From 3f9d7916884b90e08caad68723be1a788134f653 Mon Sep 17 00:00:00 2001
From: patrick-motsch
Date: Mon, 16 Feb 2026 20:37:09 +0100
Subject: [PATCH] disable auth: use system bot display name, do not send
credentials to browser bot
Co-authored-by: Cursor
---
.../features/teamsbot/routeFeatureTeamsbot.py | 62 +++++++------------
1 file changed, 24 insertions(+), 38 deletions(-)
diff --git a/modules/features/teamsbot/routeFeatureTeamsbot.py b/modules/features/teamsbot/routeFeatureTeamsbot.py
index 575094bf..7491e132 100644
--- a/modules/features/teamsbot/routeFeatureTeamsbot.py
+++ b/modules/features/teamsbot/routeFeatureTeamsbot.py
@@ -196,46 +196,32 @@ async def startSession(
userId = str(context.user.id)
effectiveConfig = _getEffectiveConfig(instanceId, userId, interface)
- # Determine effective join mode
- joinMode = body.joinMode
- if not joinMode:
- # Default: check if a system bot exists for this mandate
- systemBot = interface.getActiveSystemBot(mandateId)
- if systemBot:
- joinMode = TeamsbotJoinMode.SYSTEM_BOT
- elif effectiveConfig.botAccountEmail and effectiveConfig.botAccountPassword:
- # Legacy fallback: credentials in config (will be removed in future)
- joinMode = TeamsbotJoinMode.SYSTEM_BOT
- else:
- joinMode = TeamsbotJoinMode.ANONYMOUS
-
- # Resolve credentials based on join mode
- effectiveEmail = None
- effectivePassword = None
- if joinMode == TeamsbotJoinMode.SYSTEM_BOT:
- # First try: system bot from database (secure, encrypted)
- systemBot = interface.getActiveSystemBot(mandateId)
- if systemBot:
- effectiveEmail = systemBot.get("email")
- encPwd = systemBot.get("encryptedPassword")
- if encPwd:
- from modules.shared.configuration import handleSecretText
- effectivePassword = handleSecretText(encPwd, userId="system", keyName="systemBotPassword")
-
- # Fallback: legacy credentials from config (will be deprecated)
- if not effectiveEmail:
- effectiveEmail = effectiveConfig.botAccountEmail
- effectivePassword = effectiveConfig.botAccountPassword
- elif joinMode == TeamsbotJoinMode.USER_ACCOUNT:
- # TODO: Resolve OAuth token from user's Microsoft connection
- logger.info(f"User account join mode requested but not yet implemented - falling back to anonymous")
- joinMode = TeamsbotJoinMode.ANONYMOUS
- # ANONYMOUS mode: no credentials
+ # Determine effective join mode and bot name.
+ # NOTE: Authentication is currently disabled. The bot always joins as an anonymous
+ # guest with the system bot's display name. See Teamsbot-Auth-Join-Learnings.md.
+ # Credentials are NOT sent to the browser bot.
+ joinMode = body.joinMode or TeamsbotJoinMode.ANONYMOUS
+ effectiveBotName = body.botName
- # Build session config with resolved credentials and user settings
+ # If a system bot exists, use its display name as the bot name (e.g. "Nyla Larsson")
+ systemBot = interface.getActiveSystemBot(mandateId)
+ if systemBot:
+ if not effectiveBotName:
+ effectiveBotName = systemBot.get("name") or effectiveConfig.botName
+ logger.info(f"System bot found: {systemBot.get('name')} ({systemBot.get('email')}), using name: {effectiveBotName}")
+
+ if not effectiveBotName:
+ effectiveBotName = effectiveConfig.botName
+
+ # Update session with the effective bot name (may differ from initial creation)
+ if effectiveBotName != (body.botName or config.botName):
+ interface.updateSession(sessionId, {"botName": effectiveBotName})
+
+ # Build session config — no credentials sent (auth disabled)
sessionConfig = effectiveConfig.model_copy(update={
- "botAccountEmail": effectiveEmail,
- "botAccountPassword": effectivePassword,
+ "botAccountEmail": None,
+ "botAccountPassword": None,
+ "botName": effectiveBotName,
})
# Start the bot in background (join meeting via bridge)
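Review bot: `joinMode = body.joinMode or TeamsbotJoinMode.ANONYMOUS` still honours a caller-supplied SYSTEM_BOT or USER_ACCOUNT value, which contradicts the comment directly above it that the bot always joins as an anonymous guest; the removed code at least downgraded USER_ACCOUNT to ANONYMOUS. If `joinMode` is forwarded to the bridge (that use is outside the hunk), the bridge would receive an authenticated mode with `botAccountEmail` and `botAccountPassword` set to None. While auth is disabled I would pin it with `joinMode = TeamsbotJoinMode.ANONYMOUS` and log when `body.joinMode` requested something else. Separately, the new `logger.info` call writes the system bot's account email to the application log on every session start; the display name is enough there, e.g. `logger.info("System bot found, using name: %s", effectiveBotName)`. startSession begins and continues outside the hunk, including wherever `config` in the `updateSession` comparison is defined, so that name could not be checked here.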