nyrn
/
openclaw
mirror of https://github.com/openclaw/openclaw.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
openclaw/extensions/telegram
History
HCL 4e45a663e7 fix(telegram): prevent silent wrong-bot routing when accountId not in config 
When a non-default accountId is specified but not found in the accounts
config, resolveTelegramToken() falls through to channel-level defaults
(botToken, tokenFile, env) — silently routing messages via the wrong
bot's token. This is a cross-bot message leak with no error or warning.

Root cause: extensions/telegram/src/token.ts:44-46, resolveAccountCfg()
returns undefined for unknown accountIds but code continues to fallbacks.
Introduced in e5bca0832f when Telegram moved to extensions/.

Fix: return { token: "", source: "none" } with a diagnostic log when
a non-default accountId is not found. Existing behavior for known
accounts (with or without per-account tokens) preserved.

Test: added "does not fall through when non-default accountId not in
config" — 1/1 new, 10/10 existing unaffected.

Closes #49383

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: HCL <chenglunhu@gmail.com>
 		2026-03-20 23:24:40 +05:30
..
src fix(telegram): prevent silent wrong-bot routing when accountId not in config 2026-03-20 23:24:40 +05:30
api.ts refactor: route extension seams through public apis 2026-03-19 03:20:10 +00:00
index.ts refactor: clean extension api boundaries 2026-03-17 09:38:21 -07:00
openclaw.plugin.json chore: Run `pnpm format:fix`. 2026-01-31 21:13:13 +09:00
package.json refactor: move bundled channel deps to plugin packages 2026-03-19 00:24:44 +00:00
runtime-api.ts Main recovery: restore formatter and contract checks (#49570) 2026-03-18 00:30:01 -07:00
setup-entry.ts refactor: clean extension api boundaries 2026-03-17 09:38:21 -07:00