fix: handle Feishu v2 webhook token auth

Author: serrrfirat

channels-src/feishu/Cargo.lock

@@ -15,6 +15,7 @@ wit-bindgen = "0.36"
 # Serialization
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
+subtle = "2.6"
 
 # Exclude from parent workspace (this is a standalone WASM component)
 

channels-src/feishu/Cargo.toml

@@ -63,7 +63,8 @@
       },
       "webhook": {
         "secret_header": "X-Feishu-Verification-Token",
-        "secret_name": "feishu_verification_token"
+        "secret_name": "feishu_verification_token",
+        "managed_by_host": false
       }
     }
   },

channels-src/feishu/feishu.capabilities.json

@@ -33,6 +33,7 @@ wit_bindgen::generate!({
 });
 
 use serde::{Deserialize, Serialize};
+use subtle::ConstantTimeEq;
 
 // Re-export generated types
 use exports::near::agent::channel::{
@@ -104,6 +105,10 @@ struct FeishuEventHeader {
     /// Tenant key.
     #[serde(default)]
     tenant_key: Option<String>,
+
+    /// Verification token for v2 event payloads.
+    #[serde(default)]
+    token: Option<String>,
 }
 
 /// Message receive event payload (im.message.receive_v1).
@@ -305,11 +310,8 @@ impl Guest for FeishuChannel {
         if let Some(ref app_secret) = config.app_secret {
             let _ = channel_host::workspace_write(APP_SECRET_PATH, app_secret);
         }
-        if let Some(ref verification_token) = config.verification_token {
-            let _ = channel_host::workspace_write(VERIFICATION_TOKEN_PATH, verification_token);
-        } else {
-            let _ = channel_host::workspace_write(VERIFICATION_TOKEN_PATH, "");
-        }
+        let verification_token = config.verification_token.as_deref().unwrap_or("");
+        let _ = channel_host::workspace_write(VERIFICATION_TOKEN_PATH, verification_token);
 
         if let Some(owner_id) = &config.owner_id {
             let _ = channel_host::workspace_write(OWNER_ID_PATH, owner_id);
@@ -391,7 +393,7 @@ impl Guest for FeishuChannel {
         if !is_authenticated_webhook(
             req.secret_validated,
             configured_token.as_deref(),
-            event.token.as_deref(),
+            request_verification_token(&event),
         ) {
             channel_host::log(
                 channel_host::LogLevel::Warn,
@@ -876,11 +878,21 @@ fn is_authenticated_webhook(
     }
 
     match (configured_token, request_token) {
-        (Some(expected), Some(provided)) => expected == provided,
+        (Some(expected), Some(provided)) => {
+            bool::from(expected.as_bytes().ct_eq(provided.as_bytes()))
+        }
         _ => false,
     }
 }
 
+fn request_verification_token(event: &FeishuEvent) -> Option<&str> {
+    event
+        .header
+        .as_ref()
+        .and_then(|header| header.token.as_deref())
+        .or(event.token.as_deref())
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -967,4 +979,36 @@ mod tests {
             "host authentication should take precedence over body token checks"
         );
     }
+
+    #[test]
+    fn request_verification_token_prefers_v2_header_token() {
+        let event: FeishuEvent = serde_json::from_str(
+            r#"{
+                "schema": "2.0",
+                "header": {
+                    "event_id": "evt_123",
+                    "event_type": "im.message.receive_v1",
+                    "token": "header-token"
+                },
+                "event": {}
+            }"#,
+        )
+        .unwrap();
+
+        assert_eq!(request_verification_token(&event), Some("header-token"));
+    }
+
+    #[test]
+    fn request_verification_token_falls_back_to_top_level_token() {
+        let event: FeishuEvent = serde_json::from_str(
+            r#"{
+                "type": "url_verification",
+                "challenge": "abc",
+                "token": "top-level-token"
+            }"#,
+        )
+        .unwrap();
+
+        assert_eq!(request_verification_token(&event), Some("top-level-token"));
+    }
 }

channels-src/feishu/src/lib.rs

@@ -317,6 +317,14 @@ impl LoadedChannel {
             .map(|f| f.webhook_secret_name())
             .unwrap_or_else(|| format!("{}_webhook_secret", self.channel.channel_name()))
     }
+
+    /// Whether the host should enforce generic webhook-secret validation.
+    pub fn webhook_secret_managed_by_host(&self) -> bool {
+        self.capabilities_file
+            .as_ref()
+            .map(|f| f.webhook_secret_managed_by_host())
+            .unwrap_or(true)
+    }
 }
 
 /// Results from loading multiple channels.

src/channels/wasm/loader.rs

@@ -185,6 +185,19 @@ impl ChannelCapabilitiesFile {
             .and_then(|w| w.secret_name.clone())
             .unwrap_or_else(|| format!("{}_webhook_secret", self.name))
     }
+
+    /// Whether the host should enforce generic webhook-secret validation.
+    ///
+    /// Defaults to true. Channels can opt out when they validate the shared
+    /// secret themselves using provider-specific request body fields.
+    pub fn webhook_secret_managed_by_host(&self) -> bool {
+        self.capabilities
+            .channel
+            .as_ref()
+            .and_then(|c| c.webhook.as_ref())
+            .and_then(|w| w.managed_by_host)
+            .unwrap_or(true)
+    }
 }
 
 /// Schema for channel capabilities.
@@ -302,6 +315,14 @@ pub struct WebhookSchema {
     /// Secret name in secrets store for HMAC-SHA256 signing (Slack-style).
     #[serde(default)]
     pub hmac_secret_name: Option<String>,
+
+    /// Whether the host/router should enforce generic webhook-secret
+    /// validation before the channel sees the request.
+    ///
+    /// Default: true. Set to false when the provider sends the shared secret
+    /// in a provider-specific request field rather than the configured header.
+    #[serde(default)]
+    pub managed_by_host: Option<bool>,
 }
 
 /// Setup configuration schema.
@@ -611,6 +632,25 @@ mod tests {
             Some("X-Telegram-Bot-Api-Secret-Token")
         );
         assert_eq!(file.webhook_secret_name(), "telegram_webhook_secret");
+        assert!(file.webhook_secret_managed_by_host());
+    }
+
+    #[test]
+    fn test_webhook_schema_can_disable_host_managed_secret_validation() {
+        let json = r#"{
+            "name": "feishu",
+            "capabilities": {
+                "channel": {
+                    "webhook": {
+                        "secret_name": "feishu_verification_token",
+                        "managed_by_host": false
+                    }
+                }
+            }
+        }"#;
+
+        let file = ChannelCapabilitiesFile::from_json(json).unwrap();
+        assert!(!file.webhook_secret_managed_by_host());
     }
 
     #[test]

src/channels/wasm/schema.rs

@@ -139,7 +139,11 @@ async fn register_channel(
     };
 
     let secret_header = loaded.webhook_secret_header().map(|s| s.to_string());
-    let host_webhook_secret = host_managed_webhook_secret(&channel_name, webhook_secret.clone());
+    let host_webhook_secret = if loaded.webhook_secret_managed_by_host() {
+        webhook_secret.clone()
+    } else {
+        None
+    };
 
     let webhook_path = format!("/webhook/{}", channel_name);
     let endpoints = vec![RegisteredEndpoint {
@@ -385,17 +389,6 @@ pub async fn inject_channel_credentials(
     Ok(count)
 }
 
-fn host_managed_webhook_secret(
-    channel_name: &str,
-    webhook_secret: Option<String>,
-) -> Option<String> {
-    if channel_name == "feishu" {
-        None
-    } else {
-        webhook_secret
-    }
-}
-
 /// Inject channel-specific secrets into the config JSON.
 ///
 /// Some channels (e.g., Feishu) need raw credential values in their config