fix(msteams): bound service error bodies

vincentkoc · vincentkoc · commit a5eddb91bbd8 · 2026-05-28T15:22:03.000+02:00
diff --git a/extensions/msteams/src/graph-upload.test.ts b/extensions/msteams/src/graph-upload.test.ts
@@ -22,6 +22,15 @@ function expectGraphUploadFetch(fetchFn: ReturnType<typeof vi.fn>, expectedUrl:
   expect(init?.headers?.["User-Agent"]).toMatch(/^teams\.ts\[apps\]\/.+ OpenClaw\/.+$/);
 }
 
+function bodyOnlyErrorResponse(body: string, status = 500): Response {
+  return {
+    ok: false,
+    status,
+    headers: new Headers(),
+    body: new Response(body).body,
+  } as unknown as Response;
+}
+
 describe("graph upload helpers", () => {
   const tokenProvider = {
     getAccessToken: vi.fn(async () => "graph-token"),
@@ -107,6 +116,31 @@ describe("graph upload helpers", () => {
       }),
     ).rejects.toThrow("SharePoint upload response missing required fields");
   });
+
+  it("bounds upload error bodies without requiring response.text()", async () => {
+    const fetchFn = vi.fn(async () =>
+      bodyOnlyErrorResponse(`${"upload-denied ".repeat(4096)}tail-marker`, 413),
+    );
+
+    let error: unknown;
+    try {
+      await uploadToSharePoint({
+        buffer: Buffer.from("world"),
+        filename: "large.txt",
+        siteId: "site-123",
+        tokenProvider,
+        fetchFn: fetchFn as unknown as typeof fetch,
+      });
+    } catch (caught) {
+      error = caught;
+    }
+
+    expect(error).toBeInstanceOf(Error);
+    const message = (error as Error).message;
+    expect(message).toContain("SharePoint upload failed (413): upload-denied");
+    expect(message).not.toContain("tail-marker");
+    expect(message.length).toBeLessThan(700);
+  });
 });
 
 describe("resolveGraphChatId", () => {
diff --git a/extensions/msteams/src/graph-upload.ts b/extensions/msteams/src/graph-upload.ts
@@ -10,6 +10,7 @@
  */
 
 import type { MSTeamsAccessTokenProvider } from "./attachments/types.js";
+import { createMSTeamsHttpError } from "./http-error.js";
 import { buildUserAgent } from "./user-agent.js";
 
 const GRAPH_ROOT = "https://graph.microsoft.com/v1.0";
@@ -50,8 +51,7 @@ export async function uploadToOneDrive(params: {
   });
 
   if (!res.ok) {
-    const body = await res.text().catch(() => "");
-    throw new Error(`OneDrive upload failed: ${res.status} ${res.statusText} - ${body}`);
+    throw await createMSTeamsHttpError(res, "OneDrive upload failed");
   }
 
   const data = (await res.json()) as {
@@ -103,8 +103,7 @@ async function createSharingLink(params: {
   });
 
   if (!res.ok) {
-    const body = await res.text().catch(() => "");
-    throw new Error(`Create sharing link failed: ${res.status} ${res.statusText} - ${body}`);
+    throw await createMSTeamsHttpError(res, "Create sharing link failed");
   }
 
   const data = (await res.json()) as {
@@ -198,8 +197,7 @@ export async function uploadToSharePoint(params: {
   );
 
   if (!res.ok) {
-    const body = await res.text().catch(() => "");
-    throw new Error(`SharePoint upload failed: ${res.status} ${res.statusText} - ${body}`);
+    throw await createMSTeamsHttpError(res, "SharePoint upload failed");
   }
 
   const data = (await res.json()) as {
@@ -259,8 +257,7 @@ export async function getDriveItemProperties(params: {
   );
 
   if (!res.ok) {
-    const body = await res.text().catch(() => "");
-    throw new Error(`Get driveItem properties failed: ${res.status} ${res.statusText} - ${body}`);
+    throw await createMSTeamsHttpError(res, "Get driveItem properties failed");
   }
 
   const data = (await res.json()) as {
@@ -371,8 +368,7 @@ async function getChatMembers(params: {
   });
 
   if (!res.ok) {
-    const body = await res.text().catch(() => "");
-    throw new Error(`Get chat members failed: ${res.status} ${res.statusText} - ${body}`);
+    throw await createMSTeamsHttpError(res, "Get chat members failed");
   }
 
   const data = (await res.json()) as {
@@ -436,10 +432,7 @@ async function createSharePointSharingLink(params: {
   );
 
   if (!res.ok) {
-    const respBody = await res.text().catch(() => "");
-    throw new Error(
-      `Create SharePoint sharing link failed: ${res.status} ${res.statusText} - ${respBody}`,
-    );
+    throw await createMSTeamsHttpError(res, "Create SharePoint sharing link failed");
   }
 
   const data = (await res.json()) as {
diff --git a/extensions/msteams/src/graph.ts b/extensions/msteams/src/graph.ts
@@ -5,6 +5,7 @@ import { GRAPH_ROOT } from "./attachments/shared.js";
 const GRAPH_BETA = "https://graph.microsoft.com/beta";
 const NULL_BODY_STATUSES = new Set([101, 204, 205, 304]);
 import { createMSTeamsTokenProvider, loadMSTeamsSdkWithAuth } from "./sdk.js";
+import { createMSTeamsHttpError } from "./http-error.js";
 import { readAccessToken } from "./token-response.js";
 import { resolveDelegatedAccessToken, resolveMSTeamsCredentials } from "./token.js";
 import { buildUserAgent } from "./user-agent.js";
@@ -65,9 +66,9 @@ async function requestGraph(params: {
   });
   try {
     if (!response.ok) {
-      const text = await response.text().catch(() => "");
-      throw new Error(
-        `${params.errorPrefix ?? "Graph"} ${params.path} failed (${response.status}): ${text || "unknown error"}`,
+      throw await createMSTeamsHttpError(
+        response,
+        `${params.errorPrefix ?? "Graph"} ${params.path} failed`,
       );
     }
     const body = NULL_BODY_STATUSES.has(response.status) ? null : await response.arrayBuffer();
@@ -131,10 +132,7 @@ export async function fetchGraphAbsoluteUrl<T>(params: {
   });
   try {
     if (!response.ok) {
-      const text = await response.text().catch(() => "");
-      throw new Error(
-        `Graph ${params.url} failed (${response.status}): ${text || "unknown error"}`,
-      );
+      throw await createMSTeamsHttpError(response, `Graph ${params.url} failed`);
     }
     return await readProviderJsonResponse<T>(response, `Graph ${params.url} failed`);
   } finally {
diff --git a/extensions/msteams/src/http-error.test.ts b/extensions/msteams/src/http-error.test.ts
@@ -0,0 +1,36 @@
+import { describe, expect, it } from "vitest";
+import { createMSTeamsHttpError, readMSTeamsHttpErrorDetail } from "./http-error.js";
+
+function bodyOnlyErrorResponse(body: string, status = 429): Response {
+  return {
+    ok: false,
+    status,
+    headers: new Headers(),
+    body: new Response(body).body,
+  } as unknown as Response;
+}
+
+describe("msteams http errors", () => {
+  it("creates bounded provider errors without relying on response.text()", async () => {
+    const error = await createMSTeamsHttpError(
+      bodyOnlyErrorResponse(`${"x".repeat(24 * 1024)}tail-marker`),
+      "Teams request failed",
+    );
+
+    expect(error.message).toContain("Teams request failed (429):");
+    expect(error.message).not.toContain("tail-marker");
+    expect(error.message.length).toBeLessThan(700);
+    expect((error as { statusCode?: number }).statusCode).toBe(429);
+  });
+
+  it("returns a bounded response detail for non-throwing callers", async () => {
+    const detail = await readMSTeamsHttpErrorDetail(
+      bodyOnlyErrorResponse(`${"denied ".repeat(4096)}tail-marker`, 403),
+      "HTTP 403",
+    );
+
+    expect(detail).toContain("denied");
+    expect(detail).not.toContain("tail-marker");
+    expect(detail.length).toBeLessThan(700);
+  });
+});
diff --git a/extensions/msteams/src/http-error.ts b/extensions/msteams/src/http-error.ts
@@ -0,0 +1,19 @@
+import {
+  createProviderHttpError,
+  extractProviderErrorDetail,
+} from "openclaw/plugin-sdk/provider-http";
+
+export async function createMSTeamsHttpError(
+  response: Response,
+  label: string,
+  options?: { statusPrefix?: string },
+): Promise<Error> {
+  return await createProviderHttpError(response, label, options);
+}
+
+export async function readMSTeamsHttpErrorDetail(
+  response: Response,
+  fallback: string,
+): Promise<string> {
+  return (await extractProviderErrorDetail(response).catch(() => undefined)) ?? fallback;
+}
diff --git a/extensions/msteams/src/monitor-handler.sso.test.ts b/extensions/msteams/src/monitor-handler.sso.test.ts
@@ -127,13 +127,12 @@ function createFakeFetch(handlers: Array<(url: string, init?: unknown) => unknow
       status: number;
       body: unknown;
     };
-    return {
-      ok: response.ok,
+    const responseBody = response.body;
+    const isTextBody = typeof responseBody === "string";
+    return new Response(isTextBody ? responseBody : JSON.stringify(responseBody ?? ""), {
       status: response.status,
-      json: async () => response.body,
-      text: async () =>
-        typeof response.body === "string" ? response.body : JSON.stringify(response.body ?? ""),
-    };
+      headers: { "content-type": isTextBody ? "text/plain" : "application/json" },
+    });
   };
   return { fetchImpl, calls };
 }
diff --git a/extensions/msteams/src/oauth.token.ts b/extensions/msteams/src/oauth.token.ts
@@ -7,6 +7,7 @@ import {
   buildMSTeamsTokenEndpoint,
   type MSTeamsDelegatedTokens,
 } from "./oauth.shared.js";
+import { createMSTeamsHttpError } from "./http-error.js";
 
 /** Five-minute buffer subtracted from token expiry to avoid edge-case clock drift. */
 const EXPIRY_BUFFER_MS = 5 * 60 * 1000;
@@ -63,8 +64,7 @@ async function fetchMSTeamsTokens(params: {
 
   try {
     if (!response.ok) {
-      const errorText = await response.text();
-      throw new Error(`MSTeams ${params.failureLabel} failed (${response.status}): ${errorText}`);
+      throw await createMSTeamsHttpError(response, `MSTeams ${params.failureLabel} failed`);
     }
     return await readProviderJsonResponse<MSTeamsTokenResponse>(
       response,
diff --git a/extensions/msteams/src/sdk.ts b/extensions/msteams/src/sdk.ts
@@ -10,6 +10,7 @@ import {
   tryNormalizeBotFrameworkServiceUrl,
 } from "./bot-framework-service-url.js";
 import { formatUnknownError } from "./errors.js";
+import { createMSTeamsHttpError } from "./http-error.js";
 import type { MSTeamsAdapter } from "./messenger.js";
 import type { MSTeamsCredentials, MSTeamsFederatedCredentials } from "./token.js";
 import { buildUserAgent } from "./user-agent.js";
@@ -491,9 +492,8 @@ async function updateActivityViaRest(params: {
 
   try {
     if (!response.ok) {
-      const body = await response.text().catch(() => "");
-      throw Object.assign(new Error(`updateActivity failed: HTTP ${response.status} ${body}`), {
-        statusCode: response.status,
+      throw await createMSTeamsHttpError(response, "updateActivity failed", {
+        statusPrefix: "HTTP ",
       });
     }
 
@@ -538,9 +538,8 @@ async function deleteActivityViaRest(params: {
 
   try {
     if (!response.ok) {
-      const body = await response.text().catch(() => "");
-      throw Object.assign(new Error(`deleteActivity failed: HTTP ${response.status} ${body}`), {
-        statusCode: response.status,
+      throw await createMSTeamsHttpError(response, "deleteActivity failed", {
+        statusPrefix: "HTTP ",
       });
     }
   } finally {
diff --git a/extensions/msteams/src/sso.ts b/extensions/msteams/src/sso.ts
@@ -25,6 +25,7 @@
  */
 
 import type { MSTeamsAccessTokenProvider } from "./attachments/types.js";
+import { readMSTeamsHttpErrorDetail } from "./http-error.js";
 import type { MSTeamsSsoTokenStore } from "./sso-token-store.js";
 import { buildUserAgent } from "./user-agent.js";
 
@@ -49,17 +50,8 @@ type BotFrameworkUserTokenResponse = {
 
 export type MSTeamsSsoFetch = (
   input: string,
-  init?: {
-    method?: string;
-    headers?: Record<string, string>;
-    body?: string;
-  },
-) => Promise<{
-  ok: boolean;
-  status: number;
-  json(): Promise<unknown>;
-  text(): Promise<string>;
-}>;
+  init?: RequestInit,
+) => Promise<Response>;
 
 export type MSTeamsSsoDeps = {
   tokenProvider: MSTeamsAccessTokenProvider;
@@ -162,8 +154,8 @@ async function callUserTokenService(
     body: params.body === undefined ? undefined : JSON.stringify(params.body),
   });
   if (!response.ok) {
-    const text = await response.text().catch(() => "");
-    return { error: text || `HTTP ${response.status}`, status: response.status };
+    const error = await readMSTeamsHttpErrorDetail(response, `HTTP ${response.status}`);
+    return { error, status: response.status };
   }
   let parsed: unknown;
   try {
diff --git a/src/agents/provider-http-errors.test.ts b/src/agents/provider-http-errors.test.ts
@@ -39,6 +39,45 @@ describe("provider error utils", () => {
     expect(extractProviderRequestId(response)).toBe("fallback_req");
   });
 
+  it("preserves OAuth error descriptions as actionable details", async () => {
+    const response = new Response(
+      JSON.stringify({
+        error: "invalid_request",
+        error_description: "AADSTS7000215: Invalid client secret provided.",
+      }),
+      { status: 400 },
+    );
+
+    await expect(assertOkOrThrowProviderError(response, "OAuth token exchange failed")).rejects
+      .toThrow(
+        "OAuth token exchange failed (400): AADSTS7000215: Invalid client secret provided. [code=invalid_request]",
+      );
+  });
+
+  it("keeps HTTP status metadata when error body reads fail", async () => {
+    const response = {
+      ok: false,
+      status: 503,
+      headers: new Headers(),
+      body: {
+        getReader: () => ({
+          read: async () => {
+            throw new Error("broken response stream");
+          },
+          cancel: async () => undefined,
+        }),
+      },
+    } as unknown as Response;
+
+    await expect(assertOkOrThrowProviderError(response, "Provider API error")).rejects
+      .toMatchObject({
+        name: "ProviderHttpError",
+        status: 503,
+        statusCode: 503,
+        message: "Provider API error (503)",
+      } satisfies Partial<ProviderHttpError>);
+  });
+
   it("attaches structured provider error metadata", async () => {
     const response = new Response(
       JSON.stringify({
diff --git a/src/agents/provider-http-errors.ts b/src/agents/provider-http-errors.ts
