disable auth: use system bot display name, do not send credentials to browser bot

Co-authored-by: Cursor <cursoragent@cursor.com>

modules/features/teamsbot/routeFeatureTeamsbot.py

@@ -196,46 +196,32 @@ async def startSession(
     userId = str(context.user.id)
     effectiveConfig = _getEffectiveConfig(instanceId, userId, interface)
 
-    # Determine effective join mode
+    # Determine effective join mode and bot name.
-    joinMode = body.joinMode
+    # NOTE: Authentication is currently disabled. The bot always joins as an anonymous
-    if not joinMode:
+    # guest with the system bot's display name. See Teamsbot-Auth-Join-Learnings.md.
-        # Default: check if a system bot exists for this mandate
+    # Credentials are NOT sent to the browser bot.
-        systemBot = interface.getActiveSystemBot(mandateId)
+    joinMode = body.joinMode or TeamsbotJoinMode.ANONYMOUS
-        if systemBot:
+    effectiveBotName = body.botName
-            joinMode = TeamsbotJoinMode.SYSTEM_BOT
-        elif effectiveConfig.botAccountEmail and effectiveConfig.botAccountPassword:
-            # Legacy fallback: credentials in config (will be removed in future)
-            joinMode = TeamsbotJoinMode.SYSTEM_BOT
-        else:
-            joinMode = TeamsbotJoinMode.ANONYMOUS
-    
-    # Resolve credentials based on join mode
-    effectiveEmail = None
-    effectivePassword = None
-    if joinMode == TeamsbotJoinMode.SYSTEM_BOT:
-        # First try: system bot from database (secure, encrypted)
-        systemBot = interface.getActiveSystemBot(mandateId)
-        if systemBot:
-            effectiveEmail = systemBot.get("email")
-            encPwd = systemBot.get("encryptedPassword")
-            if encPwd:
-                from modules.shared.configuration import handleSecretText
-                effectivePassword = handleSecretText(encPwd, userId="system", keyName="systemBotPassword")
-        
-        # Fallback: legacy credentials from config (will be deprecated)
-        if not effectiveEmail:
-            effectiveEmail = effectiveConfig.botAccountEmail
-            effectivePassword = effectiveConfig.botAccountPassword
-    elif joinMode == TeamsbotJoinMode.USER_ACCOUNT:
-        # TODO: Resolve OAuth token from user's Microsoft connection
-        logger.info(f"User account join mode requested but not yet implemented - falling back to anonymous")
-        joinMode = TeamsbotJoinMode.ANONYMOUS
-    # ANONYMOUS mode: no credentials
 
-    # Build session config with resolved credentials and user settings
+    # If a system bot exists, use its display name as the bot name (e.g. "Nyla Larsson")
+    systemBot = interface.getActiveSystemBot(mandateId)
+    if systemBot:
+        if not effectiveBotName:
+            effectiveBotName = systemBot.get("name") or effectiveConfig.botName
+        logger.info(f"System bot found: {systemBot.get('name')} ({systemBot.get('email')}), using name: {effectiveBotName}")
+    
+    if not effectiveBotName:
+        effectiveBotName = effectiveConfig.botName
+
+    # Update session with the effective bot name (may differ from initial creation)
+    if effectiveBotName != (body.botName or config.botName):
+        interface.updateSession(sessionId, {"botName": effectiveBotName})
+
+    # Build session config — no credentials sent (auth disabled)
     sessionConfig = effectiveConfig.model_copy(update={
-        "botAccountEmail": effectiveEmail,
+        "botAccountEmail": None,
-        "botAccountPassword": effectivePassword,
+        "botAccountPassword": None,
+        "botName": effectiveBotName,
     })
 
     # Start the bot in background (join meeting via bridge)