From b48f497f8db853341e453228c0e326a0e39ea36b Mon Sep 17 00:00:00 2001
From: chengyongru
Date: Thu, 16 Apr 2026 10:42:20 +0800
Subject: [PATCH] fix(msteams): add auth warning and restore unrelated pyproject change
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Warn when validate_inbound_auth is disabled (default) so operators are aware the webhook accepts unverified requests. Restore pymupdf to the dev optional-dependencies group — its removal in the original PR was unrelated to the Teams channel feature.
---
 nanobot/channels/msteams.py | 7 +++++++
 pyproject.toml | 1 +
 2 files changed, 8 insertions(+)

diff --git a/nanobot/channels/msteams.py b/nanobot/channels/msteams.py
index d73ed53e3..2987b03f8 100644
--- a/nanobot/channels/msteams.py
+++ b/nanobot/channels/msteams.py
@@ -111,6 +111,13 @@ class MSTeamsChannel(BaseChannel):
 logger.error("MSTeams app_id/app_password not configured")
 return
+ if not self.config.validate_inbound_auth:
+ logger.warning(
+ "MSTeams inbound auth validation is DISABLED. "
+ "Anyone who knows the webhook URL can send messages as any user. "
+ "Set validateInboundAuth: true in config for production use."
+ )
+
 self._loop = asyncio.get_running_loop()
 self._http = httpx.AsyncClient(timeout=30.0)
 self._running = True
diff --git a/pyproject.toml b/pyproject.toml
index cb3f37d47..bb6ce1265 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -89,6 +89,7 @@ dev = [
 "aiohttp>=3.9.0,<4.0.0",
 "pytest-cov>=6.0.0,<7.0.0",
 "ruff>=0.1.0",
+ "pymupdf>=1.25.0",
 ]
 [project.scripts]
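Review bot: The added check in `nanobot/channels/msteams.py` only logs when `validate_inbound_auth` is false and then goes on to create the HTTP client and set `_running`, so the channel still starts fail-open on what the commit message calls the default setting. A single startup warning is easy to lose in aggregated logs; consider making validation the default and treating the disabled state as an explicit opt-out, which would be a change to the config model outside this hunk. If the default must stay for compatibility, a comment above the check such as `# Fail-open by default: inbound requests are not authenticated unless validate_inbound_auth is set.` would make the trade-off visible to the next reader. The log text names the key `validateInboundAuth` while the attribute is `validate_inbound_auth`; presumably the config accepts a camelCase alias, but that is worth confirming so the hint matches what operators actually type. The enclosing method starts and ends outside the hunk.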