fix(security): centralize dm/group allowlist auth composition

2026-05-09 09:47:40 +00:00 · 2026-02-26 16:35:18 +01:00
parent 7f863e22b0
commit 051fdcc428
8 changed files with 428 additions and 108 deletions
--- a/extensions/msteams/src/monitor-handler/message-handler.ts
+++ b/extensions/msteams/src/monitor-handler/message-handler.ts
@@ -146,18 +146,15 @@ export function createMSTeamsMessageHandler(deps: MSTeamsMessageHandlerDeps) {
    });
    const effectiveDmAllowFrom = resolvedAllowFromLists.effectiveAllowFrom;
    if (isDirectMessage && msteamsCfg) {
-      const allowFrom = dmAllowFrom;
-
      if (dmPolicy === "disabled") {
        log.debug?.("dropping dm (dms disabled)");
        return;
      }

      if (dmPolicy !== "open") {
-        const effectiveAllowFrom = [...allowFrom.map((v) => String(v)), ...storedAllowFrom];
        const allowNameMatching = isDangerousNameMatchingEnabled(msteamsCfg);
        const allowMatch = resolveMSTeamsAllowlistMatch({
-          allowFrom: effectiveAllowFrom,
+          allowFrom: effectiveDmAllowFrom,
          senderId,
          senderName,
          allowNameMatching,