(
-                    chatId,
-                    buildPairingReply({
-                      channel: "telegram",
-                      idLine: `Your Telegram user id: ${telegramUserId}`,
-                      code,
-                    }),
-                  ),
-              });
-            }
-          } catch (err) {
-            logVerbose(`telegram pairing reply failed for chat ${chatId}: ${String(err)}`);
-          }
-        } else {
-          logVerbose(
-            `Blocked unauthorized telegram sender ${candidate} (dmPolicy=${dmPolicy}, ${allowMatchMeta})`,
-          );
-        }
-        return null;
-      }
-    }
+  if (
+    !(await enforceTelegramDmAccess({
+      isGroup,
+      dmPolicy,
+      msg,
+      chatId,
+      effectiveDmAllow,
+      accountId: account.accountId,
+      bot,
+      logger,
+    }))
+  ) {
+    return null;
  }

+  recordChannelActivity({
+    channel: "telegram",
+    accountId: account.accountId,
+    direction: "inbound",
+  });
+
  const botUsername = primaryCtx.me?.username?.toLowerCase();
  const allowForCommands = isGroup ? effectiveGroupAllow : effectiveDmAllow;
  const senderAllowedForCommands = isSenderAllowed({