When FEISHU_VERIFICATION_TOKEN is configured, an unauthenticated remote could previously prove endpoint control by sending a url_verification payload with any attacker-controlled challenge string — the handler reflected the challenge BEFORE running the token check.

Move the verification_token check ahead of the url_verification echo so the challenge response is gated on a valid token. Add a regression test covering the wrong-token case.

Also fix the stale test_connect_webhook_mode_starts_local_server fixture to set FEISHU_VERIFICATION_TOKEN (post #30746 webhook mode requires a secret).

Salvaged from PR #29663 by @m0n3r0 — kept the url_verification reorder and its regression test; dropped the host-conditional weakening of the #30746 secret guard (we want webhook secrets required regardless of bind host, not only on 0.0.0.0/::). Docs updated to call out the gating.

Co-authored-by: teknium1 <127238744+teknium1@users.noreply.github.com>

| | | |
|---|---|---|
| _category_.json | ||
| bluebubbles.md | ||
| dingtalk.md | ||
| discord.md | ||
| email.md | ||
| feishu.md | ||
| google_chat.md | ||
| homeassistant.md | ||
| index.md | ||
| line.md | ||
| matrix.md | ||
| mattermost.md | ||
| msgraph-webhook.md | ||
| ntfy.md | ||
| open-webui.md | ||
| qqbot.md | ||
| signal.md | ||
| simplex.md | ||
| slack.md | ||
| sms.md | ||
| teams-meetings.md | ||
| teams.md | ||
| telegram.md | ||
| webhooks.md | ||
| wecom-callback.md | ||
| wecom.md | ||
| weixin.md | ||
| whatsapp.md | ||
| yuanbao.md | ||