Skip to content

feat/security header enhancement#1910

Open
kiraWangRuilong wants to merge 2 commits into
mainfrom
feat/security_header_enhancement
Open

feat/security header enhancement#1910
kiraWangRuilong wants to merge 2 commits into
mainfrom
feat/security_header_enhancement

Conversation

@kiraWangRuilong

@kiraWangRuilong kiraWangRuilong commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator

Summary

Add baseline risk-control headers to Lark CLI requests, including terminal, OS, device model, and TAT/UAT token fingerprints.

Changes

  • Add X-Agent-Terminal-Type, X-Agent-Device-Type, and X-Agent-Os-Type headers.
  • Add lowercase SHA-256 TAT/UAT fingerprint headers (X-Agent-Tat-Hash, X-Agent-Uat-Hash).

Test Plan

  • Unit tests pass
  • Manual packet-capture verification confirms these new added headers are included

Related Issues

  • None

Summary by CodeRabbit

  • New Features

    • Added automatic SHA-256 access-token hashing for outgoing HTTP requests across cached clients, with consistent transport/middleware layering.
    • Expanded request security headers with User-Agent, X-Agent-* terminal/device/OS metadata, and X-Agent-TAT-Hash / X-Agent-UAT-Hash.
    • Enabled cross-platform device model detection for device-related headers.
  • Bug Fixes

    • Prevented stale TAT/UAT hash headers by clearing and reinjecting per request.
    • Removed restricted X-Agent-* headers when requests target non-allowed hosts.
  • Tests

    • Added/updated coverage for token hashing, transport layering order, header host restrictions, and device-model collection.

@CLAassistant

CLAassistant commented Jul 16, 2026

Copy link
Copy Markdown

CLA assistant check
All committers have signed the CLA.

@github-actions github-actions Bot added the size/L Large or sensitive change across domains or core paths label Jul 16, 2026
@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Adds cross-platform device-model detection, security headers for terminal/device/OS metadata, classified access-token hashing, and request-time hashing in cached HTTP and Lark SDK transport chains.

Changes

Access-token metadata

Layer / File(s) Summary
Device model collection and platform mapping
internal/devicemodel/*
Adds cached, sanitized device-model discovery for Darwin, Linux, Windows, and unsupported platforms, with OS mapping and tests.
Security headers and token classification
internal/cmdutil/secheader.go, internal/cmdutil/secheader_test.go
Adds device metadata headers, SHA-256 token hashing, Bearer/JWT classification, host restrictions, and tests.
Hash transport and client-chain integration
internal/cmdutil/transport.go, internal/cmdutil/factory_default.go, internal/cmdutil/*_test.go
Adds AccessTokenHashTransport, wires it into both client chains, and verifies middleware ordering and header behavior.

Estimated code review effort: 4 (Complex) | ~45 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant AccessTokenHashTransport
  participant SecurityPolicyTransport
  participant HTTPTransport
  Client->>AccessTokenHashTransport: Send request with bearer token
  AccessTokenHashTransport->>AccessTokenHashTransport: Clone request and inject token hash
  AccessTokenHashTransport->>SecurityPolicyTransport: Forward enriched request
  SecurityPolicyTransport->>HTTPTransport: Apply policy and send request
Loading

Possibly related PRs

  • larksuite/cli#596: Adds the BuildHeaderTransport layer that this change extends with access-token hashing.
  • larksuite/cli#1213: Changes transport fallback behavior in the same wrapper-chain area used by the new hash transport.

Suggested labels: feature

Suggested reviewers: liangshuo-1

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 35.85% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check ❓ Inconclusive The title is relevant but too generic to clearly identify the main change in the PR. Use a more specific title such as adding risk-control headers and access-token hashing to Lark CLI requests.
✅ Passed checks (3 passed)
Check name Status Explanation
Description check ✅ Passed The description matches the template sections and covers summary, changes, tests, and related issues.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/security_header_enhancement

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown

🚀 PR Preview Install Guide

🧰 CLI update

npm i -g https://pkg.pr.new/larksuite/cli/@larksuite/cli@49bb2d87beeaa9669a853ad753f936c7293cdec9

🧩 Skill update

npx skills add larksuite/cli#feat/security_header_enhancement -y -g

@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown

PR Quality Summary

CI did not complete successfully. Use the failed check links below to decide whether this PR needs a code change or a rerun.

Failed checks

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/cmdutil/secheader.go`:
- Around line 268-320: The accessTokenKind flow currently classifies any
parseable JWT without access_mode as UAT; update jwtAccessMode to require an
explicit access-token marker before returning a JWT match, while preserving
app-only as TAT and delegated or omitted access_mode as UAT for valid access
tokens. Add a test covering non-access JWT payloads such as {}, null, or
equivalent markers and verify they produce no token-hash classification.

In `@internal/devicemodel/model_windows.go`:
- Around line 18-33: Update readDeviceModel to use an injectable
registry-reading helper, following the existing Darwin pattern, while preserving
systemInfoRegistryPaths priority and normalization behavior. Add adjacent tests
covering successful first-path lookup, registry open/read failures, empty
normalized values, and fallback to later paths or an empty result when none
succeed.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1307e12e-ff4f-46d3-9cb9-2bcfb8fa32b4

📥 Commits

Reviewing files that changed from the base of the PR and between 7f43b7e and 0d9564f.

📒 Files selected for processing (13)
  • internal/cmdutil/factory_default.go
  • internal/cmdutil/factory_http_test.go
  • internal/cmdutil/secheader.go
  • internal/cmdutil/secheader_test.go
  • internal/cmdutil/transport.go
  • internal/cmdutil/transport_test.go
  • internal/devicemodel/model.go
  • internal/devicemodel/model_darwin.go
  • internal/devicemodel/model_darwin_test.go
  • internal/devicemodel/model_linux.go
  • internal/devicemodel/model_other.go
  • internal/devicemodel/model_test.go
  • internal/devicemodel/model_windows.go

Comment thread internal/cmdutil/secheader.go
Comment thread internal/devicemodel/model_windows.go
@codecov

codecov Bot commented Jul 16, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 84.76821% with 23 lines in your changes missing coverage. Please review.
✅ Project coverage is 74.98%. Comparing base (27df16d) to head (49bb2d8).

Files with missing lines Patch % Lines
internal/devicemodel/model.go 70.83% 12 Missing and 2 partials ⚠️
internal/cmdutil/secheader.go 90.00% 4 Missing and 4 partials ⚠️
internal/cmdutil/transport.go 87.50% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1910      +/-   ##
==========================================
+ Coverage   74.96%   74.98%   +0.01%     
==========================================
  Files         892      894       +2     
  Lines       94077    94228     +151     
==========================================
+ Hits        70529    70657     +128     
- Misses      18137    18154      +17     
- Partials     5411     5417       +6     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@kiraWangRuilong
kiraWangRuilong force-pushed the feat/security_header_enhancement branch from 4a9de95 to ddefcd7 Compare July 16, 2026 08:59

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@internal/cmdutil/secheader_test.go`:
- Around line 353-374: Update the table fixtures in the secheader tests so the
empty-token case contains no token body after the Bearer scheme, and make
unknownJWT include typ access_token while retaining its unsupported access_mode.
Keep the existing expected skipped outcomes, ensuring these cases reach the
intended empty-body and unknown-mode branches rather than being rejected for
unrelated reasons.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1474ade5-a44c-4773-988d-a905a040cc56

📥 Commits

Reviewing files that changed from the base of the PR and between 4a9de95 and ddefcd7.

📒 Files selected for processing (14)
  • internal/cmdutil/factory_default.go
  • internal/cmdutil/factory_http_test.go
  • internal/cmdutil/secheader.go
  • internal/cmdutil/secheader_test.go
  • internal/cmdutil/transport.go
  • internal/cmdutil/transport_test.go
  • internal/devicemodel/model.go
  • internal/devicemodel/model_darwin.go
  • internal/devicemodel/model_darwin_test.go
  • internal/devicemodel/model_linux.go
  • internal/devicemodel/model_other.go
  • internal/devicemodel/model_test.go
  • internal/devicemodel/model_windows.go
  • internal/devicemodel/model_windows_test.go
🚧 Files skipped from review as they are similar to previous changes (9)
  • internal/devicemodel/model_linux.go
  • internal/devicemodel/model_darwin.go
  • internal/devicemodel/model_darwin_test.go
  • internal/devicemodel/model_other.go
  • internal/devicemodel/model_windows_test.go
  • internal/devicemodel/model_windows.go
  • internal/cmdutil/transport.go
  • internal/cmdutil/factory_default.go
  • internal/cmdutil/secheader.go

Comment thread internal/cmdutil/secheader_test.go
@kiraWangRuilong
kiraWangRuilong force-pushed the feat/security_header_enhancement branch from ddefcd7 to 04b961f Compare July 16, 2026 09:18
@kiraWangRuilong kiraWangRuilong changed the title Feat/security header enhancement feat/security header enhancement Jul 16, 2026
@kiraWangRuilong
kiraWangRuilong force-pushed the feat/security_header_enhancement branch from db50326 to 624ef45 Compare July 16, 2026 12:52
Add X-Agent-Terminal-Type, X-Agent-Device-Type, X-Agent-Os-Type, X-Agent-Tat-Hash, X-Agent-Uat-Hash header
@kiraWangRuilong
kiraWangRuilong force-pushed the feat/security_header_enhancement branch from 624ef45 to 49bb2d8 Compare July 17, 2026 08:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size/L Large or sensitive change across domains or core paths

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants