npm - @openclaw/msteams - Versions diffs - 2026.3.13 → 2026.5.1-beta.1 - Mend

@openclaw/msteams 2026.3.13 → 2026.5.1-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (175) hide show

package/api.ts +3 -0
package/channel-config-api.ts +1 -0
package/channel-plugin-api.ts +2 -0
package/config-api.ts +4 -0
package/contract-api.ts +4 -0
package/index.ts +15 -12
package/openclaw.plugin.json +553 -1
package/package.json +46 -12
package/runtime-api.ts +73 -0
package/secret-contract-api.ts +5 -0
package/setup-entry.ts +13 -0
package/setup-plugin-api.ts +3 -0
package/src/ai-entity.ts +7 -0
package/src/approval-auth.ts +44 -0
package/src/attachments/bot-framework.test.ts +461 -0
package/src/attachments/bot-framework.ts +362 -0
package/src/attachments/download.ts +63 -19
package/src/attachments/graph.test.ts +416 -0
package/src/attachments/graph.ts +163 -72
package/src/attachments/html.ts +33 -1
package/src/attachments/payload.ts +1 -1
package/src/attachments/remote-media.test.ts +137 -0
package/src/attachments/remote-media.ts +75 -8
package/src/attachments/shared.test.ts +138 -1
package/src/attachments/shared.ts +193 -26
package/src/attachments/types.ts +10 -0
package/src/attachments.graph.test.ts +342 -0
package/src/attachments.helpers.test.ts +246 -0
package/src/attachments.test-helpers.ts +17 -0
package/src/attachments.test.ts +163 -418
package/src/attachments.ts +5 -5
package/src/block-streaming-config.test.ts +61 -0
package/src/channel-api.ts +1 -0
package/src/channel.actions.test.ts +742 -0
package/src/channel.directory.test.ts +145 -4
package/src/channel.runtime.ts +56 -0
package/src/channel.setup.ts +77 -0
package/src/channel.test.ts +128 -0
package/src/channel.ts +1077 -395
package/src/config-schema.ts +6 -0
package/src/config-ui-hints.ts +12 -0
package/src/conversation-store-fs.test.ts +4 -5
package/src/conversation-store-fs.ts +35 -51
package/src/conversation-store-helpers.test.ts +202 -0
package/src/conversation-store-helpers.ts +105 -0
package/src/conversation-store-memory.ts +27 -23
package/src/conversation-store.shared.test.ts +225 -0
package/src/conversation-store.ts +30 -0
package/src/directory-live.test.ts +156 -0
package/src/directory-live.ts +7 -4
package/src/doctor.ts +27 -0
package/src/errors.test.ts +64 -1
package/src/errors.ts +50 -9
package/src/feedback-reflection-prompt.ts +117 -0
package/src/feedback-reflection-store.ts +114 -0
package/src/feedback-reflection.test.ts +237 -0
package/src/feedback-reflection.ts +283 -0
package/src/file-consent-helpers.test.ts +83 -0
package/src/file-consent-helpers.ts +64 -11
package/src/file-consent-invoke.ts +150 -0
package/src/file-consent.test.ts +363 -0
package/src/file-consent.ts +165 -4
package/src/graph-chat.ts +5 -3
package/src/graph-group-management.test.ts +318 -0
package/src/graph-group-management.ts +168 -0
package/src/graph-members.test.ts +89 -0
package/src/graph-members.ts +48 -0
package/src/graph-messages.actions.test.ts +243 -0
package/src/graph-messages.read.test.ts +391 -0
package/src/graph-messages.search.test.ts +213 -0
package/src/graph-messages.test-helpers.ts +50 -0
package/src/graph-messages.ts +534 -0
package/src/graph-teams.test.ts +215 -0
package/src/graph-teams.ts +114 -0
package/src/graph-thread.test.ts +246 -0
package/src/graph-thread.ts +146 -0
package/src/graph-upload.test.ts +161 -4
package/src/graph-upload.ts +147 -56
package/src/graph.test.ts +516 -0
package/src/graph.ts +233 -21
package/src/inbound.test.ts +156 -1
package/src/inbound.ts +101 -1
package/src/media-helpers.ts +1 -1
package/src/mentions.test.ts +27 -18
package/src/mentions.ts +2 -2
package/src/messenger.test.ts +504 -23
package/src/messenger.ts +133 -52
package/src/monitor-handler/access.ts +125 -0
package/src/monitor-handler/inbound-media.test.ts +289 -0
package/src/monitor-handler/inbound-media.ts +57 -5
package/src/monitor-handler/message-handler-mock-support.test-support.ts +28 -0
package/src/monitor-handler/message-handler.authz.test.ts +588 -74
package/src/monitor-handler/message-handler.dm-media.test.ts +54 -0
package/src/monitor-handler/message-handler.test-support.ts +100 -0
package/src/monitor-handler/message-handler.thread-parent.test.ts +223 -0
package/src/monitor-handler/message-handler.thread-session.test.ts +77 -0
package/src/monitor-handler/message-handler.ts +470 -164
package/src/monitor-handler/reaction-handler.test.ts +267 -0
package/src/monitor-handler/reaction-handler.ts +210 -0
package/src/monitor-handler/thread-session.ts +17 -0
package/src/monitor-handler.adaptive-card.test.ts +162 -0
package/src/monitor-handler.feedback-authz.test.ts +314 -0
package/src/monitor-handler.file-consent.test.ts +281 -79
package/src/monitor-handler.sso.test.ts +563 -0
package/src/monitor-handler.test-helpers.ts +180 -0
package/src/monitor-handler.ts +459 -115
package/src/monitor-handler.types.ts +27 -0
package/src/monitor-types.ts +1 -0
package/src/monitor.lifecycle.test.ts +74 -10
package/src/monitor.test.ts +35 -1
package/src/monitor.ts +143 -46
package/src/oauth.flow.ts +77 -0
package/src/oauth.shared.ts +37 -0
package/src/oauth.test.ts +305 -0
package/src/oauth.token.ts +158 -0
package/src/oauth.ts +130 -0
package/src/outbound.test.ts +10 -11
package/src/outbound.ts +62 -44
package/src/pending-uploads-fs.test.ts +246 -0
package/src/pending-uploads-fs.ts +235 -0
package/src/pending-uploads.test.ts +173 -0
package/src/pending-uploads.ts +34 -2
package/src/policy.test.ts +11 -5
package/src/policy.ts +5 -5
package/src/polls.test.ts +106 -5
package/src/polls.ts +15 -7
package/src/presentation.ts +68 -0
package/src/probe.test.ts +27 -8
package/src/probe.ts +43 -9
package/src/reply-dispatcher.test.ts +437 -0
package/src/reply-dispatcher.ts +259 -73
package/src/reply-stream-controller.test.ts +235 -0
package/src/reply-stream-controller.ts +147 -0
package/src/resolve-allowlist.test.ts +105 -1
package/src/resolve-allowlist.ts +112 -7
package/src/runtime.ts +6 -3
package/src/sdk-types.ts +43 -3
package/src/sdk.test.ts +666 -0
package/src/sdk.ts +867 -16
package/src/secret-contract.ts +49 -0
package/src/secret-input.ts +1 -1
package/src/send-context.ts +76 -9
package/src/send.test.ts +389 -5
package/src/send.ts +140 -32
package/src/sent-message-cache.ts +30 -18
package/src/session-route.ts +40 -0
package/src/setup-core.ts +160 -0
package/src/setup-surface.test.ts +202 -0
package/src/setup-surface.ts +320 -0
package/src/sso-token-store.test.ts +72 -0
package/src/sso-token-store.ts +166 -0
package/src/sso.ts +300 -0
package/src/storage.ts +1 -1
package/src/store-fs.ts +2 -2
package/src/streaming-message.test.ts +262 -0
package/src/streaming-message.ts +297 -0
package/src/test-runtime.ts +1 -1
package/src/thread-parent-context.test.ts +224 -0
package/src/thread-parent-context.ts +159 -0
package/src/token.test.ts +237 -50
package/src/token.ts +162 -7
package/src/user-agent.test.ts +86 -0
package/src/user-agent.ts +53 -0
package/src/webhook-timeouts.ts +27 -0
package/src/welcome-card.test.ts +81 -0
package/src/welcome-card.ts +57 -0
package/test-api.ts +1 -0
package/tsconfig.json +16 -0
package/CHANGELOG.md +0 -107
package/src/file-lock.ts +0 -1
package/src/graph-users.test.ts +0 -66
package/src/onboarding.ts +0 -381
package/src/polls-store.test.ts +0 -38
package/src/revoked-context.test.ts +0 -39
package/src/token-response.test.ts +0 -23

package/src/monitor.lifecycle.test.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import { EventEmitter } from "node:events";
-import type { OpenClawConfig, RuntimeEnv } from "openclaw/plugin-sdk/msteams";
+import type { Request, Response } from "express";
 import { afterEach, describe, expect, it, vi } from "vitest";
+import type { OpenClawConfig, RuntimeEnv } from "../runtime-api.js";
 import type { MSTeamsConversationStore } from "./conversation-store.js";
 import type { MSTeamsPollStore } from "./polls.js";
@@ -13,9 +14,14 @@ type FakeServer = EventEmitter & {
 const expressControl = vi.hoisted(() => ({
   mode: { value: "listening" as "listening" | "error" },
+  apps: [] as Array<{
+    use: ReturnType<typeof vi.fn>;
+    post: ReturnType<typeof vi.fn>;
+    listen: ReturnType<typeof vi.fn>;
+  }>,
 }));
-vi.mock("openclaw/plugin-sdk/msteams", () => ({
+vi.mock("../runtime-api.js", () => ({
   DEFAULT_WEBHOOK_MAX_BODY_BYTES: 1024 * 1024,
   normalizeSecretInputString: (value: unknown) =>
     typeof value === "string" && value.trim() ? value.trim() : undefined,
@@ -72,8 +78,14 @@ vi.mock("express", () => {
     }),
   });
+  const wrappedFactory = () => {
+    const app = factory();
+    expressControl.apps.push(app);
+    return app;
+  };
   return {
-    default: factory,
+    default: wrappedFactory,
     json,
   };
 });
@@ -88,11 +100,12 @@ const createMSTeamsAdapter = vi.hoisted(() =>
     process: vi.fn(async () => {}),
   })),
 );
+const jwtValidate = vi.hoisted(() => vi.fn().mockResolvedValue(true));
 const loadMSTeamsSdkWithAuth = vi.hoisted(() =>
   vi.fn(async () => ({
     sdk: {
-      ActivityHandler: class {},
-      MsalTokenProvider: class {},
+      ActivityHandler: function ActivityHandler() {},
+      MsalTokenProvider: function MsalTokenProvider() {},
       authorizeJWT:
         () => (_req: unknown, _res: unknown, next: ((err?: unknown) => void) | undefined) =>
           next?.(),
@@ -113,6 +126,12 @@ vi.mock("./resolve-allowlist.js", () => ({
 vi.mock("./sdk.js", () => ({
   createMSTeamsAdapter: () => createMSTeamsAdapter(),
   loadMSTeamsSdkWithAuth: () => loadMSTeamsSdkWithAuth(),
+  createMSTeamsTokenProvider: () => ({
+    getAccessToken: vi.fn().mockResolvedValue("mock-token"),
+  }),
+  createBotFrameworkJwtValidator: vi.fn().mockResolvedValue({
+    validate: jwtValidate,
+  }),
 }));
 vi.mock("./runtime.js", () => ({
@@ -172,6 +191,8 @@ describe("monitorMSTeamsProvider lifecycle", () => {
   afterEach(() => {
     vi.clearAllMocks();
     expressControl.mode.value = "listening";
+    expressControl.apps.length = 0;
+    jwtValidate.mockReset().mockResolvedValue(true);
   });
   it("stays active until aborted", async () => {
@@ -192,11 +213,9 @@ describe("monitorMSTeamsProvider lifecycle", () => {
     expect(early).toBe("pending");
     abort.abort();
-    await expect(task).resolves.toEqual(
-      expect.objectContaining({
-        shutdown: expect.any(Function),
-      }),
-    );
+    const result = await task;
+    expect(result.app).not.toBeNull();
+    await expect(result.shutdown()).resolves.toBeUndefined();
   });
   it("rejects startup when webhook port is already in use", async () => {
@@ -211,4 +230,49 @@ describe("monitorMSTeamsProvider lifecycle", () => {
       }),
     ).rejects.toThrow(/EADDRINUSE/);
   });
+  it("runs JWT validation before JSON body parsing", async () => {
+    const abort = new AbortController();
+    const task = monitorMSTeamsProvider({
+      cfg: createConfig(0),
+      runtime: createRuntime(),
+      abortSignal: abort.signal,
+      conversationStore: createStores().conversationStore,
+      pollStore: createStores().pollStore,
+    });
+    await new Promise<void>((resolve) => setTimeout(resolve, 0));
+    const app = expressControl.apps.at(-1);
+    expect(app).toBeDefined();
+    expect(app!.use).toHaveBeenCalledTimes(4);
+    const jsonMiddleware = vi.mocked((await import("express")).json).mock.results[0]?.value;
+    expect(jsonMiddleware).toBeDefined();
+    expect(app!.use.mock.calls[1]?.[0]).not.toBe(jsonMiddleware);
+    expect(app!.use.mock.calls[2]?.[0]).toBe(jsonMiddleware);
+    const jwtMiddleware = app!.use.mock.calls[1]?.[0] as (
+      req: Request,
+      res: Response,
+      next: (err?: unknown) => void,
+    ) => void;
+    const next = vi.fn();
+    jwtMiddleware(
+      { headers: { authorization: "Bearer token" } } as Request,
+      {
+        status: vi.fn().mockReturnThis(),
+        json: vi.fn(),
+      } as unknown as Response,
+      next,
+    );
+    await vi.waitFor(() => {
+      expect(jwtValidate).toHaveBeenCalledWith("Bearer token");
+      expect(next).toHaveBeenCalledTimes(1);
+    });
+    abort.abort();
+    await task;
+  });
 });

package/src/monitor.test.ts CHANGED Viewed

@@ -3,7 +3,7 @@ import type { Server } from "node:http";
 import { createConnection, type AddressInfo } from "node:net";
 import express from "express";
 import { describe, expect, it } from "vitest";
-import { applyMSTeamsWebhookTimeouts } from "./monitor.js";
+import { applyMSTeamsWebhookTimeouts } from "./webhook-timeouts.js";
 async function closeServer(server: Server): Promise<void> {
   await new Promise<void>((resolve) => {
@@ -37,6 +37,21 @@ async function waitForSlowBodySocketClose(port: number, timeoutMs: number): Prom
 }
 describe("msteams monitor webhook hardening", () => {
+  it("applies default timeouts and header clamp", async () => {
+    const app = express();
+    const server = app.listen(0, "127.0.0.1");
+    await once(server, "listening");
+    try {
+      applyMSTeamsWebhookTimeouts(server);
+      expect(server.timeout).toBe(30_000);
+      expect(server.requestTimeout).toBe(30_000);
+      expect(server.headersTimeout).toBe(15_000);
+    } finally {
+      await closeServer(server);
+    }
+  });
   it("applies explicit webhook timeout values", async () => {
     const app = express();
     const server = app.listen(0, "127.0.0.1");
@@ -56,6 +71,25 @@ describe("msteams monitor webhook hardening", () => {
     }
   });
+  it("clamps headers timeout when explicit value exceeds request timeout", async () => {
+    const app = express();
+    const server = app.listen(0, "127.0.0.1");
+    await once(server, "listening");
+    try {
+      applyMSTeamsWebhookTimeouts(server, {
+        inactivityTimeoutMs: 12_000,
+        requestTimeoutMs: 9_000,
+        headersTimeoutMs: 15_000,
+      });
+      expect(server.timeout).toBe(12_000);
+      expect(server.requestTimeout).toBe(9_000);
+      expect(server.headersTimeout).toBe(9_000);
+    } finally {
+      await closeServer(server);
+    }
+  });
   it("drops slow-body webhook requests within configured inactivity timeout", async () => {
     const app = express();
     app.use(express.json({ limit: "1mb" }));

package/src/monitor.ts CHANGED Viewed

@@ -1,4 +1,3 @@
-import type { Server } from "node:http";
 import type { Request, Response } from "express";
 import {
   DEFAULT_WEBHOOK_MAX_BODY_BYTES,
@@ -7,7 +6,7 @@ import {
   summarizeMapping,
   type OpenClawConfig,
   type RuntimeEnv,
-} from "openclaw/plugin-sdk/msteams";
+} from "../runtime-api.js";
 import { createMSTeamsConversationStoreFs } from "./conversation-store-fs.js";
 import type { MSTeamsConversationStore } from "./conversation-store.js";
 import { formatUnknownError } from "./errors.js";
@@ -19,10 +18,18 @@ import {
   resolveMSTeamsUserAllowlist,
 } from "./resolve-allowlist.js";
 import { getMSTeamsRuntime } from "./runtime.js";
-import { createMSTeamsAdapter, loadMSTeamsSdkWithAuth } from "./sdk.js";
+import {
+  createBotFrameworkJwtValidator,
+  createMSTeamsAdapter,
+  createMSTeamsTokenProvider,
+  loadMSTeamsSdkWithAuth,
+} from "./sdk.js";
+import { createMSTeamsSsoTokenStoreFs } from "./sso-token-store.js";
+import type { MSTeamsSsoDeps } from "./sso.js";
 import { resolveMSTeamsCredentials } from "./token.js";
+import { applyMSTeamsWebhookTimeouts } from "./webhook-timeouts.js";
-export type MonitorMSTeamsOpts = {
+type MonitorMSTeamsOpts = {
   cfg: OpenClawConfig;
   runtime?: RuntimeEnv;
   abortSignal?: AbortSignal;
@@ -30,38 +37,12 @@ export type MonitorMSTeamsOpts = {
   pollStore?: MSTeamsPollStore;
 };
-export type MonitorMSTeamsResult = {
+type MonitorMSTeamsResult = {
   app: unknown;
   shutdown: () => Promise<void>;
 };
 const MSTEAMS_WEBHOOK_MAX_BODY_BYTES = DEFAULT_WEBHOOK_MAX_BODY_BYTES;
-const MSTEAMS_WEBHOOK_INACTIVITY_TIMEOUT_MS = 30_000;
-const MSTEAMS_WEBHOOK_REQUEST_TIMEOUT_MS = 30_000;
-const MSTEAMS_WEBHOOK_HEADERS_TIMEOUT_MS = 15_000;
-export type ApplyMSTeamsWebhookTimeoutsOpts = {
-  inactivityTimeoutMs?: number;
-  requestTimeoutMs?: number;
-  headersTimeoutMs?: number;
-};
-export function applyMSTeamsWebhookTimeouts(
-  httpServer: Server,
-  opts?: ApplyMSTeamsWebhookTimeoutsOpts,
-): void {
-  const inactivityTimeoutMs = opts?.inactivityTimeoutMs ?? MSTEAMS_WEBHOOK_INACTIVITY_TIMEOUT_MS;
-  const requestTimeoutMs = opts?.requestTimeoutMs ?? MSTEAMS_WEBHOOK_REQUEST_TIMEOUT_MS;
-  const headersTimeoutMs = Math.min(
-    opts?.headersTimeoutMs ?? MSTEAMS_WEBHOOK_HEADERS_TIMEOUT_MS,
-    requestTimeoutMs,
-  );
-  httpServer.setTimeout(inactivityTimeoutMs);
-  httpServer.requestTimeout = requestTimeoutMs;
-  httpServer.headersTimeout = headersTimeoutMs;
-}
 export async function monitorMSTeamsProvider(
   opts: MonitorMSTeamsOpts,
 ): Promise<MonitorMSTeamsResult> {
@@ -122,9 +103,8 @@ export async function monitorMSTeamsProvider(
   try {
     const allowEntries =
-      allowFrom
-        ?.map((entry) => cleanAllowEntry(String(entry)))
-        .filter((entry) => entry && entry !== "*") ?? [];
+      allowFrom?.map((entry) => cleanAllowEntry(entry)).filter((entry) => entry && entry !== "*") ??
+      [];
     if (allowEntries.length > 0) {
       const { additions } = await resolveAllowlistUsers("msteams users", allowEntries);
       allowFrom = mergeAllowlist({ existing: allowFrom, additions });
@@ -132,7 +112,7 @@ export async function monitorMSTeamsProvider(
     if (Array.isArray(groupAllowFrom) && groupAllowFrom.length > 0) {
       const groupEntries = groupAllowFrom
-        .map((entry) => cleanAllowEntry(String(entry)))
+        .map((entry) => cleanAllowEntry(entry))
         .filter((entry) => entry && entry !== "*");
       if (groupEntries.length > 0) {
         const { additions } = await resolveAllowlistUsers("msteams group users", groupEntries);
@@ -214,7 +194,7 @@ export async function monitorMSTeamsProvider(
       }
     }
   } catch (err) {
-    runtime.log?.(`msteams resolve failed; using config entries. ${String(err)}`);
+    runtime.log?.(`msteams resolve failed; using config entries. ${formatUnknownError(err)}`);
   }
   msteamsCfg = {
@@ -247,14 +227,32 @@ export async function monitorMSTeamsProvider(
   // Dynamic import to avoid loading SDK when provider is disabled
   const express = await import("express");
-  const { sdk, authConfig } = await loadMSTeamsSdkWithAuth(creds);
-  const { ActivityHandler, MsalTokenProvider, authorizeJWT } = sdk;
+  const { sdk, app } = await loadMSTeamsSdkWithAuth(creds);
-  // Auth configuration - create early so adapter is available for deliverReplies
-  const tokenProvider = new MsalTokenProvider(authConfig);
-  const adapter = createMSTeamsAdapter(authConfig, sdk);
+  // Build a token provider adapter for Graph API operations
+  const tokenProvider = createMSTeamsTokenProvider(app);
+  const adapter = createMSTeamsAdapter(app, sdk);
+  // Build SSO deps when the operator has opted in and a connection name
+  // is configured. Leaving `sso` undefined matches the pre-SSO behavior
+  // (the plugin will still ack signin invokes, but will not attempt a
+  // Bot Framework token exchange or persist anything).
+  let ssoDeps: MSTeamsSsoDeps | undefined;
+  if (msteamsCfg.sso?.enabled && msteamsCfg.sso.connectionName) {
+    ssoDeps = {
+      tokenProvider,
+      tokenStore: createMSTeamsSsoTokenStoreFs(),
+      connectionName: msteamsCfg.sso.connectionName,
+    };
+    log.debug?.("msteams sso enabled", {
+      connectionName: msteamsCfg.sso.connectionName,
+    });
+  }
-  const handler = registerMSTeamsHandlers(new ActivityHandler() as MSTeamsActivityHandler, {
+  // Build a simple ActivityHandler-compatible object
+  const handler = buildActivityHandler();
+  registerMSTeamsHandlers(handler, {
     cfg,
     runtime,
     appId,
@@ -265,10 +263,48 @@ export async function monitorMSTeamsProvider(
     conversationStore,
     pollStore,
     log,
+    sso: ssoDeps,
   });
   // Create Express server
   const expressApp = express.default();
+  // Cheap pre-parse auth gate: reject requests without a Bearer token before
+  // spending CPU/memory on JSON body parsing. This prevents unauthenticated
+  // request floods from forcing body parsing on internet-exposed webhooks.
+  expressApp.use((req: Request, res: Response, next: (err?: unknown) => void) => {
+    const auth = req.headers.authorization;
+    if (!auth || !auth.startsWith("Bearer ")) {
+      res.status(401).json({ error: "Unauthorized" });
+      return;
+    }
+    next();
+  });
+  // JWT validation — verify Bot Framework tokens using the Teams SDK's
+  // JwtValidator (validates signature via JWKS, audience, issuer, expiration).
+  const jwtValidator = await createBotFrameworkJwtValidator(creds);
+  expressApp.use((req: Request, res: Response, next: (err?: unknown) => void) => {
+    // Authorization header is guaranteed by the pre-parse auth gate above.
+    // `serviceUrl` is optional, so authenticate from headers alone before body
+    // I/O to avoid spending memory and CPU on unauthenticated requests.
+    const authHeader = req.headers.authorization!;
+    jwtValidator
+      .validate(authHeader)
+      .then((valid) => {
+        if (!valid) {
+          log.debug?.("JWT validation failed");
+          res.status(401).json({ error: "Unauthorized" });
+          return;
+        }
+        next();
+      })
+      .catch((err) => {
+        log.debug?.(`JWT validation error: ${formatUnknownError(err)}`);
+        res.status(401).json({ error: "Unauthorized" });
+      });
+  });
   expressApp.use(express.json({ limit: MSTEAMS_WEBHOOK_MAX_BODY_BYTES }));
   expressApp.use((err: unknown, _req: Request, res: Response, next: (err?: unknown) => void) => {
     if (err && typeof err === "object" && "status" in err && err.status === 413) {
@@ -277,7 +313,6 @@ export async function monitorMSTeamsProvider(
     }
     next(err);
   });
-  expressApp.use(authorizeJWT(authConfig));
   // Set up the messages endpoint - use configured path and /api/messages as fallback
   const configuredPath = msteamsCfg.webhook?.path ?? "/api/messages";
@@ -310,7 +345,7 @@ export async function monitorMSTeamsProvider(
     };
     const onError = (err: unknown) => {
       httpServer.off("listening", onListening);
-      log.error("msteams server error", { error: String(err) });
+      log.error("msteams server error", { error: formatUnknownError(err) });
       reject(err);
     };
     httpServer.once("listening", onListening);
@@ -319,7 +354,7 @@ export async function monitorMSTeamsProvider(
   applyMSTeamsWebhookTimeouts(httpServer);
   httpServer.on("error", (err) => {
-    log.error("msteams server error", { error: String(err) });
+    log.error("msteams server error", { error: formatUnknownError(err) });
   });
   const shutdown = async () => {
@@ -327,7 +362,7 @@ export async function monitorMSTeamsProvider(
     return new Promise<void>((resolve) => {
       httpServer.close((err) => {
         if (err) {
-          log.debug?.("msteams server close error", { error: String(err) });
+          log.debug?.("msteams server close error", { error: formatUnknownError(err) });
         }
         resolve();
       });
@@ -343,3 +378,65 @@ export async function monitorMSTeamsProvider(
   return { app: expressApp, shutdown };
 }
+/**
+ * Build a minimal ActivityHandler-compatible object that supports
+ * onMessage / onMembersAdded registration and a run() method.
+ */
+function buildActivityHandler(): MSTeamsActivityHandler {
+  type Handler = (context: unknown, next: () => Promise<void>) => Promise<void>;
+  const messageHandlers: Handler[] = [];
+  const membersAddedHandlers: Handler[] = [];
+  const reactionsAddedHandlers: Handler[] = [];
+  const reactionsRemovedHandlers: Handler[] = [];
+  const handler: MSTeamsActivityHandler = {
+    onMessage(cb) {
+      messageHandlers.push(cb);
+      return handler;
+    },
+    onMembersAdded(cb) {
+      membersAddedHandlers.push(cb);
+      return handler;
+    },
+    onReactionsAdded(cb) {
+      reactionsAddedHandlers.push(cb);
+      return handler;
+    },
+    onReactionsRemoved(cb) {
+      reactionsRemovedHandlers.push(cb);
+      return handler;
+    },
+    async run(context: unknown) {
+      const ctx = context as { activity?: { type?: string } };
+      const activityType = ctx?.activity?.type;
+      const noop = async () => {};
+      if (activityType === "message") {
+        for (const h of messageHandlers) {
+          await h(context, noop);
+        }
+      } else if (activityType === "conversationUpdate") {
+        for (const h of membersAddedHandlers) {
+          await h(context, noop);
+        }
+      } else if (activityType === "messageReaction") {
+        const activity = (
+          ctx as { activity?: { reactionsAdded?: unknown[]; reactionsRemoved?: unknown[] } }
+        )?.activity;
+        if (activity?.reactionsAdded?.length) {
+          for (const h of reactionsAddedHandlers) {
+            await h(context, noop);
+          }
+        }
+        if (activity?.reactionsRemoved?.length) {
+          for (const h of reactionsRemovedHandlers) {
+            await h(context, noop);
+          }
+        }
+      }
+    },
+  };
+  return handler;
+}

package/src/oauth.flow.ts ADDED Viewed

@@ -0,0 +1,77 @@
+import { generateHexPkceVerifierChallenge } from "openclaw/plugin-sdk/provider-auth";
+import {
+  generateOAuthState,
+  parseOAuthCallbackInput,
+  waitForLocalOAuthCallback,
+} from "openclaw/plugin-sdk/provider-auth-runtime";
+import { isWSL2Sync } from "openclaw/plugin-sdk/runtime-env";
+import {
+  MSTEAMS_DEFAULT_DELEGATED_SCOPES,
+  MSTEAMS_OAUTH_CALLBACK_PATH,
+  MSTEAMS_OAUTH_CALLBACK_PORT,
+  MSTEAMS_OAUTH_REDIRECT_URI,
+  buildMSTeamsAuthEndpoint,
+} from "./oauth.shared.js";
+export function shouldUseManualOAuthFlow(isRemote: boolean): boolean {
+  return isRemote || isWSL2Sync();
+}
+export function generatePkce(): { verifier: string; challenge: string } {
+  return generateHexPkceVerifierChallenge();
+}
+export { generateOAuthState };
+export function buildMSTeamsAuthUrl(params: {
+  tenantId: string;
+  clientId: string;
+  challenge: string;
+  /** Opaque CSRF state token — must NOT be the PKCE verifier. */
+  state: string;
+  scopes?: readonly string[];
+}): string {
+  const scopes = params.scopes ?? MSTEAMS_DEFAULT_DELEGATED_SCOPES;
+  const endpoint = buildMSTeamsAuthEndpoint(params.tenantId);
+  const query = new URLSearchParams({
+    client_id: params.clientId,
+    response_type: "code",
+    redirect_uri: MSTEAMS_OAUTH_REDIRECT_URI,
+    scope: scopes.join(" "),
+    code_challenge: params.challenge,
+    code_challenge_method: "S256",
+    state: params.state,
+    prompt: "consent",
+  });
+  return `${endpoint}?${query.toString()}`;
+}
+export function parseCallbackInput(
+  input: string,
+  // Kept in the signature for API symmetry with the caller's CSRF verify step.
+  // The caller compares the parsed `state` against the expected value.
+  _expectedState: string,
+): { code: string; state: string } | { error: string } {
+  return parseOAuthCallbackInput(input, {
+    missingState: "Missing 'state' parameter in URL. Paste the full redirect URL.",
+    invalidInput:
+      "Paste the full redirect URL (including code and state parameters), not just the authorization code.",
+  });
+}
+export async function waitForLocalCallback(params: {
+  expectedState: string;
+  timeoutMs: number;
+  onProgress?: (message: string) => void;
+}): Promise<{ code: string; state: string }> {
+  return await waitForLocalOAuthCallback({
+    expectedState: params.expectedState,
+    timeoutMs: params.timeoutMs,
+    port: MSTEAMS_OAUTH_CALLBACK_PORT,
+    callbackPath: MSTEAMS_OAUTH_CALLBACK_PATH,
+    redirectUri: MSTEAMS_OAUTH_REDIRECT_URI,
+    successTitle: "MSTeams Delegated OAuth complete",
+    progressMessage: `Waiting for OAuth callback on ${MSTEAMS_OAUTH_REDIRECT_URI}...`,
+    onProgress: params.onProgress,
+  });
+}

package/src/oauth.shared.ts ADDED Viewed

@@ -0,0 +1,37 @@
+export const MSTEAMS_OAUTH_REDIRECT_URI = "http://localhost:8086/oauth2callback";
+export const MSTEAMS_OAUTH_CALLBACK_PORT = 8086;
+export const MSTEAMS_OAUTH_CALLBACK_PATH = "/oauth2callback";
+export const MSTEAMS_DEFAULT_TOKEN_FETCH_TIMEOUT_MS = 10_000;
+export const MSTEAMS_DEFAULT_DELEGATED_SCOPES = [
+  "ChatMessage.Send",
+  "ChannelMessage.Send",
+  "Chat.ReadWrite",
+  "offline_access",
+] as const;
+export function buildMSTeamsAuthEndpoint(tenantId: string): string {
+  return `https://login.microsoftonline.com/${encodeURIComponent(tenantId)}/oauth2/v2.0/authorize`;
+}
+export function buildMSTeamsTokenEndpoint(tenantId: string): string {
+  return `https://login.microsoftonline.com/${encodeURIComponent(tenantId)}/oauth2/v2.0/token`;
+}
+export type MSTeamsDelegatedTokens = {
+  accessToken: string;
+  refreshToken: string;
+  /** Unix ms, 5-min buffer pre-applied */
+  expiresAt: number;
+  scopes: string[];
+  userPrincipalName?: string;
+};
+export type MSTeamsDelegatedOAuthContext = {
+  isRemote: boolean;
+  openUrl: (url: string) => Promise<void>;
+  log: (msg: string) => void;
+  note: (message: string, title?: string) => Promise<void>;
+  prompt: (message: string) => Promise<string>;
+  progress: { update: (msg: string) => void; stop: (msg?: string) => void };
+};