From dfc169d31db285f70df1e31cac77b08130ea062c Mon Sep 17 00:00:00 2001 From: heyitsaamir Date: Tue, 5 May 2026 20:56:13 +0000 Subject: [PATCH] fix(msteams): allow Bearer-token retry on Skype CDN attachment downloads MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Teams puts inline DM images and clipboard-pasted images on *.asm.skype.com URLs (e.g. us-api.asm.skype.com/v1/objects//views/imgo). The download path in attachments/download.ts already does a plain GET first and falls back to a Bearer-token retry on 401/403 — but the retry was gated on the URL being in DEFAULT_MEDIA_AUTH_HOST_ALLOWLIST. asm.skype.com hosts were in DEFAULT_MEDIA_HOST_ALLOWLIST (download permitted) but not in the auth-host list, so a 401 plain-GET response skipped the retry and surfaced as a missing image to the agent. Add asm.skype.com and ams.skype.com to the auth allowlist so openclaw attempts the Bearer-token retry consistently, matching how it treats the other CDN/Bot-Framework hosts already in the list. Note: this does not unblock all clipboard-pasted DM images — for at least some tenants asm.skype.com rejects the Bot Framework token (returns 401 even with auth). Routing those URLs through /v3/attachments/... the way #62219 already handles HTML-wrapped attachments is a separate follow-up. The +button 'Upload from this device' path works today because Teams generates an attachment with an HTML wrapper that triggers the existing BF v3 attachments fallback in monitor-handler/inbound-media.ts. --- extensions/msteams/src/attachments/shared.ts | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/extensions/msteams/src/attachments/shared.ts b/extensions/msteams/src/attachments/shared.ts index b970116ec11..ff379588a08 100644 --- a/extensions/msteams/src/attachments/shared.ts +++ b/extensions/msteams/src/attachments/shared.ts 
@@ -71,8 +71,16 @@ const DEFAULT_MEDIA_AUTH_HOST_ALLOWLIST = [ "api.botframework.com", "botframework.com", // Bot Framework Service URL (smba.trafficmanager.net) used for outbound - // replies and inbound attachment downloads (clipboard-pasted images). + // replies and the BF v3 attachments proxy. "smba.trafficmanager.net", + // Skype/ASM CDN — Teams puts clipboard-pasted images and inline DM images + // directly on `*.asm.skype.com` URLs (e.g. `us-api.asm.skype.com/v1/objects/.../views/imgo`). + // The endpoint requires auth and accepts Bot Framework tokens for bot + // conversation attachments. Without these hosts in the auth-allowlist, + // openclaw's auth-fallback skips the retry and the plain GET 401 surfaces + // as a missing image to the agent. + "asm.skype.com", + "ams.skype.com", "graph.microsoft.com", "graph.microsoft.us", "graph.microsoft.de",
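Review bot: the new comment above `"asm.skype.com"` says the endpoint "accepts Bot Framework tokens for bot conversation attachments", but the commit message reports that for at least some tenants asm.skype.com returns 401 even with auth, so the comment should be qualified (for example "may accept") and mention the known-rejecting case. On the same two added entries: `"ams.skype.com"` is added next to it, yet the comment and the commit message give evidence only for `*.asm.skype.com` URLs. Every entry in DEFAULT_MEDIA_AUTH_HOST_ALLOWLIST is a host that will be sent the Bearer token on a 401/403 retry, so either document where ams.skype.com attachment URLs are observed or drop that entry. The patch changes only shared.ts; please add a test showing that a 401 from an asm.skype.com attachment URL now triggers the authenticated retry, and one showing that a host which merely contains the string without being a subdomain of it does not receive the token, since the comment implies subdomain matching and the matching code is not visible in this hunk.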