Fix authenticated launcher anon removal in Teams hash-routed meeting URLs.

Remove anon from hash-query form (/_#/meet/...?...&anon=true) so auth sessions no longer drift into anon-like launch behavior. Made-with: Cursor
2026-02-27 10:13:00 +01:00 · 2026-02-27 10:13:00 +01:00 · 2ce93c58a5
commit 2ce93c58a5
parent 77ca96e23c
1 changed files with 27 additions and 8 deletions
--- a/src/bot/orchestrator.ts
+++ b/src/bot/orchestrator.ts
@ -120,6 +120,31 @@ export class BotOrchestrator {
    return null;
  }

+  /**
+   * Teams launcher commonly embeds meeting params in hash-routed paths:
+   *   /_#/meet/<id>?p=...&anon=true
+   * In this shape, "anon" is in the hash query (not URL.search).
+   */
+  private _stripAnonFromInnerMeetingUrl(innerUrlPath: string): string {
+    try {
+      const innerUrl = new URL(innerUrlPath, 'https://teams.microsoft.com');
+      innerUrl.searchParams.delete('anon');
+
+      const hash = innerUrl.hash || '';
+      if (hash.includes('?')) {
+        const [hashRoute, hashQuery] = hash.split('?', 2);
+        const hashParams = new URLSearchParams(hashQuery || '');
+        hashParams.delete('anon');
+        const cleanedHashQuery = hashParams.toString();
+        innerUrl.hash = cleanedHashQuery ? `${hashRoute}?${cleanedHashQuery}` : hashRoute;
+      }
+
+      return `${innerUrl.pathname}${innerUrl.search}${innerUrl.hash}`;
+    } catch {
+      return innerUrlPath;
+    }
+  }
+
  get sessionId(): string {
    return this._sessionId;
  }
@ -289,14 +314,8 @@ export class BotOrchestrator {
      // In auth mode that inner URL can still contain anon=true, which forces guest-like behavior.
      const encodedInnerUrl = urlObj.searchParams.get('url');
      if (encodedInnerUrl) {
-        try {
-          const inner = new URL(encodedInnerUrl, 'https://teams.microsoft.com');
-          inner.searchParams.delete('anon');
-          const innerPath = `${inner.pathname}${inner.search}${inner.hash}`;
-          urlObj.searchParams.set('url', innerPath);
-        } catch {
-          // keep original inner URL if parsing fails
-        }
+        const innerPath = this._stripAnonFromInnerMeetingUrl(encodedInnerUrl);
+        urlObj.searchParams.set('url', innerPath);
      }
      launchUrl = urlObj.toString();
    } catch { /* keep as-is */ }