npm - @openclaw/msteams - Versions diffs - 2026.2.24 → 2026.2.25 - Mend

@openclaw/msteams 2026.2.24 → 2026.2.25

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/CHANGELOG.md +6 -0
package/package.json +1 -1
package/src/monitor-handler/message-handler.authz.test.ts +96 -0
package/src/monitor-handler/message-handler.ts +6 -6
package/src/monitor-handler.file-consent.test.ts +220 -0
package/src/monitor-handler.ts +20 -4

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,11 @@
 # Changelog
+## 2026.2.25
+### Changes
+- Version alignment with core OpenClaw release numbers.
 ## 2026.2.24
 ### Changes

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@openclaw/msteams",
-  "version": "2026.2.24",
+  "version": "2026.2.25",
   "description": "OpenClaw Microsoft Teams channel plugin",
   "type": "module",
   "dependencies": {

package/src/monitor-handler/message-handler.authz.test.ts ADDED Viewed

@@ -0,0 +1,96 @@
+import type { OpenClawConfig, PluginRuntime, RuntimeEnv } from "openclaw/plugin-sdk";
+import { describe, expect, it, vi } from "vitest";
+import type { MSTeamsMessageHandlerDeps } from "../monitor-handler.js";
+import { setMSTeamsRuntime } from "../runtime.js";
+import { createMSTeamsMessageHandler } from "./message-handler.js";
+describe("msteams monitor handler authz", () => {
+  it("does not treat DM pairing-store entries as group allowlist entries", async () => {
+    const readAllowFromStore = vi.fn(async () => ["attacker-aad"]);
+    setMSTeamsRuntime({
+      logging: { shouldLogVerbose: () => false },
+      channel: {
+        debounce: {
+          resolveInboundDebounceMs: () => 0,
+          createInboundDebouncer: <T>(params: {
+            onFlush: (entries: T[]) => Promise<void>;
+          }): { enqueue: (entry: T) => Promise<void> } => ({
+            enqueue: async (entry: T) => {
+              await params.onFlush([entry]);
+            },
+          }),
+        },
+        pairing: {
+          readAllowFromStore,
+          upsertPairingRequest: vi.fn(async () => null),
+        },
+        text: {
+          hasControlCommand: () => false,
+        },
+      },
+    } as unknown as PluginRuntime);
+    const conversationStore = {
+      upsert: vi.fn(async () => undefined),
+    };
+    const deps: MSTeamsMessageHandlerDeps = {
+      cfg: {
+        channels: {
+          msteams: {
+            dmPolicy: "pairing",
+            allowFrom: [],
+            groupPolicy: "allowlist",
+            groupAllowFrom: [],
+          },
+        },
+      } as OpenClawConfig,
+      runtime: { error: vi.fn() } as unknown as RuntimeEnv,
+      appId: "test-app",
+      adapter: {} as MSTeamsMessageHandlerDeps["adapter"],
+      tokenProvider: {
+        getAccessToken: vi.fn(async () => "token"),
+      },
+      textLimit: 4000,
+      mediaMaxBytes: 1024 * 1024,
+      conversationStore:
+        conversationStore as unknown as MSTeamsMessageHandlerDeps["conversationStore"],
+      pollStore: {
+        recordVote: vi.fn(async () => null),
+      } as unknown as MSTeamsMessageHandlerDeps["pollStore"],
+      log: {
+        info: vi.fn(),
+        debug: vi.fn(),
+        error: vi.fn(),
+      } as unknown as MSTeamsMessageHandlerDeps["log"],
+    };
+    const handler = createMSTeamsMessageHandler(deps);
+    await handler({
+      activity: {
+        id: "msg-1",
+        type: "message",
+        text: "",
+        from: {
+          id: "attacker-id",
+          aadObjectId: "attacker-aad",
+          name: "Attacker",
+        },
+        recipient: {
+          id: "bot-id",
+          name: "Bot",
+        },
+        conversation: {
+          id: "19:group@thread.tacv2",
+          conversationType: "groupChat",
+        },
+        channelData: {},
+        attachments: [],
+      },
+      sendActivity: vi.fn(async () => undefined),
+    } as unknown as Parameters<typeof handler>[0]);
+    expect(readAllowFromStore).toHaveBeenCalledWith("msteams");
+    expect(conversationStore.upsert).not.toHaveBeenCalled();
+  });
+});

package/src/monitor-handler/message-handler.ts CHANGED Viewed

@@ -135,7 +135,8 @@ export function createMSTeamsMessageHandler(deps: MSTeamsMessageHandlerDeps) {
     // Check DM policy for direct messages.
     const dmAllowFrom = msteamsCfg?.allowFrom ?? [];
-    const effectiveDmAllowFrom = [...dmAllowFrom.map((v) => String(v)), ...storedAllowFrom];
+    const configuredDmAllowFrom = dmAllowFrom.map((v) => String(v));
+    const effectiveDmAllowFrom = [...configuredDmAllowFrom, ...storedAllowFrom];
     if (isDirectMessage && msteamsCfg) {
       const allowFrom = dmAllowFrom;
@@ -189,9 +190,7 @@ export function createMSTeamsMessageHandler(deps: MSTeamsMessageHandlerDeps) {
           (msteamsCfg.allowFrom && msteamsCfg.allowFrom.length > 0 ? msteamsCfg.allowFrom : []))
         : [];
     const effectiveGroupAllowFrom =
-      !isDirectMessage && msteamsCfg
-        ? [...groupAllowFrom.map((v) => String(v)), ...storedAllowFrom]
-        : [];
+      !isDirectMessage && msteamsCfg ? groupAllowFrom.map((v) => String(v)) : [];
     const teamId = activity.channelData?.team?.id;
     const teamName = activity.channelData?.team?.name;
     const channelName = activity.channelData?.channel?.name;
@@ -248,9 +247,10 @@ export function createMSTeamsMessageHandler(deps: MSTeamsMessageHandlerDeps) {
       }
     }
+    const commandDmAllowFrom = isDirectMessage ? effectiveDmAllowFrom : configuredDmAllowFrom;
     const ownerAllowedForCommands = isMSTeamsGroupAllowed({
       groupPolicy: "allowlist",
-      allowFrom: effectiveDmAllowFrom,
+      allowFrom: commandDmAllowFrom,
       senderId,
       senderName,
       allowNameMatching: isDangerousNameMatchingEnabled(msteamsCfg),
@@ -266,7 +266,7 @@ export function createMSTeamsMessageHandler(deps: MSTeamsMessageHandlerDeps) {
     const commandGate = resolveControlCommandGate({
       useAccessGroups,
       authorizers: [
-        { configured: effectiveDmAllowFrom.length > 0, allowed: ownerAllowedForCommands },
+        { configured: commandDmAllowFrom.length > 0, allowed: ownerAllowedForCommands },
         { configured: effectiveGroupAllowFrom.length > 0, allowed: groupAllowedForCommands },
       ],
       allowTextCommands: true,

package/src/monitor-handler.file-consent.test.ts ADDED Viewed

@@ -0,0 +1,220 @@
+import type { OpenClawConfig, PluginRuntime, RuntimeEnv } from "openclaw/plugin-sdk";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import type { MSTeamsConversationStore } from "./conversation-store.js";
+import type { MSTeamsAdapter } from "./messenger.js";
+import {
+  type MSTeamsActivityHandler,
+  type MSTeamsMessageHandlerDeps,
+  registerMSTeamsHandlers,
+} from "./monitor-handler.js";
+import { clearPendingUploads, getPendingUpload, storePendingUpload } from "./pending-uploads.js";
+import type { MSTeamsPollStore } from "./polls.js";
+import { setMSTeamsRuntime } from "./runtime.js";
+import type { MSTeamsTurnContext } from "./sdk-types.js";
+const fileConsentMockState = vi.hoisted(() => ({
+  uploadToConsentUrl: vi.fn(),
+}));
+vi.mock("./file-consent.js", async () => {
+  const actual = await vi.importActual<typeof import("./file-consent.js")>("./file-consent.js");
+  return {
+    ...actual,
+    uploadToConsentUrl: fileConsentMockState.uploadToConsentUrl,
+  };
+});
+const runtimeStub: PluginRuntime = {
+  logging: {
+    shouldLogVerbose: () => false,
+  },
+  channel: {
+    debounce: {
+      resolveInboundDebounceMs: () => 0,
+      createInboundDebouncer: () => ({
+        enqueue: async () => {},
+      }),
+    },
+  },
+} as unknown as PluginRuntime;
+function createDeps(): MSTeamsMessageHandlerDeps {
+  const adapter: MSTeamsAdapter = {
+    continueConversation: async () => {},
+    process: async () => {},
+  };
+  const conversationStore: MSTeamsConversationStore = {
+    upsert: async () => {},
+    get: async () => null,
+    list: async () => [],
+    remove: async () => false,
+    findByUserId: async () => null,
+  };
+  const pollStore: MSTeamsPollStore = {
+    createPoll: async () => {},
+    getPoll: async () => null,
+    recordVote: async () => null,
+  };
+  return {
+    cfg: {} as OpenClawConfig,
+    runtime: {
+      error: vi.fn(),
+    } as unknown as RuntimeEnv,
+    appId: "test-app-id",
+    adapter,
+    tokenProvider: {
+      getAccessToken: async () => "token",
+    },
+    textLimit: 4000,
+    mediaMaxBytes: 8 * 1024 * 1024,
+    conversationStore,
+    pollStore,
+    log: {
+      info: vi.fn(),
+      error: vi.fn(),
+      debug: vi.fn(),
+    },
+  };
+}
+function createActivityHandler(): MSTeamsActivityHandler {
+  let handler: MSTeamsActivityHandler;
+  handler = {
+    onMessage: () => handler,
+    onMembersAdded: () => handler,
+    run: async () => {},
+  };
+  return handler;
+}
+function createInvokeContext(params: {
+  conversationId: string;
+  uploadId: string;
+  action: "accept" | "decline";
+}): { context: MSTeamsTurnContext; sendActivity: ReturnType<typeof vi.fn> } {
+  const sendActivity = vi.fn(async () => ({ id: "activity-id" }));
+  const uploadInfo =
+    params.action === "accept"
+      ? {
+          name: "secret.txt",
+          uploadUrl: "https://upload.example.com/put",
+          contentUrl: "https://content.example.com/file",
+          uniqueId: "unique-id",
+          fileType: "txt",
+        }
+      : undefined;
+  return {
+    context: {
+      activity: {
+        type: "invoke",
+        name: "fileConsent/invoke",
+        conversation: { id: params.conversationId },
+        value: {
+          type: "fileUpload",
+          action: params.action,
+          uploadInfo,
+          context: { uploadId: params.uploadId },
+        },
+      },
+      sendActivity,
+      sendActivities: async () => [],
+    } as unknown as MSTeamsTurnContext,
+    sendActivity,
+  };
+}
+describe("msteams file consent invoke authz", () => {
+  beforeEach(() => {
+    setMSTeamsRuntime(runtimeStub);
+    clearPendingUploads();
+    fileConsentMockState.uploadToConsentUrl.mockReset();
+    fileConsentMockState.uploadToConsentUrl.mockResolvedValue(undefined);
+  });
+  it("uploads when invoke conversation matches pending upload conversation", async () => {
+    const uploadId = storePendingUpload({
+      buffer: Buffer.from("TOP_SECRET_VICTIM_FILE\n"),
+      filename: "secret.txt",
+      contentType: "text/plain",
+      conversationId: "19:victim@thread.v2",
+    });
+    const deps = createDeps();
+    const handler = registerMSTeamsHandlers(createActivityHandler(), deps);
+    const { context, sendActivity } = createInvokeContext({
+      conversationId: "19:victim@thread.v2;messageid=abc123",
+      uploadId,
+      action: "accept",
+    });
+    await handler.run?.(context);
+    expect(fileConsentMockState.uploadToConsentUrl).toHaveBeenCalledTimes(1);
+    expect(fileConsentMockState.uploadToConsentUrl).toHaveBeenCalledWith(
+      expect.objectContaining({
+        url: "https://upload.example.com/put",
+      }),
+    );
+    expect(getPendingUpload(uploadId)).toBeUndefined();
+    expect(sendActivity).toHaveBeenCalledWith(
+      expect.objectContaining({
+        type: "invokeResponse",
+      }),
+    );
+  });
+  it("rejects cross-conversation accept invoke and keeps pending upload", async () => {
+    const uploadId = storePendingUpload({
+      buffer: Buffer.from("TOP_SECRET_VICTIM_FILE\n"),
+      filename: "secret.txt",
+      contentType: "text/plain",
+      conversationId: "19:victim@thread.v2",
+    });
+    const deps = createDeps();
+    const handler = registerMSTeamsHandlers(createActivityHandler(), deps);
+    const { context, sendActivity } = createInvokeContext({
+      conversationId: "19:attacker@thread.v2",
+      uploadId,
+      action: "accept",
+    });
+    await handler.run?.(context);
+    expect(fileConsentMockState.uploadToConsentUrl).not.toHaveBeenCalled();
+    expect(getPendingUpload(uploadId)).toBeDefined();
+    expect(sendActivity).toHaveBeenCalledWith(
+      "The file upload request has expired. Please try sending the file again.",
+    );
+    expect(sendActivity).toHaveBeenCalledWith(
+      expect.objectContaining({
+        type: "invokeResponse",
+      }),
+    );
+  });
+  it("ignores cross-conversation decline invoke and keeps pending upload", async () => {
+    const uploadId = storePendingUpload({
+      buffer: Buffer.from("TOP_SECRET_VICTIM_FILE\n"),
+      filename: "secret.txt",
+      contentType: "text/plain",
+      conversationId: "19:victim@thread.v2",
+    });
+    const deps = createDeps();
+    const handler = registerMSTeamsHandlers(createActivityHandler(), deps);
+    const { context, sendActivity } = createInvokeContext({
+      conversationId: "19:attacker@thread.v2",
+      uploadId,
+      action: "decline",
+    });
+    await handler.run?.(context);
+    expect(fileConsentMockState.uploadToConsentUrl).not.toHaveBeenCalled();
+    expect(getPendingUpload(uploadId)).toBeDefined();
+    expect(sendActivity).toHaveBeenCalledTimes(1);
+    expect(sendActivity).toHaveBeenCalledWith(
+      expect.objectContaining({
+        type: "invokeResponse",
+      }),
+    );
+  });
+});

package/src/monitor-handler.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import type { OpenClawConfig, RuntimeEnv } from "openclaw/plugin-sdk";
 import type { MSTeamsConversationStore } from "./conversation-store.js";
 import { buildFileInfoCard, parseFileConsentInvoke, uploadToConsentUrl } from "./file-consent.js";
+import { normalizeMSTeamsConversationId } from "./inbound.js";
 import type { MSTeamsAdapter } from "./messenger.js";
 import { createMSTeamsMessageHandler } from "./monitor-handler/message-handler.js";
 import type { MSTeamsMonitorLogger } from "./monitor-types.js";
@@ -42,6 +43,8 @@ async function handleFileConsentInvoke(
   context: MSTeamsTurnContext,
   log: MSTeamsMonitorLogger,
 ): Promise<boolean> {
+  const expiredUploadMessage =
+    "The file upload request has expired. Please try sending the file again.";
   const activity = context.activity;
   if (activity.type !== "invoke" || activity.name !== "fileConsent/invoke") {
     return false;
@@ -57,9 +60,24 @@ async function handleFileConsentInvoke(
     typeof consentResponse.context?.uploadId === "string"
       ? consentResponse.context.uploadId
       : undefined;
+  const pendingFile = getPendingUpload(uploadId);
+  if (pendingFile) {
+    const pendingConversationId = normalizeMSTeamsConversationId(pendingFile.conversationId);
+    const invokeConversationId = normalizeMSTeamsConversationId(activity.conversation?.id ?? "");
+    if (!invokeConversationId || pendingConversationId !== invokeConversationId) {
+      log.info("file consent conversation mismatch", {
+        uploadId,
+        expectedConversationId: pendingConversationId,
+        receivedConversationId: invokeConversationId || undefined,
+      });
+      if (consentResponse.action === "accept") {
+        await context.sendActivity(expiredUploadMessage);
+      }
+      return true;
+    }
+  }
   if (consentResponse.action === "accept" && consentResponse.uploadInfo) {
-    const pendingFile = getPendingUpload(uploadId);
     if (pendingFile) {
       log.debug?.("user accepted file consent, uploading", {
         uploadId,
@@ -101,9 +119,7 @@ async function handleFileConsentInvoke(
       }
     } else {
       log.debug?.("pending file not found for consent", { uploadId });
-      await context.sendActivity(
-        "The file upload request has expired. Please try sending the file again.",
-      );
+      await context.sendActivity(expiredUploadMessage);
     }
   } else {
     // User declined