fix(security): scope session tools and webhook secret fallback

2026-05-08 03:51:25 +00:00 · 2026-02-16 03:43:51 +01:00
parent fbe6d7c701
commit c6c53437f7
21 changed files with 796 additions and 22 deletions
--- a/src/telegram/monitor.test.ts
+++ b/src/telegram/monitor.test.ts
@@ -219,4 +219,27 @@ describe("monitorTelegramProvider (grammY)", () => {
    );
    expect(runSpy).not.toHaveBeenCalled();
  });
+
+  it("falls back to configured webhookSecret when not passed explicitly", async () => {
+    await monitorTelegramProvider({
+      token: "tok",
+      useWebhook: true,
+      webhookUrl: "https://example.test/telegram",
+      config: {
+        agents: { defaults: { maxConcurrent: 2 } },
+        channels: {
+          telegram: {
+            webhookSecret: "secret-from-config",
+          },
+        },
+      },
+    });
+
+    expect(startTelegramWebhookSpy).toHaveBeenCalledWith(
+      expect.objectContaining({
+        secret: "secret-from-config",
+      }),
+    );
+    expect(runSpy).not.toHaveBeenCalled();
+  });
 });
--- a/src/telegram/monitor.ts
+++ b/src/telegram/monitor.ts
@@ -158,7 +158,7 @@ export async function monitorTelegramProvider(opts: MonitorTelegramOpts = {}) {
        config: cfg,
        path: opts.webhookPath,
        port: opts.webhookPort,
-        secret: opts.webhookSecret,
+        secret: opts.webhookSecret ?? account.config.webhookSecret,
        host: opts.webhookHost ?? account.config.webhookHost,
        runtime: opts.runtime as RuntimeEnv,
        fetch: proxyFetch,