b4fbd6fe9f
Deploy Site / deploy-vercel (push) Has been skipped
Deploy Site / deploy-docs (push) Has been skipped
Build Skills Index / build-index (push) Has been skipped
CI / Deny unrelated histories (push) Has been skipped
CI / Detect affected areas (push) Successful in 27m35s
CI / OSV scan (push) Failing after 4s
CI / Build&Test Docker image (push) Successful in 9s
CI / Supply-chain scan (push) Has been skipped
CI / Lint Docker scripts (push) Failing after 5m13s
CI / Check contributors (push) Failing after 12m8s
CI / Docs Site (push) Failing after 12m8s
CI / TypeScript (push) Failing after 12m8s
CI / Python lints (push) Failing after 12m9s
CI / Python tests (push) Failing after 12m9s
CI / Check uv.lock (push) Failing after 23m22s
CI / CI timing report (push) Has been cancelled
Build Skills Index / trigger-deploy (push) Has been cancelled
CI / All required checks pass (push) Has been cancelled
81 lines
3.5 KiB
JavaScript
81 lines
3.5 KiB
JavaScript
import test from 'node:test';
|
|
import assert from 'node:assert/strict';
|
|
import os from 'node:os';
|
|
import path from 'node:path';
|
|
import { mkdtempSync, rmSync, writeFileSync } from 'node:fs';
|
|
|
|
import {
|
|
expandWhatsAppIdentifiers,
|
|
matchesAllowedUser,
|
|
normalizeWhatsAppIdentifier,
|
|
parseAllowedUsers,
|
|
} from './allowlist.js';
|
|
|
|
test('normalizeWhatsAppIdentifier strips jid syntax and plus prefix', () => {
|
|
assert.equal(normalizeWhatsAppIdentifier('+19175395595@s.whatsapp.net'), '19175395595');
|
|
assert.equal(normalizeWhatsAppIdentifier('267383306489914@lid'), '267383306489914');
|
|
assert.equal(normalizeWhatsAppIdentifier('19175395595:12@s.whatsapp.net'), '19175395595');
|
|
});
|
|
|
|
test('expandWhatsAppIdentifiers resolves phone and lid aliases from session files', () => {
|
|
const sessionDir = mkdtempSync(path.join(os.tmpdir(), 'hermes-wa-allowlist-'));
|
|
|
|
try {
|
|
writeFileSync(path.join(sessionDir, 'lid-mapping-19175395595.json'), JSON.stringify('267383306489914'));
|
|
writeFileSync(path.join(sessionDir, 'lid-mapping-267383306489914_reverse.json'), JSON.stringify('19175395595'));
|
|
|
|
const aliases = expandWhatsAppIdentifiers('267383306489914@lid', sessionDir);
|
|
assert.deepEqual([...aliases].sort(), ['19175395595', '267383306489914']);
|
|
} finally {
|
|
rmSync(sessionDir, { recursive: true, force: true });
|
|
}
|
|
});
|
|
|
|
test('matchesAllowedUser accepts mapped lid sender when allowlist only contains phone number', () => {
|
|
const sessionDir = mkdtempSync(path.join(os.tmpdir(), 'hermes-wa-allowlist-'));
|
|
|
|
try {
|
|
writeFileSync(path.join(sessionDir, 'lid-mapping-19175395595.json'), JSON.stringify('267383306489914'));
|
|
writeFileSync(path.join(sessionDir, 'lid-mapping-267383306489914_reverse.json'), JSON.stringify('19175395595'));
|
|
|
|
const allowedUsers = parseAllowedUsers('+19175395595');
|
|
assert.equal(matchesAllowedUser('267383306489914@lid', allowedUsers, sessionDir), true);
|
|
assert.equal(matchesAllowedUser('188012763865257@lid', allowedUsers, sessionDir), false);
|
|
} finally {
|
|
rmSync(sessionDir, { recursive: true, force: true });
|
|
}
|
|
});
|
|
|
|
test('matchesAllowedUser treats * as allow-all wildcard', () => {
|
|
const sessionDir = mkdtempSync(path.join(os.tmpdir(), 'hermes-wa-allowlist-'));
|
|
|
|
try {
|
|
const allowedUsers = parseAllowedUsers('*');
|
|
assert.equal(matchesAllowedUser('19175395595@s.whatsapp.net', allowedUsers, sessionDir), true);
|
|
assert.equal(matchesAllowedUser('267383306489914@lid', allowedUsers, sessionDir), true);
|
|
} finally {
|
|
rmSync(sessionDir, { recursive: true, force: true });
|
|
}
|
|
});
|
|
|
|
test('matchesAllowedUser rejects everyone when allowlist is empty (#8389)', () => {
|
|
// Regression guard: empty allowlist used to return true (allow-everyone),
|
|
// which let any stranger DM the bridge and trigger a Python-side
|
|
// pairing-code reply. Secure default is now "reject unless explicitly
|
|
// configured"; operators who want an open bot must set `*`.
|
|
const sessionDir = mkdtempSync(path.join(os.tmpdir(), 'hermes-wa-allowlist-'));
|
|
|
|
try {
|
|
const empty = parseAllowedUsers('');
|
|
assert.equal(empty.size, 0);
|
|
assert.equal(matchesAllowedUser('19175395595@s.whatsapp.net', empty, sessionDir), false);
|
|
assert.equal(matchesAllowedUser('267383306489914@lid', empty, sessionDir), false);
|
|
|
|
// Null/undefined allowlist (defensive) also rejects.
|
|
assert.equal(matchesAllowedUser('19175395595@s.whatsapp.net', null, sessionDir), false);
|
|
assert.equal(matchesAllowedUser('19175395595@s.whatsapp.net', undefined, sessionDir), false);
|
|
} finally {
|
|
rmSync(sessionDir, { recursive: true, force: true });
|
|
}
|
|
});
|