fix(auth): prevent allowlist bypass via sender_id token splitting

2026-03-07 16:36:12 +00:00
parent 74066e2823
commit 057927cd24
4 changed files with 60 additions and 4 deletions
--- a/nanobot/channels/base.py
+++ b/nanobot/channels/base.py
@@ -66,10 +66,7 @@ class BaseChannel(ABC):
            return False
        if "*" in allow_list:
            return True
-        sender_str = str(sender_id)
-        return sender_str in allow_list or any(
-            p in allow_list for p in sender_str.split("|") if p
-        )
+        return str(sender_id) in allow_list

    async def _handle_message(
        self,