refactor(security): enforce account-scoped pairing APIs

Peter Steinberger
2026-02-26 21:57:10 +01:00
parent a0c5e28f3b
commit bce643a0bd
27 changed files with 331 additions and 94 deletions


@@ -25,12 +25,9 @@ import { enqueueSystemEvent } from "../../infra/system-events.js";
import { logDebug } from "../../logger.js";
import { getChildLogger } from "../../logging.js";
import { buildPairingReply } from "../../pairing/pairing-messages.js";
import {
readChannelAllowFromStore,
upsertChannelPairingRequest,
} from "../../pairing/pairing-store.js";
import { upsertChannelPairingRequest } from "../../pairing/pairing-store.js";
import { resolveAgentRoute } from "../../routing/resolve-route.js";
import { resolveAgentIdFromSessionKey } from "../../routing/session-key.js";
import { DEFAULT_ACCOUNT_ID, resolveAgentIdFromSessionKey } from "../../routing/session-key.js";
import { readStoreAllowFromForDmPolicy } from "../../security/dm-policy-shared.js";
import { fetchPluralKitMessageInfo } from "../pluralkit.js";
import { sendMessageDiscord } from "../send.js";
@@ -177,6 +174,7 @@ export async function preflightDiscordMessage(
}
const dmPolicy = params.discordConfig?.dmPolicy ?? params.discordConfig?.dm?.policy ?? "pairing";
const resolvedAccountId = params.accountId ?? DEFAULT_ACCOUNT_ID;
let commandAuthorized = true;
if (isDirectMessage) {
if (dmPolicy === "disabled") {
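Review bot: `const resolvedAccountId = params.accountId ?? DEFAULT_ACCOUNT_ID;` only falls back when `params.accountId` is null or undefined, so an empty or otherwise unnormalised id is passed unchanged to `readStoreAllowFromForDmPolicy` and `upsertChannelPairingRequest` in the two later hunks. If the pairing store keys on a normalised account id (not visible in this view), the allowlist read and the pairing-request write could land under a different scope than the one an approval was recorded in, so the value should go through the same normalisation the store applies. The silent fallback also hides callers that were not updated to pass `accountId`, because they quietly share the default account's allowlist; a `logDebug` call when the fallback is taken would make those visible. A comment at the declaration would document the intent, e.g. `// Account scope for pairing allowlist reads and pairing-request writes; a missing id means the default account.` The body of preflightDiscordMessage starts and ends outside this hunk.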
@@ -186,8 +184,8 @@ export async function preflightDiscordMessage(
if (dmPolicy !== "open") {
const storeAllowFrom = await readStoreAllowFromForDmPolicy({
provider: "discord",
accountId: resolvedAccountId,
dmPolicy,
readStore: (provider) => readChannelAllowFromStore(provider),
});
const effectiveAllowFrom = [...(params.allowFrom ?? []), ...storeAllowFrom];
const allowList = normalizeDiscordAllowList(effectiveAllowFrom, ["discord:", "user:", "pk:"]);
@@ -210,6 +208,7 @@ export async function preflightDiscordMessage(
const { code, created } = await upsertChannelPairingRequest({
channel: "discord",
id: author.id,
accountId: resolvedAccountId,
meta: {
tag: formatDiscordUserTag(author),
name: author.username ?? undefined,