refactor: add approval auth capabilities to more channels

2026-04-04 22:01:15 +00:00 · 2026-03-30 09:03:41 +09:00
parent 63cbc097b5
commit c2cbdea28c
37 changed files with 697 additions and 0 deletions
--- a/extensions/feishu/src/approval-auth.test.ts
+++ b/extensions/feishu/src/approval-auth.test.ts
@@ -0,0 +1,24 @@
+import { describe, expect, it } from "vitest";
+import { feishuApprovalAuth } from "./approval-auth.js";
+
+describe("feishuApprovalAuth", () => {
+  it("authorizes open_id approvers and ignores user_id-only allowlists", () => {
+    expect(
+      feishuApprovalAuth.authorizeActorAction({
+        cfg: { channels: { feishu: { allowFrom: ["ou_owner"] } } },
+        senderId: "ou_owner",
+        action: "approve",
+        approvalKind: "exec",
+      }),
+    ).toEqual({ authorized: true });
+
+    expect(
+      feishuApprovalAuth.authorizeActorAction({
+        cfg: { channels: { feishu: { allowFrom: ["user_123"] } } },
+        senderId: "ou_attacker",
+        action: "approve",
+        approvalKind: "exec",
+      }),
+    ).toEqual({ authorized: true });
+  });
+});
--- a/extensions/feishu/src/approval-auth.ts
+++ b/extensions/feishu/src/approval-auth.ts
@@ -0,0 +1,24 @@
+import {
+  createResolvedApproverActionAuthAdapter,
+  resolveApprovalApprovers,
+} from "openclaw/plugin-sdk/approval-runtime";
+import { resolveFeishuAccount } from "./accounts.js";
+import { normalizeFeishuTarget } from "./targets.js";
+
+function normalizeFeishuApproverId(value: string | number): string | undefined {
+  const normalized = normalizeFeishuTarget(String(value));
+  const trimmed = normalized?.trim().toLowerCase();
+  return trimmed?.startsWith("ou_") ? trimmed : undefined;
+}
+
+export const feishuApprovalAuth = createResolvedApproverActionAuthAdapter({
+  channelLabel: "Feishu",
+  resolveApprovers: ({ cfg, accountId }) => {
+    const account = resolveFeishuAccount({ cfg, accountId }).config;
+    return resolveApprovalApprovers({
+      allowFrom: account.allowFrom,
+      normalizeApprover: normalizeFeishuApproverId,
+    });
+  },
+  normalizeSenderId: (value) => normalizeFeishuApproverId(value),
+});
--- a/extensions/feishu/src/channel.ts
+++ b/extensions/feishu/src/channel.ts
@@ -42,6 +42,7 @@ import {
  listEnabledFeishuAccounts,
  resolveDefaultFeishuAccountId,
 } from "./accounts.js";
+import { feishuApprovalAuth } from "./approval-auth.js";
 import { FEISHU_CARD_INTERACTION_VERSION } from "./card-interaction.js";
 import { createFeishuClient } from "./client.js";
 import { FeishuConfigSchema } from "./config-schema.js";
@@ -612,6 +613,7 @@ export const feishuPlugin: ChannelPlugin<ResolvedFeishuAccount, FeishuProbeResul
            },
          }),
      },
+      auth: feishuApprovalAuth,
      actions: {
        describeMessageTool: describeFeishuMessageTool,
        handleAction: async (ctx) => {