adjust access control logic

This commit is contained in:
jaydenfyi 2026-01-25 16:04:11 +08:00
parent 497e8493fe
commit cf311730df
3 changed files with 49 additions and 20 deletions

View File

@ -1,8 +0,0 @@
{
"permissions": {
"allow": [
"Bash(pnpm vitest:*)",
"Bash(git diff:*)"
]
}
}

View File

@ -96,7 +96,7 @@ describe("checkTwitchAccessControl", () => {
expect(result.matchSource).toBe("allowlist");
});
it("blocks users not in the allowlist", () => {
it("allows users not in allowlist via fallback (open access)", () => {
const account: TwitchAccountConfig = {
...mockAccount,
allowFrom: ["789012"],
@ -107,8 +107,8 @@ describe("checkTwitchAccessControl", () => {
account,
botUsername: "testbot",
});
expect(result.allowed).toBe(false);
expect(result.reason).toContain("not in allowlist");
// Falls through to final fallback since allowedRoles is not set
expect(result.allowed).toBe(true);
});
it("blocks messages without userId", () => {
@ -145,6 +145,48 @@ describe("checkTwitchAccessControl", () => {
});
expect(result.allowed).toBe(true);
});
it("allows user with role even if not in allowlist", () => {
const account: TwitchAccountConfig = {
...mockAccount,
allowFrom: ["789012"],
allowedRoles: ["moderator"],
};
const message: TwitchChatMessage = {
...mockMessage,
userId: "123456",
isMod: true,
};
const result = checkTwitchAccessControl({
message,
account,
botUsername: "testbot",
});
expect(result.allowed).toBe(true);
expect(result.matchSource).toBe("role");
});
it("blocks user with neither allowlist nor role", () => {
const account: TwitchAccountConfig = {
...mockAccount,
allowFrom: ["789012"],
allowedRoles: ["moderator"],
};
const message: TwitchChatMessage = {
...mockMessage,
userId: "123456",
isMod: false,
};
const result = checkTwitchAccessControl({
message,
account,
botUsername: "testbot",
});
expect(result.allowed).toBe(false);
expect(result.reason).toContain("does not have any of the required roles");
});
});
describe("allowedRoles", () => {

View File

@ -59,18 +59,13 @@ export function checkTwitchAccessControl(params: {
};
}
if (!allowFrom.includes(senderId)) {
if (allowFrom.includes(senderId)) {
return {
allowed: false,
reason: "sender not in allowlist",
allowed: true,
matchKey: senderId,
matchSource: "allowlist",
};
}
return {
allowed: true,
matchKey: senderId,
matchSource: "allowlist",
};
}
if (account.allowedRoles && account.allowedRoles.length > 0) {