refactor config and security to simplified the structure (#2068)

2026-06-12 18:08:54 +00:00 · 2026-03-28 00:03:34 +08:00
parent 98c78363b3
commit b646d3b8fe
48 changed files with 1566 additions and 2372 deletions
@@ -36,7 +36,7 @@ type DingTalkChannel struct {

 // NewDingTalkChannel creates a new DingTalk channel instance
 func NewDingTalkChannel(cfg config.DingTalkConfig, messageBus *bus.MessageBus) (*DingTalkChannel, error) {
-	if cfg.ClientID == "" || cfg.ClientSecret() == "" {
+	if cfg.ClientID == "" || cfg.ClientSecret.String() == "" {
 		return nil, fmt.Errorf("dingtalk client_id and client_secret are required")
 	}

@@ -53,7 +53,7 @@ func NewDingTalkChannel(cfg config.DingTalkConfig, messageBus *bus.MessageBus) (
 		BaseChannel:  base,
 		config:       cfg,
 		clientID:     cfg.ClientID,
-		clientSecret: cfg.ClientSecret(),
+		clientSecret: cfg.ClientSecret.String(),
 	}, nil
 }

@@ -53,7 +53,7 @@ func NewDiscordChannel(cfg config.DiscordConfig, bus *bus.MessageBus) (*DiscordC
 			discordgo.LogDebug:         logger.DEBUG,
 		}).Log

-	session, err := discordgo.New("Bot " + cfg.Token())
+	session, err := discordgo.New("Bot " + cfg.Token.String())
 	if err != nil {
 		return nil, fmt.Errorf("failed to create discord session: %w", err)
 	}
@@ -63,14 +63,14 @@ func NewFeishuChannel(cfg config.FeishuConfig, bus *bus.MessageBus) (*FeishuChan
 		BaseChannel: base,
 		config:      cfg,
 		tokenCache:  tc,
-		client:      lark.NewClient(cfg.AppID, cfg.AppSecret(), opts...),
+		client:      lark.NewClient(cfg.AppID, cfg.AppSecret.String(), opts...),
 	}
 	ch.SetOwner(ch)
 	return ch, nil
 }

 func (c *FeishuChannel) Start(ctx context.Context) error {
-	if c.config.AppID == "" || c.config.AppSecret() == "" {
+	if c.config.AppID == "" || c.config.AppSecret.String() == "" {
 		return fmt.Errorf("feishu app_id or app_secret is empty")
 	}

@@ -81,7 +81,7 @@ func (c *FeishuChannel) Start(ctx context.Context) error {
 		})
 	}

-	dispatcher := larkdispatcher.NewEventDispatcher(c.config.VerificationToken(), c.config.EncryptKey()).
+	dispatcher := larkdispatcher.NewEventDispatcher(c.config.VerificationToken.String(), c.config.EncryptKey.String()).
 		OnP2MessageReceiveV1(c.handleMessageReceive)

 	runCtx, cancel := context.WithCancel(ctx)
@@ -94,7 +94,7 @@ func (c *FeishuChannel) Start(ctx context.Context) error {
 	}
 	c.wsClient = larkws.NewClient(
 		c.config.AppID,
-		c.config.AppSecret(),
+		c.config.AppSecret.String(),
 		larkws.WithEventHandler(dispatcher),
 		larkws.WithDomain(domain),
 	)
@@ -17,8 +17,8 @@ import (
 // onConnect is called after a successful connection (and on reconnect).
 func (c *IRCChannel) onConnect(conn *ircevent.Connection) {
 	// NickServ auth (only if SASL is not configured)
-	if c.config.NickServPassword() != "" && c.config.SASLUser == "" {
-		conn.Privmsg("NickServ", "IDENTIFY "+c.config.NickServPassword())
+	if c.config.NickServPassword.String() != "" && c.config.SASLUser == "" {
+		conn.Privmsg("NickServ", "IDENTIFY "+c.config.NickServPassword.String())
 	}

 	// Join configured channels
@@ -68,7 +68,7 @@ func (c *IRCChannel) Start(ctx context.Context) error {
 		Nick:        c.config.Nick,
 		User:        user,
 		RealName:    realName,
-		Password:    c.config.Password(),
+		Password:    c.config.Password.String(),
 		UseTLS:      c.config.TLS,
 		RequestCaps: caps,
 		QuitMessage: "Goodbye",
@@ -83,9 +83,9 @@ func (c *IRCChannel) Start(ctx context.Context) error {
 	}

 	// SASL auth (takes priority over NickServ)
-	if c.config.SASLUser != "" && c.config.SASLPassword() != "" {
+	if c.config.SASLUser != "" && c.config.SASLPassword.String() != "" {
 		conn.SASLLogin = c.config.SASLUser
-		conn.SASLPassword = c.config.SASLPassword()
+		conn.SASLPassword = c.config.SASLPassword.String()
 	}

 	// Register event handlers
@@ -62,7 +62,7 @@ type LINEChannel struct {

 // NewLINEChannel creates a new LINE channel instance.
 func NewLINEChannel(cfg config.LINEConfig, messageBus *bus.MessageBus) (*LINEChannel, error) {
-	if cfg.ChannelSecret() == "" || cfg.ChannelAccessToken() == "" {
+	if cfg.ChannelSecret.String() == "" || cfg.ChannelAccessToken.String() == "" {
 		return nil, fmt.Errorf("line channel_secret and channel_access_token are required")
 	}

@@ -110,7 +110,7 @@ func (c *LINEChannel) fetchBotInfo() error {
 	if err != nil {
 		return err
 	}
-	req.Header.Set("Authorization", "Bearer "+c.config.ChannelAccessToken())
+	req.Header.Set("Authorization", "Bearer "+c.config.ChannelAccessToken.String())

 	resp, err := c.infoClient.Do(req)
 	if err != nil {
@@ -216,7 +216,7 @@ func (c *LINEChannel) verifySignature(body []byte, signature string) bool {
 		return false
 	}

-	mac := hmac.New(sha256.New, []byte(c.config.ChannelSecret()))
+	mac := hmac.New(sha256.New, []byte(c.config.ChannelSecret.String()))
 	mac.Write(body)
 	expected := base64.StdEncoding.EncodeToString(mac.Sum(nil))

@@ -655,7 +655,7 @@ func (c *LINEChannel) callAPI(ctx context.Context, endpoint string, payload any)
 	}

 	req.Header.Set("Content-Type", "application/json")
-	req.Header.Set("Authorization", "Bearer "+c.config.ChannelAccessToken())
+	req.Header.Set("Authorization", "Bearer "+c.config.ChannelAccessToken.String())

 	resp, err := c.apiClient.Do(req)
 	if err != nil {
@@ -680,7 +680,7 @@ func (c *LINEChannel) downloadContent(messageID, filename string) string {
 	return utils.DownloadFile(url, filename, utils.DownloadOptions{
 		LoggerPrefix: "line",
 		ExtraHeaders: map[string]string{
-			"Authorization": "Bearer " + c.config.ChannelAccessToken(),
+			"Authorization": "Bearer " + c.config.ChannelAccessToken.String(),
 		},
 	})
 }
@@ -353,7 +353,7 @@ func (m *Manager) initChannel(name, displayName string) {
 func (m *Manager) initChannels(channels *config.ChannelsConfig) error {
 	logger.InfoC("channels", "Initializing channel manager")

-	if channels.Telegram.Enabled && channels.Telegram.Token() != "" {
+	if channels.Telegram.Enabled && channels.Telegram.Token.String() != "" {
 		m.initChannel("telegram", "Telegram")
 	}

@@ -370,7 +370,7 @@ func (m *Manager) initChannels(channels *config.ChannelsConfig) error {
 		m.initChannel("feishu", "Feishu")
 	}

-	if channels.Discord.Enabled && channels.Discord.Token() != "" {
+	if channels.Discord.Enabled && channels.Discord.Token.String() != "" {
 		m.initChannel("discord", "Discord")
 	}

@@ -386,18 +386,18 @@ func (m *Manager) initChannels(channels *config.ChannelsConfig) error {
 		m.initChannel("dingtalk", "DingTalk")
 	}

-	if channels.Slack.Enabled && channels.Slack.BotToken() != "" {
+	if channels.Slack.Enabled && channels.Slack.BotToken.String() != "" {
 		m.initChannel("slack", "Slack")
 	}

 	if channels.Matrix.Enabled &&
 		m.config.Channels.Matrix.Homeserver != "" &&
 		m.config.Channels.Matrix.UserID != "" &&
-		m.config.Channels.Matrix.AccessToken() != "" {
+		m.config.Channels.Matrix.AccessToken.String() != "" {
 		m.initChannel("matrix", "Matrix")
 	}

-	if channels.LINE.Enabled && channels.LINE.ChannelAccessToken() != "" {
+	if channels.LINE.Enabled && channels.LINE.ChannelAccessToken.String() != "" {
 		m.initChannel("line", "LINE")
 	}

@@ -405,15 +405,15 @@ func (m *Manager) initChannels(channels *config.ChannelsConfig) error {
 		m.initChannel("onebot", "OneBot")
 	}

-	if channels.WeCom.Enabled && channels.WeCom.BotID != "" && channels.WeCom.Secret() != "" {
+	if channels.WeCom.Enabled && channels.WeCom.BotID != "" && channels.WeCom.Secret.String() != "" {
 		m.initChannel("wecom", "WeCom")
 	}

-	if channels.Weixin.Enabled && channels.Weixin.Token() != "" {
+	if channels.Weixin.Enabled && channels.Weixin.Token.String() != "" {
 		m.initChannel("weixin", "Weixin")
 	}

-	if channels.Pico.Enabled && channels.Pico.Token() != "" {
+	if channels.Pico.Enabled && channels.Pico.Token.String() != "" {
 		m.initChannel("pico", "Pico")
 	}

@@ -33,35 +33,35 @@ func toChannelHashes(cfg *config.Config) map[string]string {
 func hiddenValues(key string, value map[string]any, ch config.ChannelsConfig) {
 	switch key {
 	case "pico":
-		value["token"] = ch.Pico.Token()
+		value["token"] = ch.Pico.Token.String()
 	case "telegram":
-		value["token"] = ch.Telegram.Token()
+		value["token"] = ch.Telegram.Token.String()
 	case "discord":
-		value["token"] = ch.Discord.Token()
+		value["token"] = ch.Discord.Token.String()
 	case "slack":
-		value["bot_token"] = ch.Slack.BotToken()
-		value["app_token"] = ch.Slack.AppToken()
+		value["bot_token"] = ch.Slack.BotToken.String()
+		value["app_token"] = ch.Slack.AppToken.String()
 	case "matrix":
-		value["token"] = ch.Matrix.AccessToken()
+		value["token"] = ch.Matrix.AccessToken.String()
 	case "onebot":
-		value["token"] = ch.OneBot.AccessToken()
+		value["token"] = ch.OneBot.AccessToken.String()
 	case "line":
-		value["token"] = ch.LINE.ChannelAccessToken()
-		value["secret"] = ch.LINE.ChannelSecret()
+		value["token"] = ch.LINE.ChannelAccessToken.String()
+		value["secret"] = ch.LINE.ChannelSecret.String()
 	case "wecom":
-		value["secret"] = ch.WeCom.Secret()
+		value["secret"] = ch.WeCom.Secret.String()
 	case "dingtalk":
-		value["secret"] = ch.QQ.AppSecret()
+		value["secret"] = ch.DingTalk.ClientSecret.String()
 	case "qq":
-		value["secret"] = ch.DingTalk.ClientSecret()
+		value["secret"] = ch.QQ.AppSecret.String()
 	case "irc":
-		value["password"] = ch.IRC.Password()
-		value["serv_password"] = ch.IRC.NickServPassword()
-		value["sasl_password"] = ch.IRC.SASLPassword()
+		value["password"] = ch.IRC.Password.String()
+		value["serv_password"] = ch.IRC.NickServPassword.String()
+		value["sasl_password"] = ch.IRC.SASLPassword.String()
 	case "feishu":
-		value["app_secret"] = ch.Feishu.AppSecret()
-		value["encrypt_key"] = ch.Feishu.EncryptKey()
-		value["verification_token"] = ch.Feishu.VerificationToken()
+		value["app_secret"] = ch.Feishu.AppSecret.String()
+		value["encrypt_key"] = ch.Feishu.EncryptKey.String()
+		value["verification_token"] = ch.Feishu.VerificationToken.String()
 	}
 }

@@ -125,45 +125,45 @@ func toChannelConfig(cfg *config.Config, list []string) (*config.ChannelsConfig,

 func updateKeys(newcfg, old *config.ChannelsConfig) {
 	if newcfg.Pico.Enabled {
-		newcfg.Pico.SetToken(old.Pico.Token())
+		newcfg.Pico.Token = old.Pico.Token
 	}
 	if newcfg.Telegram.Enabled {
-		newcfg.Telegram.SetToken(old.Telegram.Token())
+		newcfg.Telegram.Token = old.Telegram.Token
 	}
 	if newcfg.Discord.Enabled {
-		newcfg.Discord.SetToken(old.Discord.Token())
+		newcfg.Discord.Token = old.Discord.Token
 	}
 	if newcfg.Slack.Enabled {
-		newcfg.Slack.SetBotToken(old.Slack.BotToken())
-		newcfg.Slack.SetAppToken(old.Slack.AppToken())
+		newcfg.Slack.BotToken = old.Slack.BotToken
+		newcfg.Slack.AppToken = old.Slack.AppToken
 	}
 	if newcfg.Matrix.Enabled {
-		newcfg.Matrix.SetAccessToken(old.Matrix.AccessToken())
+		newcfg.Matrix.AccessToken = old.Matrix.AccessToken
 	}
 	if newcfg.OneBot.Enabled {
-		newcfg.OneBot.SetAccessToken(old.OneBot.AccessToken())
+		newcfg.OneBot.AccessToken = old.OneBot.AccessToken
 	}
 	if newcfg.LINE.Enabled {
-		newcfg.LINE.SetChannelAccessToken(old.LINE.ChannelAccessToken())
-		newcfg.LINE.SetChannelSecret(old.LINE.ChannelSecret())
+		newcfg.LINE.ChannelAccessToken = old.LINE.ChannelAccessToken
+		newcfg.LINE.ChannelSecret = old.LINE.ChannelSecret
 	}
 	if newcfg.WeCom.Enabled {
-		newcfg.WeCom.SetSecret(old.WeCom.Secret())
+		newcfg.WeCom.Secret = old.WeCom.Secret
 	}
 	if newcfg.DingTalk.Enabled {
-		newcfg.DingTalk.SetClientSecret(old.DingTalk.ClientSecret())
+		newcfg.DingTalk.ClientSecret = old.DingTalk.ClientSecret
 	}
 	if newcfg.QQ.Enabled {
-		newcfg.QQ.SetAppSecret(old.QQ.AppSecret())
+		newcfg.QQ.AppSecret = old.QQ.AppSecret
 	}
 	if newcfg.IRC.Enabled {
-		newcfg.IRC.SetPassword(old.IRC.Password())
-		newcfg.IRC.SetNickServPassword(old.IRC.NickServPassword())
-		newcfg.IRC.SetSASLPassword(old.IRC.SASLPassword())
+		newcfg.IRC.Password = old.IRC.Password
+		newcfg.IRC.NickServPassword = old.IRC.NickServPassword
+		newcfg.IRC.SASLPassword = old.IRC.SASLPassword
 	}
 	if newcfg.Feishu.Enabled {
-		newcfg.Feishu.SetAppSecret(old.Feishu.AppSecret())
-		newcfg.Feishu.SetEncryptKey(old.Feishu.EncryptKey())
-		newcfg.Feishu.SetVerificationToken(old.Feishu.VerificationToken())
+		newcfg.Feishu.AppSecret = old.Feishu.AppSecret
+		newcfg.Feishu.EncryptKey = old.Feishu.EncryptKey
+		newcfg.Feishu.VerificationToken = old.Feishu.VerificationToken
 	}
 }
@@ -41,11 +41,11 @@ func TestToChannelHashes(t *testing.T) {
 	cc, err := toChannelConfig(cfg3, added)
 	assert.NoError(t, err)
 	logger.Debugf("cc: %#v", cc.Telegram)
-	assert.Equal(t, "114314", cc.Telegram.Token())
+	assert.Equal(t, "114314", cc.Telegram.Token.String())
 	assert.Equal(t, true, cc.Telegram.Enabled)
 	cc, err = toChannelConfig(cfg2, added)
 	assert.NoError(t, err)
 	logger.Debugf("cc: %#v", cc.Telegram)
-	assert.Equal(t, "", cc.Telegram.Token())
+	assert.Equal(t, "", cc.Telegram.Token.String())
 	assert.Equal(t, false, cc.Telegram.Enabled)
 }
@@ -200,7 +200,7 @@ func NewMatrixChannel(
 ) (*MatrixChannel, error) {
 	homeserver := strings.TrimSpace(cfg.Homeserver)
 	userID := strings.TrimSpace(cfg.UserID)
-	accessToken := strings.TrimSpace(cfg.AccessToken())
+	accessToken := strings.TrimSpace(cfg.AccessToken.String())
 	if homeserver == "" {
 		return nil, fmt.Errorf("matrix homeserver is required")
 	}
@@ -184,8 +184,8 @@ func (c *OneBotChannel) connect() error {
 	dialer.HandshakeTimeout = 10 * time.Second

 	header := make(map[string][]string)
-	if c.config.AccessToken() != "" {
-		header["Authorization"] = []string{"Bearer " + c.config.AccessToken()}
+	if c.config.AccessToken.String() != "" {
+		header["Authorization"] = []string{"Bearer " + c.config.AccessToken.String()}
 	}

 	conn, resp, err := dialer.Dial(c.config.WSUrl, header)
@@ -81,8 +81,8 @@ func (c *PicoClientChannel) Stop(ctx context.Context) error {

 func (c *PicoClientChannel) dial() error {
 	header := http.Header{}
-	if c.config.Token != "" {
-		header.Set("Authorization", "Bearer "+c.config.Token)
+	if c.config.Token.String() != "" {
+		header.Set("Authorization", "Bearer "+c.config.Token.String())
 	}

 	ws, resp, err := websocket.DefaultDialer.DialContext(c.ctx, c.config.URL, header)
@@ -106,7 +106,7 @@ func TestClientChannel_ConnectAndSend(t *testing.T) {
 	mb := bus.NewMessageBus()
 	ch, err := NewPicoClientChannel(config.PicoClientConfig{
 		URL:          wsURL(srv.URL),
-		Token:        "test-token",
+		Token:        *config.NewSecureString("test-token"),
 		SessionID:    "sess-1",
 		PingInterval: 60,
 		ReadTimeout:  10,
@@ -139,7 +139,7 @@ func TestClientChannel_AuthFailure(t *testing.T) {

 	ch, err := NewPicoClientChannel(config.PicoClientConfig{
 		URL:   wsURL(srv.URL),
-		Token: "wrong-token",
+		Token: *config.NewSecureString("wrong-token"),
 	}, bus.NewMessageBus())
 	if err != nil {
 		t.Fatal(err)
@@ -65,7 +65,7 @@ type PicoChannel struct {

 // NewPicoChannel creates a new Pico Protocol channel.
 func NewPicoChannel(cfg config.PicoConfig, messageBus *bus.MessageBus) (*PicoChannel, error) {
-	if cfg.Token() == "" {
+	if cfg.Token.String() == "" {
 		return nil, fmt.Errorf("pico token is required")
 	}

@@ -381,7 +381,7 @@ func (c *PicoChannel) handleWebSocket(w http.ResponseWriter, r *http.Request) {
 //  2. Sec-WebSocket-Protocol "token.<value>" (for browsers that can't set headers)
 //  3. Query parameter "token" (only when AllowTokenQuery is on)
 func (c *PicoChannel) authenticate(r *http.Request) bool {
-	token := c.config.Token()
+	token := c.config.Token.String()
 	if token == "" {
 		return false
 	}
@@ -412,7 +412,7 @@ func (c *PicoChannel) authenticate(r *http.Request) bool {
 // matchedSubprotocol returns the "token.<value>" subprotocol that matches
 // the configured token, or "" if none do.
 func (c *PicoChannel) matchedSubprotocol(r *http.Request) string {
-	token := c.config.Token()
+	token := c.config.Token.String()
 	for _, proto := range websocket.Subprotocols(r) {
 		if after, ok := strings.CutPrefix(proto, "token."); ok && after == token {
 			return proto
@@ -98,7 +98,7 @@ func NewQQChannel(cfg config.QQConfig, messageBus *bus.MessageBus) (*QQChannel,
 }

 func (c *QQChannel) Start(ctx context.Context) error {
-	if c.config.AppID == "" || c.config.AppSecret() == "" {
+	if c.config.AppID == "" || c.config.AppSecret.String() == "" {
 		return fmt.Errorf("QQ app_id and app_secret not configured")
 	}

@@ -112,7 +112,7 @@ func (c *QQChannel) Start(ctx context.Context) error {
 	// create token source
 	credentials := &token.QQBotCredentials{
 		AppID:     c.config.AppID,
-		AppSecret: c.config.AppSecret(),
+		AppSecret: c.config.AppSecret.String(),
 	}
 	c.tokenSource = token.NewQQBotTokenSource(credentials)

@@ -37,13 +37,13 @@ type slackMessageRef struct {
 }

 func NewSlackChannel(cfg config.SlackConfig, messageBus *bus.MessageBus) (*SlackChannel, error) {
-	if cfg.BotToken() == "" || cfg.AppToken() == "" {
+	if cfg.BotToken.String() == "" || cfg.AppToken.String() == "" {
 		return nil, fmt.Errorf("slack bot_token and app_token are required")
 	}

 	api := slack.New(
-		cfg.BotToken(),
-		slack.OptionAppLevelToken(cfg.AppToken()),
+		cfg.BotToken.String(),
+		slack.OptionAppLevelToken(cfg.AppToken.String()),
 	)

 	socketClient := socketmode.New(api)
@@ -516,7 +516,7 @@ func (c *SlackChannel) downloadSlackFile(file slack.File) string {
 	return utils.DownloadFile(downloadURL, file.Name, utils.DownloadOptions{
 		LoggerPrefix: "slack",
 		ExtraHeaders: map[string]string{
-			"Authorization": "Bearer " + c.config.BotToken(),
+			"Authorization": "Bearer " + c.config.BotToken.String(),
 		},
 	})
 }
@@ -103,7 +103,7 @@ func TestNewSlackChannel(t *testing.T) {

 	t.Run("missing bot token", func(t *testing.T) {
 		cfg := config.SlackConfig{}
-		cfg.SetAppToken("xapp-test")
+		cfg.AppToken = *config.NewSecureString("xapp-test")
 		_, err := NewSlackChannel(cfg, msgBus)
 		if err == nil {
 			t.Error("expected error for missing bot_token, got nil")
@@ -112,7 +112,7 @@ func TestNewSlackChannel(t *testing.T) {

 	t.Run("missing app token", func(t *testing.T) {
 		cfg := config.SlackConfig{}
-		cfg.SetBotToken("xoxb-test")
+		cfg.BotToken = *config.NewSecureString("xoxb-test")
 		_, err := NewSlackChannel(cfg, msgBus)
 		if err == nil {
 			t.Error("expected error for missing app_token, got nil")
@@ -123,8 +123,8 @@ func TestNewSlackChannel(t *testing.T) {
 		cfg := config.SlackConfig{
 			AllowFrom: []string{"U123"},
 		}
-		cfg.SetBotToken("xoxb-test")
-		cfg.SetAppToken("xapp-test")
+		cfg.BotToken = *config.NewSecureString("xoxb-test")
+		cfg.AppToken = *config.NewSecureString("xapp-test")
 		ch, err := NewSlackChannel(cfg, msgBus)
 		if err != nil {
 			t.Fatalf("unexpected error: %v", err)
@@ -145,8 +145,8 @@ func TestSlackChannelIsAllowed(t *testing.T) {
 		cfg := config.SlackConfig{
 			AllowFrom: []string{},
 		}
-		cfg.SetBotToken("xoxb-test")
-		cfg.SetAppToken("xapp-test")
+		cfg.BotToken = *config.NewSecureString("xoxb-test")
+		cfg.AppToken = *config.NewSecureString("xapp-test")
 		ch, _ := NewSlackChannel(cfg, msgBus)
 		if !ch.IsAllowed("U_ANYONE") {
 			t.Error("empty allowlist should allow all users")
@@ -157,8 +157,8 @@ func TestSlackChannelIsAllowed(t *testing.T) {
 		cfg := config.SlackConfig{
 			AllowFrom: []string{"U_ALLOWED"},
 		}
-		cfg.SetBotToken("xoxb-test")
-		cfg.SetAppToken("xapp-test")
+		cfg.BotToken = *config.NewSecureString("xoxb-test")
+		cfg.AppToken = *config.NewSecureString("xapp-test")
 		ch, _ := NewSlackChannel(cfg, msgBus)
 		if !ch.IsAllowed("U_ALLOWED") {
 			t.Error("allowed user should pass allowlist check")
@@ -83,7 +83,7 @@ func NewTelegramChannel(cfg *config.Config, bus *bus.MessageBus) (*TelegramChann
 	}
 	opts = append(opts, telego.WithLogger(logger.NewLogger("telego")))

-	bot, err := telego.NewBot(telegramCfg.Token(), opts...)
+	bot, err := telego.NewBot(telegramCfg.Token.String(), opts...)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create telegram bot: %w", err)
 	}
@@ -109,7 +109,7 @@ func (s *recentMessageSet) Mark(id string) bool {
 }

 func NewChannel(cfg config.WeComConfig, messageBus *bus.MessageBus) (*WeComChannel, error) {
-	if cfg.BotID == "" || cfg.Secret() == "" {
+	if cfg.BotID == "" || cfg.Secret.String() == "" {
 		return nil, fmt.Errorf("wecom bot_id and secret are required")
 	}
 	if cfg.WebSocketURL == "" {
@@ -356,7 +356,7 @@ func (c *WeComChannel) runConnection() error {
 		Headers: wecomHeaders{ReqID: randomID(10)},
 		Body: map[string]string{
 			"bot_id": c.config.BotID,
-			"secret": c.config.Secret(),
+			"secret": c.config.Secret.String(),
 		},
 	}, wecomCommandTimeout); writeErr != nil {
 		return writeErr
@@ -46,7 +46,7 @@ func picoclawHomeDir() string {

 func buildWeixinSyncBufPath(cfg config.WeixinConfig) string {
 	key := "default"
-	token := strings.TrimSpace(cfg.Token())
+	token := strings.TrimSpace(cfg.Token.String())
 	if token != "" {
 		sum := sha256.Sum256([]byte(strings.TrimSpace(cfg.BaseURL) + "|" + token))
 		key = hex.EncodeToString(sum[:8])
@@ -42,7 +42,7 @@ func init() {

 // NewWeixinChannel creates a new WeixinChannel from config.
 func NewWeixinChannel(cfg config.WeixinConfig, messageBus *bus.MessageBus) (*WeixinChannel, error) {
-	api, err := NewApiClient(cfg.BaseURL, cfg.Token(), cfg.Proxy)
+	api, err := NewApiClient(cfg.BaseURL, cfg.Token.String(), cfg.Proxy)
 	if err != nil {
 		return nil, fmt.Errorf("weixin: failed to create API client: %w", err)
 	}