security: fail closed when line webhook secret is missing (#17587)

davidahmann · davidahmann · commit 97d9f5b75550 · 2026-02-15T18:39:41.000-05:00
diff --git a/src/line/webhook.test.ts b/src/line/webhook.test.ts
@@ -1,6 +1,6 @@
 import crypto from "node:crypto";
 import { describe, expect, it, vi } from "vitest";
-import { createLineWebhookMiddleware } from "./webhook.js";
+import { createLineWebhookMiddleware, startLineWebhook } from "./webhook.js";
 
 const sign = (body: string, secret: string) =>
   crypto.createHmac("SHA256", secret).update(body).digest("base64");
@@ -18,6 +18,15 @@ const createRes = () => {
 };
 
 describe("createLineWebhookMiddleware", () => {
+  it("rejects startup when channel secret is missing", () => {
+    expect(() =>
+      startLineWebhook({
+        channelSecret: "   ",
+        onEvents: async () => {},
+      }),
+    ).toThrow(/requires a non-empty channel secret/i);
+  });
+
   it("parses JSON from raw string body", async () => {
     const onEvents = vi.fn(async () => {});
     const secret = "secret";
diff --git a/src/line/webhook.ts b/src/line/webhook.ts
@@ -101,9 +101,17 @@ export function startLineWebhook(options: StartLineWebhookOptions): {
   path: string;
   handler: (req: Request, res: Response, _next: NextFunction) => Promise<void>;
 } {
+  const channelSecret =
+    typeof options.channelSecret === "string" ? options.channelSecret.trim() : "";
+  if (!channelSecret) {
+    throw new Error(
+      "LINE webhook mode requires a non-empty channel secret. " +
+        "Set channels.line.channelSecret in your config.",
+    );
+  }
   const path = options.path ?? "/line/webhook";
   const middleware = createLineWebhookMiddleware({
-    channelSecret: options.channelSecret,
+    channelSecret,
     onEvents: options.onEvents,
     runtime: options.runtime,
   });
