@openclaw/msteams 2026.2.25 → 2026.3.2

package/CHANGELOG.md

@@ -1,5 +1,23 @@
 # Changelog
 
+## 2026.3.2
+
+### Changes
+
+- Version alignment with core OpenClaw release numbers.
+
+## 2026.3.1
+
+### Changes
+
+- Version alignment with core OpenClaw release numbers.
+
+## 2026.2.26
+
+### Changes
+
+- Version alignment with core OpenClaw release numbers.
+
 ## 2026.2.25
 
 ### Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openclaw/msteams",
-  "version": "2026.2.25",
+  "version": "2026.3.2",
   "description": "OpenClaw Microsoft Teams channel plugin",
   "type": "module",
   "dependencies": {

package/src/attachments/download.ts

@@ -6,11 +6,12 @@ import {
   isDownloadableAttachment,
   isRecord,
   isUrlAllowed,
+  type MSTeamsAttachmentFetchPolicy,
   normalizeContentType,
+  resolveMediaSsrfPolicy,
+  resolveAttachmentFetchPolicy,
   resolveRequestUrl,
-  resolveAuthAllowedHosts,
-  resolveAllowedHosts,
-  safeFetch,
+  safeFetchWithPolicy,
 } from "./shared.js";
 import type {
   MSTeamsAccessTokenProvider,
@@ -85,25 +86,22 @@ function scopeCandidatesForUrl(url: string): string[] {
   }
 }
 
+function isRedirectStatus(status: number): boolean {
+  return status === 301 || status === 302 || status === 303 || status === 307 || status === 308;
+}
+
 async function fetchWithAuthFallback(params: {
   url: string;
   tokenProvider?: MSTeamsAccessTokenProvider;
   fetchFn?: typeof fetch;
   requestInit?: RequestInit;
-  allowHosts: string[];
-  authAllowHosts: string[];
-  resolveFn?: (hostname: string) => Promise<{ address: string }>;
+  policy: MSTeamsAttachmentFetchPolicy;
 }): Promise<Response> {
-  const fetchFn = params.fetchFn ?? fetch;
-
-  // Use safeFetch for the initial attempt — redirect: "manual" with
-  // allowlist + DNS/IP validation on every hop (prevents SSRF via redirect).
-  const firstAttempt = await safeFetch({
+  const firstAttempt = await safeFetchWithPolicy({
     url: params.url,
-    allowHosts: params.allowHosts,
-    fetchFn,
+    policy: params.policy,
+    fetchFn: params.fetchFn,
     requestInit: params.requestInit,
-    resolveFn: params.resolveFn,
   });
   if (firstAttempt.ok) {
     return firstAttempt;
@@ -114,51 +112,37 @@ async function fetchWithAuthFallback(params: {
   if (firstAttempt.status !== 401 && firstAttempt.status !== 403) {
     return firstAttempt;
   }
-  if (!isUrlAllowed(params.url, params.authAllowHosts)) {
+  if (!isUrlAllowed(params.url, params.policy.authAllowHosts)) {
     return firstAttempt;
   }
 
   const scopes = scopeCandidatesForUrl(params.url);
+  const fetchFn = params.fetchFn ?? fetch;
   for (const scope of scopes) {
     try {
       const token = await params.tokenProvider.getAccessToken(scope);
       const authHeaders = new Headers(params.requestInit?.headers);
       authHeaders.set("Authorization", `Bearer ${token}`);
-      const authAttempt = await safeFetch({
+      const authAttempt = await safeFetchWithPolicy({
         url: params.url,
-        allowHosts: params.allowHosts,
+        policy: params.policy,
         fetchFn,
         requestInit: {
           ...params.requestInit,
           headers: authHeaders,
         },
-        resolveFn: params.resolveFn,
       });
       if (authAttempt.ok) {
         return authAttempt;
       }
-      if (authAttempt.status !== 401 && authAttempt.status !== 403) {
-        continue;
+      if (isRedirectStatus(authAttempt.status)) {
+        // Redirects in guarded fetch mode must propagate to the outer guard.
+        return authAttempt;
       }
-
-      const finalUrl =
-        typeof authAttempt.url === "string" && authAttempt.url ? authAttempt.url : "";
-      if (!finalUrl || finalUrl === params.url || !isUrlAllowed(finalUrl, params.authAllowHosts)) {
+      if (authAttempt.status !== 401 && authAttempt.status !== 403) {
+        // Preserve scope fallback semantics for non-auth failures.
         continue;
       }
-      const redirectedAuthAttempt = await safeFetch({
-        url: finalUrl,
-        allowHosts: params.allowHosts,
-        fetchFn,
-        requestInit: {
-          ...params.requestInit,
-          headers: authHeaders,
-        },
-        resolveFn: params.resolveFn,
-      });
-      if (redirectedAuthAttempt.ok) {
-        return redirectedAuthAttempt;
-      }
     } catch {
       // Try the next scope.
     }
@@ -180,15 +164,17 @@ export async function downloadMSTeamsAttachments(params: {
   fetchFn?: typeof fetch;
   /** When true, embeds original filename in stored path for later extraction. */
   preserveFilenames?: boolean;
-  /** Override DNS resolver for testing (anti-SSRF IP validation). */
-  resolveFn?: (hostname: string) => Promise<{ address: string }>;
 }): Promise<MSTeamsInboundMedia[]> {
   const list = Array.isArray(params.attachments) ? params.attachments : [];
   if (list.length === 0) {
     return [];
   }
-  const allowHosts = resolveAllowedHosts(params.allowHosts);
-  const authAllowHosts = resolveAuthAllowedHosts(params.authAllowHosts);
+  const policy = resolveAttachmentFetchPolicy({
+    allowHosts: params.allowHosts,
+    authAllowHosts: params.authAllowHosts,
+  });
+  const allowHosts = policy.allowHosts;
+  const ssrfPolicy = resolveMediaSsrfPolicy(allowHosts);
 
   // Download ANY downloadable attachment (not just images)
   const downloadable = list.filter(isDownloadableAttachment);
@@ -257,15 +243,14 @@ export async function downloadMSTeamsAttachments(params: {
         contentTypeHint: candidate.contentTypeHint,
         placeholder: candidate.placeholder,
         preserveFilenames: params.preserveFilenames,
+        ssrfPolicy,
         fetchImpl: (input, init) =>
           fetchWithAuthFallback({
             url: resolveRequestUrl(input),
             tokenProvider: params.tokenProvider,
             fetchFn: params.fetchFn,
             requestInit: init,
-            allowHosts,
-            authAllowHosts,
-            resolveFn: params.resolveFn,
+            policy,
           }),
       });
       out.push(media);

package/src/attachments/graph.ts

@@ -1,15 +1,19 @@
+import { fetchWithSsrFGuard, type SsrFPolicy } from "openclaw/plugin-sdk";
 import { getMSTeamsRuntime } from "../runtime.js";
 import { downloadMSTeamsAttachments } from "./download.js";
 import { downloadAndStoreMSTeamsRemoteMedia } from "./remote-media.js";
 import {
+  applyAuthorizationHeaderForUrl,
   GRAPH_ROOT,
   inferPlaceholder,
   isRecord,
   isUrlAllowed,
+  type MSTeamsAttachmentFetchPolicy,
   normalizeContentType,
+  resolveMediaSsrfPolicy,
+  resolveAttachmentFetchPolicy,
   resolveRequestUrl,
-  resolveAllowedHosts,
-  safeFetch,
+  safeFetchWithPolicy,
 } from "./shared.js";
 import type {
   MSTeamsAccessTokenProvider,
@@ -119,20 +123,31 @@ async function fetchGraphCollection<T>(params: {
   url: string;
   accessToken: string;
   fetchFn?: typeof fetch;
+  ssrfPolicy?: SsrFPolicy;
 }): Promise<{ status: number; items: T[] }> {
   const fetchFn = params.fetchFn ?? fetch;
-  const res = await fetchFn(params.url, {
-    headers: { Authorization: `Bearer ${params.accessToken}` },
+  const { response, release } = await fetchWithSsrFGuard({
+    url: params.url,
+    fetchImpl: fetchFn,
+    init: {
+      headers: { Authorization: `Bearer ${params.accessToken}` },
+    },
+    policy: params.ssrfPolicy,
+    auditContext: "msteams.graph.collection",
   });
-  const status = res.status;
-  if (!res.ok) {
-    return { status, items: [] };
-  }
   try {
-    const data = (await res.json()) as { value?: T[] };
-    return { status, items: Array.isArray(data.value) ? data.value : [] };
-  } catch {
-    return { status, items: [] };
+    const status = response.status;
+    if (!response.ok) {
+      return { status, items: [] };
+    }
+    try {
+      const data = (await response.json()) as { value?: T[] };
+      return { status, items: Array.isArray(data.value) ? data.value : [] };
+    } catch {
+      return { status, items: [] };
+    }
+  } finally {
+    await release();
   }
 }
 
@@ -164,11 +179,13 @@ async function downloadGraphHostedContent(params: {
   maxBytes: number;
   fetchFn?: typeof fetch;
   preserveFilenames?: boolean;
+  ssrfPolicy?: SsrFPolicy;
 }): Promise<{ media: MSTeamsInboundMedia[]; status: number; count: number }> {
   const hosted = await fetchGraphCollection<GraphHostedContent>({
     url: `${params.messageUrl}/hostedContents`,
     accessToken: params.accessToken,
     fetchFn: params.fetchFn,
+    ssrfPolicy: params.ssrfPolicy,
   });
   if (hosted.items.length === 0) {
     return { media: [], status: hosted.status, count: 0 };
@@ -227,7 +244,11 @@ export async function downloadMSTeamsGraphMedia(params: {
   if (!params.messageUrl || !params.tokenProvider) {
     return { media: [] };
   }
-  const allowHosts = resolveAllowedHosts(params.allowHosts);
+  const policy: MSTeamsAttachmentFetchPolicy = resolveAttachmentFetchPolicy({
+    allowHosts: params.allowHosts,
+    authAllowHosts: params.authAllowHosts,
+  });
+  const ssrfPolicy = resolveMediaSsrfPolicy(policy.allowHosts);
   const messageUrl = params.messageUrl;
   let accessToken: string;
   try {
@@ -241,64 +262,80 @@ export async function downloadMSTeamsGraphMedia(params: {
   const sharePointMedia: MSTeamsInboundMedia[] = [];
   const downloadedReferenceUrls = new Set<string>();
   try {
-    const msgRes = await fetchFn(messageUrl, {
-      headers: { Authorization: `Bearer ${accessToken}` },
+    const { response: msgRes, release } = await fetchWithSsrFGuard({
+      url: messageUrl,
+      fetchImpl: fetchFn,
+      init: {
+        headers: { Authorization: `Bearer ${accessToken}` },
+      },
+      policy: ssrfPolicy,
+      auditContext: "msteams.graph.message",
     });
-    if (msgRes.ok) {
-      const msgData = (await msgRes.json()) as {
-        body?: { content?: string; contentType?: string };
-        attachments?: Array<{
-          id?: string;
-          contentUrl?: string;
-          contentType?: string;
-          name?: string;
-        }>;
-      };
+    try {
+      if (msgRes.ok) {
+        const msgData = (await msgRes.json()) as {
+          body?: { content?: string; contentType?: string };
+          attachments?: Array<{
+            id?: string;
+            contentUrl?: string;
+            contentType?: string;
+            name?: string;
+          }>;
+        };
 
-      // Extract SharePoint file attachments (contentType: "reference")
-      // Download any file type, not just images
-      const spAttachments = (msgData.attachments ?? []).filter(
-        (a) => a.contentType === "reference" && a.contentUrl && a.name,
-      );
-      for (const att of spAttachments) {
-        const name = att.name ?? "file";
+        // Extract SharePoint file attachments (contentType: "reference")
+        // Download any file type, not just images
+        const spAttachments = (msgData.attachments ?? []).filter(
+          (a) => a.contentType === "reference" && a.contentUrl && a.name,
+        );
+        for (const att of spAttachments) {
+          const name = att.name ?? "file";
 
-        try {
-          // SharePoint URLs need to be accessed via Graph shares API
-          const shareUrl = att.contentUrl!;
-          if (!isUrlAllowed(shareUrl, allowHosts)) {
-            continue;
-          }
-          const encodedUrl = Buffer.from(shareUrl).toString("base64url");
-          const sharesUrl = `${GRAPH_ROOT}/shares/u!${encodedUrl}/driveItem/content`;
+          try {
+            // SharePoint URLs need to be accessed via Graph shares API
+            const shareUrl = att.contentUrl!;
+            if (!isUrlAllowed(shareUrl, policy.allowHosts)) {
+              continue;
+            }
+            const encodedUrl = Buffer.from(shareUrl).toString("base64url");
+            const sharesUrl = `${GRAPH_ROOT}/shares/u!${encodedUrl}/driveItem/content`;
 
-          const media = await downloadAndStoreMSTeamsRemoteMedia({
-            url: sharesUrl,
-            filePathHint: name,
-            maxBytes: params.maxBytes,
-            contentTypeHint: "application/octet-stream",
-            preserveFilenames: params.preserveFilenames,
-            fetchImpl: async (input, init) => {
-              const requestUrl = resolveRequestUrl(input);
-              const headers = new Headers(init?.headers);
-              headers.set("Authorization", `Bearer ${accessToken}`);
-              return await safeFetch({
-                url: requestUrl,
-                allowHosts,
-                fetchFn,
-                requestInit: {
-                  ...init,
+            const media = await downloadAndStoreMSTeamsRemoteMedia({
+              url: sharesUrl,
+              filePathHint: name,
+              maxBytes: params.maxBytes,
+              contentTypeHint: "application/octet-stream",
+              preserveFilenames: params.preserveFilenames,
+              ssrfPolicy,
+              fetchImpl: async (input, init) => {
+                const requestUrl = resolveRequestUrl(input);
+                const headers = new Headers(init?.headers);
+                applyAuthorizationHeaderForUrl({
                   headers,
-                },
-              });
-            },
-          });
-          sharePointMedia.push(media);
-          downloadedReferenceUrls.add(shareUrl);
-        } catch {
-          // Ignore SharePoint download failures.
+                  url: requestUrl,
+                  authAllowHosts: policy.authAllowHosts,
+                  bearerToken: accessToken,
+                });
+                return await safeFetchWithPolicy({
+                  url: requestUrl,
+                  policy,
+                  fetchFn,
+                  requestInit: {
+                    ...init,
+                    headers,
+                  },
+                });
+              },
+            });
+            sharePointMedia.push(media);
+            downloadedReferenceUrls.add(shareUrl);
+          } catch {
+            // Ignore SharePoint download failures.
+          }
         }
       }
+    } finally {
+      await release();
     }
   } catch {
     // Ignore message fetch failures.
@@ -310,12 +347,14 @@ export async function downloadMSTeamsGraphMedia(params: {
     maxBytes: params.maxBytes,
     fetchFn: params.fetchFn,
     preserveFilenames: params.preserveFilenames,
+    ssrfPolicy,
   });
 
   const attachments = await fetchGraphCollection<GraphAttachment>({
     url: `${messageUrl}/attachments`,
     accessToken,
     fetchFn: params.fetchFn,
+    ssrfPolicy,
   });
 
   const normalizedAttachments = attachments.items.map(normalizeGraphAttachment);
@@ -337,8 +376,8 @@ export async function downloadMSTeamsGraphMedia(params: {
     attachments: filteredAttachments,
     maxBytes: params.maxBytes,
     tokenProvider: params.tokenProvider,
-    allowHosts,
-    authAllowHosts: params.authAllowHosts,
+    allowHosts: policy.allowHosts,
+    authAllowHosts: policy.authAllowHosts,
     fetchFn: params.fetchFn,
     preserveFilenames: params.preserveFilenames,
   });

package/src/attachments/remote-media.ts

@@ -1,3 +1,4 @@
+import type { SsrFPolicy } from "openclaw/plugin-sdk";
 import { getMSTeamsRuntime } from "../runtime.js";
 import { inferPlaceholder } from "./shared.js";
 import type { MSTeamsInboundMedia } from "./types.js";
@@ -9,6 +10,7 @@ export async function downloadAndStoreMSTeamsRemoteMedia(params: {
   filePathHint: string;
   maxBytes: number;
   fetchImpl?: FetchLike;
+  ssrfPolicy?: SsrFPolicy;
   contentTypeHint?: string;
   placeholder?: string;
   preserveFilenames?: boolean;
@@ -18,6 +20,7 @@ export async function downloadAndStoreMSTeamsRemoteMedia(params: {
     fetchImpl: params.fetchImpl,
     filePathHint: params.filePathHint,
     maxBytes: params.maxBytes,
+    ssrfPolicy: params.ssrfPolicy,
   });
   const mime = await getMSTeamsRuntime().media.detectMime({
     buffer: fetched.buffer,

package/src/attachments/shared.test.ts

@@ -1,7 +1,16 @@
 import { describe, expect, it, vi } from "vitest";
-import { isPrivateOrReservedIP, resolveAndValidateIP, safeFetch } from "./shared.js";
-
-// ─── Helpers ─────────────────────────────────────────────────────────────────
+import {
+  applyAuthorizationHeaderForUrl,
+  isPrivateOrReservedIP,
+  isUrlAllowed,
+  resolveAndValidateIP,
+  resolveAttachmentFetchPolicy,
+  resolveAllowedHosts,
+  resolveAuthAllowedHosts,
+  resolveMediaSsrfPolicy,
+  safeFetch,
+  safeFetchWithPolicy,
+} from "./shared.js";
 
 const publicResolve = async () => ({ address: "13.107.136.10" });
 const privateResolve = (ip: string) => async () => ({ address: ip });
@@ -22,47 +31,36 @@ function mockFetchWithRedirect(redirectMap: Record<string, string>, finalBody =
   });
 }
 
-// ─── isPrivateOrReservedIP ───────────────────────────────────────────────────
+describe("msteams attachment allowlists", () => {
+  it("normalizes wildcard host lists", () => {
+    expect(resolveAllowedHosts(["*", "graph.microsoft.com"])).toEqual(["*"]);
+    expect(resolveAuthAllowedHosts(["*", "graph.microsoft.com"])).toEqual(["*"]);
+  });
 
-describe("isPrivateOrReservedIP", () => {
-  it.each([
-    ["10.0.0.1", true],
-    ["10.255.255.255", true],
-    ["172.16.0.1", true],
-    ["172.31.255.255", true],
-    ["172.15.0.1", false],
-    ["172.32.0.1", false],
-    ["192.168.0.1", true],
-    ["192.168.255.255", true],
-    ["127.0.0.1", true],
-    ["127.255.255.255", true],
-    ["169.254.0.1", true],
-    ["169.254.169.254", true],
-    ["0.0.0.0", true],
-    ["8.8.8.8", false],
-    ["13.107.136.10", false],
-    ["52.96.0.1", false],
-  ] as const)("IPv4 %s → %s", (ip, expected) => {
-    expect(isPrivateOrReservedIP(ip)).toBe(expected);
+  it("resolves a normalized attachment fetch policy", () => {
+    expect(
+      resolveAttachmentFetchPolicy({
+        allowHosts: ["sharepoint.com"],
+        authAllowHosts: ["graph.microsoft.com"],
+      }),
+    ).toEqual({
+      allowHosts: ["sharepoint.com"],
+      authAllowHosts: ["graph.microsoft.com"],
+    });
   });
 
-  it.each([
-    ["::1", true],
-    ["::", true],
-    ["fe80::1", true],
-    ["fc00::1", true],
-    ["fd12:3456::1", true],
-    ["2001:0db8::1", false],
-    ["2620:1ec:c11::200", false],
-    // IPv4-mapped IPv6 addresses
-    ["::ffff:127.0.0.1", true],
-    ["::ffff:10.0.0.1", true],
-    ["::ffff:192.168.1.1", true],
-    ["::ffff:169.254.169.254", true],
-    ["::ffff:8.8.8.8", false],
-    ["::ffff:13.107.136.10", false],
-  ] as const)("IPv6 %s → %s", (ip, expected) => {
-    expect(isPrivateOrReservedIP(ip)).toBe(expected);
+  it("requires https and host suffix match", () => {
+    const allowHosts = resolveAllowedHosts(["sharepoint.com"]);
+    expect(isUrlAllowed("https://contoso.sharepoint.com/file.png", allowHosts)).toBe(true);
+    expect(isUrlAllowed("http://contoso.sharepoint.com/file.png", allowHosts)).toBe(false);
+    expect(isUrlAllowed("https://evil.example.com/file.png", allowHosts)).toBe(false);
+  });
+
+  it("builds shared SSRF policy from suffix allowlist", () => {
+    expect(resolveMediaSsrfPolicy(["sharepoint.com"])).toEqual({
+      hostnameAllowlist: ["sharepoint.com", "*.sharepoint.com"],
+    });
+    expect(resolveMediaSsrfPolicy(["*"])).toBeUndefined();
   });
 
   it.each([
@@ -149,6 +147,39 @@ describe("safeFetch", () => {
     expect(fetchMock).toHaveBeenCalledTimes(2);
   });
 
+  it("returns the redirect response when dispatcher is provided by an outer guard", async () => {
+    const redirectedTo = "https://cdn.sharepoint.com/storage/file.pdf";
+    const fetchMock = mockFetchWithRedirect({
+      "https://teams.sharepoint.com/file.pdf": redirectedTo,
+    });
+    const res = await safeFetch({
+      url: "https://teams.sharepoint.com/file.pdf",
+      allowHosts: ["sharepoint.com"],
+      fetchFn: fetchMock as unknown as typeof fetch,
+      requestInit: { dispatcher: {} } as RequestInit,
+      resolveFn: publicResolve,
+    });
+    expect(res.status).toBe(302);
+    expect(res.headers.get("location")).toBe(redirectedTo);
+    expect(fetchMock).toHaveBeenCalledOnce();
+  });
+
+  it("still enforces allowlist checks before returning dispatcher-mode redirects", async () => {
+    const fetchMock = mockFetchWithRedirect({
+      "https://teams.sharepoint.com/file.pdf": "https://evil.example.com/steal",
+    });
+    await expect(
+      safeFetch({
+        url: "https://teams.sharepoint.com/file.pdf",
+        allowHosts: ["sharepoint.com"],
+        fetchFn: fetchMock as unknown as typeof fetch,
+        requestInit: { dispatcher: {} } as RequestInit,
+        resolveFn: publicResolve,
+      }),
+    ).rejects.toThrow("blocked by allowlist");
+    expect(fetchMock).toHaveBeenCalledOnce();
+  });
+
   it("blocks a redirect to a non-allowlisted host", async () => {
     const fetchMock = mockFetchWithRedirect({
       "https://teams.sharepoint.com/file.pdf": "https://evil.example.com/steal",
@@ -278,4 +309,70 @@ describe("safeFetch", () => {
       }),
     ).rejects.toThrow("blocked by allowlist");
   });
+
+  it("strips authorization across redirects outside auth allowlist", async () => {
+    const seenAuth: string[] = [];
+    const fetchMock = vi.fn(async (url: string, init?: RequestInit) => {
+      const auth = new Headers(init?.headers).get("authorization") ?? "";
+      seenAuth.push(`${url}|${auth}`);
+      if (url === "https://teams.sharepoint.com/file.pdf") {
+        return new Response(null, {
+          status: 302,
+          headers: { location: "https://cdn.sharepoint.com/storage/file.pdf" },
+        });
+      }
+      return new Response("ok", { status: 200 });
+    });
+
+    const headers = new Headers({ Authorization: "Bearer secret" });
+    const res = await safeFetch({
+      url: "https://teams.sharepoint.com/file.pdf",
+      allowHosts: ["sharepoint.com"],
+      authorizationAllowHosts: ["graph.microsoft.com"],
+      fetchFn: fetchMock as unknown as typeof fetch,
+      requestInit: { headers },
+      resolveFn: publicResolve,
+    });
+    expect(res.status).toBe(200);
+    expect(seenAuth[0]).toContain("Bearer secret");
+    expect(seenAuth[1]).toMatch(/\|$/);
+  });
+});
+
+describe("attachment fetch auth helpers", () => {
+  it("sets and clears authorization header by auth allowlist", () => {
+    const headers = new Headers();
+    applyAuthorizationHeaderForUrl({
+      headers,
+      url: "https://graph.microsoft.com/v1.0/me",
+      authAllowHosts: ["graph.microsoft.com"],
+      bearerToken: "token-1",
+    });
+    expect(headers.get("authorization")).toBe("Bearer token-1");
+
+    applyAuthorizationHeaderForUrl({
+      headers,
+      url: "https://evil.example.com/collect",
+      authAllowHosts: ["graph.microsoft.com"],
+      bearerToken: "token-1",
+    });
+    expect(headers.get("authorization")).toBeNull();
+  });
+
+  it("safeFetchWithPolicy forwards policy allowlists", async () => {
+    const fetchMock = vi.fn(async (_url: string, _init?: RequestInit) => {
+      return new Response("ok", { status: 200 });
+    });
+    const res = await safeFetchWithPolicy({
+      url: "https://teams.sharepoint.com/file.pdf",
+      policy: resolveAttachmentFetchPolicy({
+        allowHosts: ["sharepoint.com"],
+        authAllowHosts: ["graph.microsoft.com"],
+      }),
+      fetchFn: fetchMock as unknown as typeof fetch,
+      resolveFn: publicResolve,
+    });
+    expect(res.status).toBe(200);
+    expect(fetchMock).toHaveBeenCalledOnce();
+  });
 });