From f74393276827e0dbbccc81c94cc52f0bcf21b074 Mon Sep 17 00:00:00 2001
From: patrick-motsch <p.motsch@valueon.ch>
Date: Tue, 17 Feb 2026 00:03:01 +0100
Subject: [PATCH] fix: fallback to any active system bot if mandate mismatch,
 add credentialDebug to response

Co-authored-by: Cursor <cursoragent@cursor.com>
---
 .../features/teamsbot/routeFeatureTeamsbot.py | 30 +++++++++++++++----
 1 file changed, 25 insertions(+), 5 deletions(-)

diff --git a/modules/features/teamsbot/routeFeatureTeamsbot.py b/modules/features/teamsbot/routeFeatureTeamsbot.py
index 1d0a5cb8..f83fc5d6 100644
--- a/modules/features/teamsbot/routeFeatureTeamsbot.py
+++ b/modules/features/teamsbot/routeFeatureTeamsbot.py
@@ -731,20 +731,39 @@ async def testAuth(
     # Load system bot credentials for the auth test variant
     email = None
     password = None
+    credentialDebug = {"mandateId": mandateId, "botFound": False, "botEmail": None, "botMandateId": None, "searchStrategy": "byMandate"}
+
     systemBot = interface.getActiveSystemBot(mandateId)
+
+    # Fallback: if no bot found for this mandate, search ALL system bots
+    if not systemBot:
+        logger.info(f"[test-auth] No bot for mandate {mandateId}, searching all system bots...")
+        credentialDebug["searchStrategy"] = "allBots"
+        allBots = interface.db.getRecordset(TeamsbotSystemBot, recordFilter={"isActive": True})
+        if allBots:
+            systemBot = allBots[0]
+            credentialDebug["allBotsCount"] = len(allBots)
+            credentialDebug["botMandateId"] = systemBot.get("mandateId")
+            logger.info(f"[test-auth] Found {len(allBots)} active bot(s), using first: {systemBot.get('email')} (mandate={systemBot.get('mandateId')})")
+
     if systemBot:
         email = systemBot.get("email")
         encryptedPwd = systemBot.get("encryptedPassword")
-        logger.info(f"[test-auth] System bot found: email={email}, hasEncryptedPwd={bool(encryptedPwd)}")
+        credentialDebug["botFound"] = True
+        credentialDebug["botEmail"] = email
+        logger.info(f"[test-auth] System bot: email={email}, hasEncryptedPwd={bool(encryptedPwd)}")
         if encryptedPwd:
             try:
                 from modules.shared.configuration import decryptValue
                 password = decryptValue(encryptedPwd, userId=str(context.user.id), keyName="systemBotPassword")
-                logger.info(f"[test-auth] Password decrypted successfully, length={len(password) if password else 0}")
+                credentialDebug["passwordDecrypted"] = True
+                logger.info(f"[test-auth] Password decrypted, length={len(password) if password else 0}")
             except Exception as e:
+                credentialDebug["passwordError"] = str(e)
                 logger.error(f"[test-auth] Password decryption failed: {e}")
     else:
-        logger.warn(f"[test-auth] No active system bot found for mandate {mandateId}")
+        logger.warning(f"[test-auth] No active system bot found anywhere")
+        credentialDebug["searchStrategy"] = "noneFound"
 
     # Forward to browser bot service
     browserBotUrl = effectiveConfig._getEffectiveBrowserBotUrl()
@@ -759,12 +778,13 @@ async def testAuth(
     }
 
     try:
-        # Generous timeout: 5 variants × ~45s each = ~225s max
         timeout = aiohttp.ClientTimeout(total=300)
         async with aiohttp.ClientSession(timeout=timeout) as session:
             async with session.post(f"{browserBotUrl}/api/bot/test-auth", json=payload) as resp:
                 if resp.status == 200:
-                    return await resp.json()
+                    result = await resp.json()
+                    result["credentialDebug"] = credentialDebug
+                    return result
                 else:
                     errorText = await resp.text()
                     logger.error(f"Auth test failed: {resp.status} - {errorText}")