admin/Moltbot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: gate Teams media auth retries

Browse Source
This commit is contained in:
Peter Steinberger
2026-02-02 02:07:01 -08:00
parent f6d98a908a
commit 41cc5bcd4f
9 changed files with 115 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
extensions/msteams/src/attachments.test.ts
View File

@@ -241,6 +241,7 @@ describe("msteams attachments", () => {
maxBytes: 1024 * 1024,
tokenProvider: { getAccessToken: vi.fn(async () => "token") },
allowHosts: ["x"],
authAllowHosts: ["x"],
fetchFn: fetchMock as unknown as typeof fetch,
});
@@ -249,6 +250,41 @@ describe("msteams attachments", () => {
expect(fetchMock).toHaveBeenCalledTimes(2);
});
it("skips auth retries when the host is not in auth allowlist", async () => {
const { downloadMSTeamsAttachments } = await load();
const tokenProvider = { getAccessToken: vi.fn(async () => "token") };
const fetchMock = vi.fn(async (_url: string, opts?: RequestInit) => {
const hasAuth = Boolean(
opts &&
typeof opts === "object" &&
"headers" in opts &&
(opts.headers as Record<string, string>)?.Authorization,
);
if (!hasAuth) {
return new Response("forbidden", { status: 403 });
}
return new Response(Buffer.from("png"), {
status: 200,
headers: { "content-type": "image/png" },
});
});
const media = await downloadMSTeamsAttachments({
attachments: [
{ contentType: "image/png", contentUrl: "https://attacker.azureedge.net/img" },
],
maxBytes: 1024 * 1024,
tokenProvider,
allowHosts: ["azureedge.net"],
authAllowHosts: ["graph.microsoft.com"],
fetchFn: fetchMock as unknown as typeof fetch,
});
expect(media).toHaveLength(0);
expect(fetchMock).toHaveBeenCalledTimes(1);
expect(tokenProvider.getAccessToken).not.toHaveBeenCalled();
});
it("skips urls outside the allowlist", async () => {
const { downloadMSTeamsAttachments } = await load();
const fetchMock = vi.fn();

45
extensions/msteams/src/attachments/download.ts
View File

@@ -11,6 +11,7 @@ import {
isRecord,
isUrlAllowed,
normalizeContentType,
resolveAuthAllowedHosts,
resolveAllowedHosts,
} from "./shared.js";
@@ -85,6 +86,8 @@ async function fetchWithAuthFallback(params: {
url: string;
tokenProvider?: MSTeamsAccessTokenProvider;
fetchFn?: typeof fetch;
allowHosts: string[];
authAllowHosts: string[];
}): Promise<Response> {
const fetchFn = params.fetchFn ?? fetch;
const firstAttempt = await fetchFn(params.url);
@@ -97,6 +100,9 @@ async function fetchWithAuthFallback(params: {
if (firstAttempt.status !== 401 && firstAttempt.status !== 403) {
return firstAttempt;
}
if (!isUrlAllowed(params.url, params.authAllowHosts)) {
return firstAttempt;
}
const scopes = scopeCandidatesForUrl(params.url);
for (const scope of scopes) {
@@ -104,10 +110,30 @@ async function fetchWithAuthFallback(params: {
const token = await params.tokenProvider.getAccessToken(scope);
const res = await fetchFn(params.url, {
headers: { Authorization: `Bearer ${token}` },
redirect: "manual",
});
if (res.ok) {
return res;
}
const redirectUrl = readRedirectUrl(params.url, res);
if (redirectUrl && isUrlAllowed(redirectUrl, params.allowHosts)) {
const redirectRes = await fetchFn(redirectUrl);
if (redirectRes.ok) {
return redirectRes;
}
if (
(redirectRes.status === 401 || redirectRes.status === 403) &&
isUrlAllowed(redirectUrl, params.authAllowHosts)
) {
const redirectAuthRes = await fetchFn(redirectUrl, {
headers: { Authorization: `Bearer ${token}` },
redirect: "manual",
});
if (redirectAuthRes.ok) {
return redirectAuthRes;
}
}
}
} catch {
// Try the next scope.
}
@@ -116,6 +142,21 @@ async function fetchWithAuthFallback(params: {
return firstAttempt;
}
function readRedirectUrl(baseUrl: string, res: Response): string | null {
if (![301, 302, 303, 307, 308].includes(res.status)) {
return null;
}
const location = res.headers.get("location");
if (!location) {
return null;
}
try {
return new URL(location, baseUrl).toString();
} catch {
return null;
}
}
/**
* Download all file attachments from a Teams message (images, documents, etc.).
* Renamed from downloadMSTeamsImageAttachments to support all file types.
@@ -125,6 +166,7 @@ export async function downloadMSTeamsAttachments(params: {
maxBytes: number;
tokenProvider?: MSTeamsAccessTokenProvider;
allowHosts?: string[];
authAllowHosts?: string[];
fetchFn?: typeof fetch;
/** When true, embeds original filename in stored path for later extraction. */
preserveFilenames?: boolean;
@@ -134,6 +176,7 @@ export async function downloadMSTeamsAttachments(params: {
return [];
}
const allowHosts = resolveAllowedHosts(params.allowHosts);
const authAllowHosts = resolveAuthAllowedHosts(params.authAllowHosts);
// Download ANY downloadable attachment (not just images)
const downloadable = list.filter(isDownloadableAttachment);
@@ -199,6 +242,8 @@ export async function downloadMSTeamsAttachments(params: {
url: candidate.url,
tokenProvider: params.tokenProvider,
fetchFn: params.fetchFn,
allowHosts,
authAllowHosts,
});
if (!res.ok) {
continue;

2
extensions/msteams/src/attachments/graph.ts
View File

@@ -215,6 +215,7 @@ export async function downloadMSTeamsGraphMedia(params: {
tokenProvider?: MSTeamsAccessTokenProvider;
maxBytes: number;
allowHosts?: string[];
authAllowHosts?: string[];
fetchFn?: typeof fetch;
/** When true, embeds original filename in stored path for later extraction. */
preserveFilenames?: boolean;
@@ -336,6 +337,7 @@ export async function downloadMSTeamsGraphMedia(params: {
maxBytes: params.maxBytes,
tokenProvider: params.tokenProvider,
allowHosts,
authAllowHosts: params.authAllowHosts,
fetchFn: params.fetchFn,
preserveFilenames: params.preserveFilenames,
});

20
extensions/msteams/src/attachments/shared.ts
View File

@@ -48,6 +48,15 @@ export const DEFAULT_MEDIA_HOST_ALLOWLIST = [
"microsoft.com",
] as const;
export const DEFAULT_MEDIA_AUTH_HOST_ALLOWLIST = [
"api.botframework.com",
"botframework.com",
"graph.microsoft.com",
"graph.microsoft.us",
"graph.microsoft.de",
"graph.microsoft.cn",
] as const;
export const GRAPH_ROOT = "https://graph.microsoft.com/v1.0";
export function isRecord(value: unknown): value is Record<string, unknown> {
@@ -250,6 +259,17 @@ export function resolveAllowedHosts(input?: string[]): string[] {
return normalized;
}
export function resolveAuthAllowedHosts(input?: string[]): string[] {
if (!Array.isArray(input) || input.length === 0) {
return DEFAULT_MEDIA_AUTH_HOST_ALLOWLIST.slice();
}
const normalized = input.map(normalizeAllowHost).filter(Boolean);
if (normalized.includes("*")) {
return ["*"];
}
return normalized;
}
function isHostAllowed(host: string, allowlist: string[]): boolean {
if (allowlist.includes("*")) {
return true;

3
extensions/msteams/src/monitor-handler/inbound-media.ts
View File

@@ -18,6 +18,7 @@ export async function resolveMSTeamsInboundMedia(params: {
htmlSummary?: MSTeamsHtmlAttachmentSummary;
maxBytes: number;
allowHosts?: string[];
authAllowHosts?: string[];
tokenProvider: MSTeamsAccessTokenProvider;
conversationType: string;
conversationId: string;
@@ -46,6 +47,7 @@ export async function resolveMSTeamsInboundMedia(params: {
maxBytes,
tokenProvider,
allowHosts,
authAllowHosts: params.authAllowHosts,
preserveFilenames,
});
@@ -85,6 +87,7 @@ export async function resolveMSTeamsInboundMedia(params: {
tokenProvider,
maxBytes,
allowHosts,
authAllowHosts: params.authAllowHosts,
preserveFilenames,
});
attempts.push({

1
extensions/msteams/src/monitor-handler/message-handler.ts
View File

@@ -403,6 +403,7 @@ export function createMSTeamsMessageHandler(deps: MSTeamsMessageHandlerDeps) {
maxBytes: mediaMaxBytes,
tokenProvider,
allowHosts: msteamsCfg?.mediaAllowHosts,
authAllowHosts: msteamsCfg?.mediaAuthAllowHosts,
conversationType,
conversationId,
conversationMessageId: conversationMessageId ?? undefined,