fix: harden webhook auth-before-body handling

2026-05-09 19:14:33 +00:00 · 2026-03-02 17:20:46 +00:00
parent dded569626
commit d3e8b17aa6
15 changed files with 789 additions and 251 deletions
--- a/src/line/webhook-node.test.ts
+++ b/src/line/webhook-node.test.ts
@@ -126,6 +126,31 @@ describe("createLineNodeWebhookHandler", () => {
    expect(bot.handleWebhook).not.toHaveBeenCalled();
  });

+  it("uses strict pre-auth limits for signed POST requests", async () => {
+    const rawBody = JSON.stringify({ events: [{ type: "message" }] });
+    const bot = { handleWebhook: vi.fn(async () => {}) };
+    const runtime = { log: vi.fn(), error: vi.fn(), exit: vi.fn() };
+    const readBody = vi.fn(async (_req: IncomingMessage, maxBytes: number, timeoutMs?: number) => {
+      expect(maxBytes).toBe(64 * 1024);
+      expect(timeoutMs).toBe(5_000);
+      return rawBody;
+    });
+    const handler = createLineNodeWebhookHandler({
+      channelSecret: "secret",
+      bot,
+      runtime,
+      readBody,
+      maxBodyBytes: 1024 * 1024,
+    });
+
+    const { res } = createRes();
+    await runSignedPost({ handler, rawBody, secret: "secret", res });
+
+    expect(res.statusCode).toBe(200);
+    expect(readBody).toHaveBeenCalledTimes(1);
+    expect(bot.handleWebhook).toHaveBeenCalledTimes(1);
+  });
+
  it("rejects invalid signature", async () => {
    const rawBody = JSON.stringify({ events: [{ type: "message" }] });
    const { bot, handler } = createPostWebhookTestHarness(rawBody);
--- a/src/line/webhook-node.ts
+++ b/src/line/webhook-node.ts
@@ -11,20 +11,22 @@ import { validateLineSignature } from "./signature.js";
 import { isLineWebhookVerificationRequest, parseLineWebhookBody } from "./webhook-utils.js";

 const LINE_WEBHOOK_MAX_BODY_BYTES = 1024 * 1024;
+const LINE_WEBHOOK_PREAUTH_MAX_BODY_BYTES = 64 * 1024;
 const LINE_WEBHOOK_UNSIGNED_MAX_BODY_BYTES = 4 * 1024;
-const LINE_WEBHOOK_BODY_TIMEOUT_MS = 30_000;
+const LINE_WEBHOOK_PREAUTH_BODY_TIMEOUT_MS = 5_000;

 export async function readLineWebhookRequestBody(
  req: IncomingMessage,
  maxBytes = LINE_WEBHOOK_MAX_BODY_BYTES,
+  timeoutMs = LINE_WEBHOOK_PREAUTH_BODY_TIMEOUT_MS,
 ): Promise<string> {
  return await readRequestBodyWithLimit(req, {
    maxBytes,
-    timeoutMs: LINE_WEBHOOK_BODY_TIMEOUT_MS,
+    timeoutMs,
  });
 }

-type ReadBodyFn = (req: IncomingMessage, maxBytes: number) => Promise<string>;
+type ReadBodyFn = (req: IncomingMessage, maxBytes: number, timeoutMs?: number) => Promise<string>;

 export function createLineNodeWebhookHandler(params: {
  channelSecret: string;
@@ -64,9 +66,9 @@ export function createLineNodeWebhookHandler(params: {
            : undefined;
      const hasSignature = typeof signature === "string" && signature.trim().length > 0;
      const bodyLimit = hasSignature
-        ? maxBodyBytes
+        ? Math.min(maxBodyBytes, LINE_WEBHOOK_PREAUTH_MAX_BODY_BYTES)
        : Math.min(maxBodyBytes, LINE_WEBHOOK_UNSIGNED_MAX_BODY_BYTES);
-      const rawBody = await readBody(req, bodyLimit);
+      const rawBody = await readBody(req, bodyLimit, LINE_WEBHOOK_PREAUTH_BODY_TIMEOUT_MS);

      // Parse once; we may need it for verification requests and for event processing.
      const body = parseLineWebhookBody(rawBody);