fix(zalouser): harden inbound sender id handling

steipete · steipete · commit ee1b1476310f · 2026-03-02T15:44:07.000Z
diff --git a/extensions/zalouser/src/monitor.account-scope.test.ts b/extensions/zalouser/src/monitor.account-scope.test.ts
@@ -2,7 +2,7 @@ import type { OpenClawConfig, PluginRuntime, RuntimeEnv } from "openclaw/plugin-
 import { describe, expect, it, vi } from "vitest";
 import { __testing } from "./monitor.js";
 import { setZalouserRuntime } from "./runtime.js";
-import type { ResolvedZalouserAccount, ZcaMessage } from "./types.js";
+import type { ResolvedZalouserAccount, ZaloInboundMessage } from "./types.js";
 
 const sendMessageZalouserMock = vi.hoisted(() => vi.fn(async () => {}));
 
@@ -72,17 +72,16 @@ describe("zalouser monitor pairing account scoping", () => {
       },
     };
 
-    const message: ZcaMessage = {
+    const message: ZaloInboundMessage = {
       threadId: "chat-1",
+      isGroup: false,
+      senderId: "attacker",
+      senderName: "Attacker",
+      groupName: undefined,
+      timestampMs: Date.now(),
       msgId: "msg-1",
-      type: 1,
       content: "hello",
-      timestamp: Math.floor(Date.now() / 1000),
-      metadata: {
-        isGroup: false,
-        fromId: "attacker",
-        senderName: "Attacker",
-      },
+      raw: { source: "test" },
     };
 
     const runtime: RuntimeEnv = {
diff --git a/extensions/zalouser/src/monitor.ts b/extensions/zalouser/src/monitor.ts
@@ -61,11 +61,14 @@ function logVerbose(core: ZalouserCoreRuntime, runtime: RuntimeEnv, message: str
   }
 }
 
-function isSenderAllowed(senderId: string, allowFrom: string[]): boolean {
+function isSenderAllowed(senderId: string | undefined, allowFrom: string[]): boolean {
   if (allowFrom.includes("*")) {
     return true;
   }
-  const normalizedSenderId = senderId.toLowerCase();
+  const normalizedSenderId = senderId?.trim().toLowerCase();
+  if (!normalizedSenderId) {
+    return false;
+  }
   return allowFrom.some((entry) => {
     const normalized = entry.toLowerCase().replace(/^(zalouser|zlu):/i, "");
     return normalized === normalizedSenderId;
@@ -133,7 +136,11 @@ async function processMessage(
   }
 
   const isGroup = message.isGroup;
-  const senderId = message.senderId;
+  const senderId = message.senderId?.trim();
+  if (!senderId) {
+    logVerbose(core, runtime, `zalouser: drop message ${chatId} (missing senderId)`);
+    return;
+  }
   const senderName = message.senderName ?? "";
   const groupName = message.groupName ?? "";
   const chatId = message.threadId;
