fix(msteams): add auth warning and restore unrelated pyproject change

Warn when validate_inbound_auth is disabled (default) so operators are aware the webhook accepts unverified requests. Restore pymupdf to the dev optional-dependencies group — its removal in the original PR was unrelated to the Teams channel feature.
2026-05-10 11:45:53 +00:00 · 2026-04-16 10:42:20 +08:00 · 2026-04-16 10:42:20 +08:00 · b48f497f8d
commit b48f497f8d
parent 2f3a37cf8e
2 changed files with 8 additions and 0 deletions
--- a/nanobot/channels/msteams.py
+++ b/nanobot/channels/msteams.py
@ -111,6 +111,13 @@ class MSTeamsChannel(BaseChannel):
            logger.error("MSTeams app_id/app_password not configured")
            return

+        if not self.config.validate_inbound_auth:
+            logger.warning(
+                "MSTeams inbound auth validation is DISABLED. "
+                "Anyone who knows the webhook URL can send messages as any user. "
+                "Set validateInboundAuth: true in config for production use."
+            )
+
        self._loop = asyncio.get_running_loop()
        self._http = httpx.AsyncClient(timeout=30.0)
        self._running = True
--- a/pyproject.toml
+++ b/pyproject.toml
@ -89,6 +89,7 @@ dev = [
    "aiohttp>=3.9.0,<4.0.0",
    "pytest-cov>=6.0.0,<7.0.0",
    "ruff>=0.1.0",
+    "pymupdf>=1.25.0",
 ]

 [project.scripts]