Primary finding
Allowlist comparisons use normalized lists but compare against unnormalized candidates (can mis-block/allow DMs/groups)
- src/web/inbound/access-control.ts:70-74
- src/web/inbound/access-control.ts:142-147
- src/web/inbound/access-control.ts:75-79
- src/web/inbound/access-control.ts:106-109
- src/web/inbound/access-control.ts:58-59
The allowlists are normalized to digits-only strings, but the candidates they are compared against (params.from and params.senderE164) are passed through unnormalized. Any formatting difference between the two sides (a leading '+', spaces, parentheses, dashes) makes includes() fail, so the outcome of the check depends on how the candidate string happens to be formatted rather than on the number it represents: legitimate senders are blocked, and the same number can be classified differently depending on which shape it arrives in. isSamePhone has the same defect: it uses raw string equality, so two representations of the same phone number are treated as different phones.
Recommendation
Run every candidate through the same normalizer as the allowlist before comparing:
- For DMs: const candidate = normalizeE164(params.from);
- For groups: const candidateSender = params.senderE164 ? normalizeE164(params.senderE164) : null;
- For same-phone checks: compare normalizeE164(params.from) with normalizeE164(params.selfE164 ?? "").
Treat an empty normalized candidate as a non-match rather than comparing it: with the fallback above, a missing selfE164 normalizes to "" and would otherwise compare equal to any other candidate that normalizes to "".
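The following is an added example, not code from access-control.ts, showing the vulnerable comparison beside the corrected one. normalizeE164 is assumed here to be a digits-only normalizer, matching how the finding describes the allowlists; the project's real helper may differ. The non-empty guards go slightly beyond the recommendation above to stop an empty normalized value from matching.

```typescript
// Added example (not the project's code). Assumed digits-only normalizer,
// consistent with the finding's description of the allowlists.
function normalizeE164(raw: string): string {
  return raw.replace(/\D/g, "");
}

interface DmParams {
  from: string;
  selfE164?: string;
}

interface GroupParams {
  senderE164?: string;
}

// Shape described by the finding: normalized allowlist, raw candidate.
// "+1 555 010 0100" is not in ["15550100100"], so a legitimate sender is blocked.
function isDmAllowedUnnormalized(allowlist: string[], params: DmParams): boolean {
  const normalizedAllowlist = allowlist.map(normalizeE164);
  return normalizedAllowlist.includes(params.from);
}

// Fixed: both sides go through the same normalizer; an empty result never matches.
function isDmAllowed(allowlist: string[], params: DmParams): boolean {
  const normalizedAllowlist = allowlist.map(normalizeE164);
  const candidate = normalizeE164(params.from);
  return candidate.length > 0 && normalizedAllowlist.includes(candidate);
}

// Group path: senderE164 is optional, so a missing sender is an explicit non-match.
function isGroupSenderAllowed(allowlist: string[], params: GroupParams): boolean {
  const normalizedAllowlist = allowlist.map(normalizeE164);
  const candidateSender = params.senderE164 ? normalizeE164(params.senderE164) : null;
  return candidateSender !== null && candidateSender.length > 0
    && normalizedAllowlist.includes(candidateSender);
}

// Same-phone check: compare normalized forms, and refuse to call two empty strings "same".
function isSamePhone(a: string, b: string | undefined): boolean {
  const na = normalizeE164(a);
  const nb = normalizeE164(b ?? "");
  return na.length > 0 && na === nb;
}

// Constructed sample inputs: one allowlist entry written four different ways.
const sampleAllowlist = ["+1 555 010 0100"];
const sameNumberVariants = ["+15550100100", "1 (555) 010-0100", "15550100100", "+1 555 010 0100"];

function demo(): { unnormalizedHits: number; normalizedHits: number } {
  const unnormalizedHits = sameNumberVariants
    .filter((v) => isDmAllowedUnnormalized(sampleAllowlist, { from: v })).length;
  const normalizedHits = sameNumberVariants
    .filter((v) => isDmAllowed(sampleAllowlist, { from: v })).length;
  return { unnormalizedHits, normalizedHits };
}
```

demo() returns 1 hit for the unnormalized check (only the variant that happens to be stored as digits already) and 4 for the normalized one, which is the mis-block the finding describes.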