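---
# Kingfisher detection rules for LarkSuite access tokens.
#
# Each rule pairs a context-anchored regex (a "lark"/"larksuite" mention,
# then a credential keyword, then the prefixed token) with an HTTP
# validation step that probes the LarkSuite Open API with the candidate.
# Patterns are written in extended mode ((?x)), so the line breaks inside
# the block scalars are ignored by the regex engine.
rules:
  - name: LarkSuite Tenant Access Token
    id: kingfisher.lark.1
    # Product name, at most 64 characters of anything (newlines included),
    # a credential keyword, at most 32 more characters, then the tenant
    # token ("t-" prefix) as the single capture group.
    pattern: |
      (?xi)
      (?:lark|larksuite)
      (?:.|[\n\r]){0,64}?
      (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN|ACCESS_KEY)
      (?:.|[\n\r]){0,32}?
      \b ( t-[A-Z0-9_.]{14,50} ) \b
    min_entropy: 3.2
    confidence: medium
    examples:
      - larksuite_tenant_access_token="t-AbCdEfGhIjKlMnOpQrStUvWxYz_1234"
    references:
      - https://open.larksuite.com/document/home/introduction-to-scope-and-authorization/access-credentials
      - https://open.larksuite.com/document/uAjLw4CM/ukTMukTMukTM/reference/im-v1/chat/list
      - https://open.larksuite.com/document/faq/trouble-shooting/how-to-fix-the-99991672-error
      - https://open.larksuite.com/document/ukTMukTMukTM/ugjM14COyUjL4ITN
    validation:
      type: Http
      content:
        request:
          method: GET
          # Read-only probe; page_size=1 keeps the request minimal.
          url: https://open.larksuite.com/open-apis/im/v1/chats?page_size=1
          headers:
            Accept: application/json
            Authorization: "Bearer {{ TOKEN }}"
        response_matcher:
          - report_response: true
          # 400 is accepted because the "No permission" response below is
          # still a meaningful answer about the token.
          - type: StatusMatch
            status: [200, 400]
          - type: JsonValid
          # Verified if API says success (code=0) OR "No permission" (code=99991672),
          # which still indicates the token is recognized/valid but missing scopes.
          # Both compact and pretty-printed JSON spellings are listed.
          - type: WordMatch
            match_all_words: false
            words:
              - '"code":0'
              - '"code": 0'
              - '"code":99991672'
              - '"code": 99991672'

  - name: LarkSuite User Access Token
    id: kingfisher.lark.2
    # Same context anchoring as the tenant rule; the capture group is the
    # user token ("u-" prefix).
    pattern: |
      (?xi)
      (?:lark|larksuite)
      (?:.|[\n\r]){0,64}?
      (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN|ACCESS_KEY)
      (?:.|[\n\r]){0,32}?
      \b ( u-[A-Z0-9_.]{14,50} ) \b
    min_entropy: 3.2
    confidence: medium
    examples:
      - larksuite_user_access_token="u-ZyXwVuTsRqPoNmLkJiHgFeDcBa_5678"
    references:
      - https://open.larksuite.com/document/home/introduction-to-scope-and-authorization/access-credentials
      - https://open.larksuite.com/document/uAjLw4CM/ukTMukTMukTM/reference/im-v1/chat/list
      - https://open.larksuite.com/document/faq/trouble-shooting/how-to-fix-the-99991672-error
      - https://open.larksuite.com/document/ukTMukTMukTM/ugjM14COyUjL4ITN
    validation:
      type: Http
      content:
        request:
          method: GET
          # Same read-only probe as the tenant rule.
          url: https://open.larksuite.com/open-apis/im/v1/chats?page_size=1
          headers:
            Accept: application/json
            Authorization: "Bearer {{ TOKEN }}"
        response_matcher:
          - report_response: true
          - type: StatusMatch
            status: [200, 400]
          - type: JsonValid
          # Success (code=0) or "No permission" (code=99991672) both mean the
          # token was recognized; see the tenant rule above.
          - type: WordMatch
            match_all_words: false
            words:
              - '"code":0'
              - '"code": 0'
              - '"code":99991672'
              - '"code": 99991672'

  - name: LarkSuite App Access Token
    id: kingfisher.lark.3
    # App tokens ("a-" prefix) are matched with a tighter length window
    # (30-35 characters after the prefix) than the tenant/user tokens.
    pattern: |
      (?xi)
      (?:lark|larksuite)
      (?:.|[\n\r]){0,64}?
      (?:SECRET|PRIVATE|ACCESS|KEY|TOKEN|ACCESS_KEY)
      (?:.|[\n\r]){0,32}?
      \b ( a-[A-Z0-9_.]{30,35} ) \b
    min_entropy: 3.2
    confidence: medium
    examples:
      - larksuite_app_access_token="a-QwBsTyUiOpBsDfGhJnLxYcVbN_9012"
    references:
      - https://open.larksuite.com/document/home/introduction-to-scope-and-authorization/access-credentials
      - https://open.larksuite.com/document/server-docs/getting-started/api-access-token/auth-v3/tenant_access_token
      - https://open.larksuite.com/document/server-docs/getting-started/api-access-token/auth-v3/app_access_token
    validation:
      type: Http
      content:
        request:
          method: POST
          # This endpoint checks app_access_token directly; no tenant_key involved.
          url: https://open.larksuite.com/open-apis/authen/v1/oidc/refresh_access_token
          headers:
            Accept: application/json
            Content-Type: application/x-www-form-urlencoded
            Authorization: "Bearer {{ TOKEN }}"
          # Send an intentionally bogus refresh_token. If the app_access_token is valid,
          # we should get some error other than "20014" (invalid app_access_token).
          # ">-" (strip) rather than ">" so no trailing newline is appended to the
          # form-encoded body.
          body: >-
            grant_type=refresh_token&refresh_token=kingfisher_invalid_refresh_token
        response_matcher:
          - report_response: true
          - type: StatusMatch
            status: [200]
          - type: JsonValid
          # If the app token is invalid, Lark uses 20014 (and sometimes 99991664 for invalid app token).
          # NOTE(review): this matcher is negative-only, so any valid-JSON 200
          # response whose code is not one of these is reported as verified.
          - type: WordMatch
            negative: true
            match_all_words: false
            words:
              - '"code":20014'
              - '"code": 20014'
              - '"code":99991664'
              - '"code": 99991664'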