[msteams] Inbound file attachments silently fail in DMs — file.download.info downloadUrl not rewritten to Graph shares endpoint

[cwatts-sage]

Bug type

Regression (worked before, now fails silently)

Summary

When a user sends a file attachment (drag-and-drop or attach from device) in a 1:1 Teams DM with the bot, the file is not downloaded. The agent receives a <media:document> (2 files) placeholder but no actual file content. No errors are logged — all failures are silently swallowed by catch {} blocks.

Steps to reproduce

1. Configure OpenClaw with msteams channel (Bot Framework, single tenant)
2. Set mediaAllowHosts: ["*"] and mediaAuthAllowHosts: ["*"]
3. In a 1:1 Teams DM with the bot, drag-and-drop a file (e.g. PDF, DOCX, XLSX)
4. Agent receives <media:document> placeholder text only — no file path, no file content
5. No new files appear in ~/.openclaw/media/inbound/

Root cause

In resolveDownloadCandidate() (extensions/msteams/src/attachments/download.ts), when the attachment has contentType === "application/vnd.microsoft.teams.file.download.info", the code extracts content.downloadUrl and uses it directly as the download URL.

This downloadUrl is a *.sharepoint.com URL (e.g. https://tenant-my.sharepoint.com/personal/user/Documents/file.pdf?...) that requires an authenticated session with SharePoint/Graph permissions.

The download flow then:

1. fetchWithAuthFallback → unauthenticated fetch → 401/403
2. Retry with Bot Framework token (https://api.botframework.com scope) → still 401 (token lacks SharePoint permissions)
3. Silent catch {} in downloadMSTeamsAttachments → returns empty array
4. Agent gets placeholder text only

Why the recent fix (PR #63942) does not cover this

PR #63942 (merged Apr 10, included in v2026.4.10) correctly rewrites SharePoint/OneDrive URLs via tryBuildGraphSharesUrlForSharedLink() — but only for the contentUrl path in resolveDownloadCandidate():

// contentUrl path — HAS the fix ✅
const sharesUrl = tryBuildGraphSharesUrlForSharedLink(contentUrl);
return { url: sharesUrl ?? contentUrl, ... };

The file.download.info branch returns content.downloadUrl directly without applying the same rewrite:

// file.download.info path — MISSING the fix ❌
if (contentType === "application/vnd.microsoft.teams.file.download.info") {
    const downloadUrl = att.content.downloadUrl;
    return { url: downloadUrl, ... };  // Raw SharePoint URL, no rewrite
}

Proposed fix

Apply tryBuildGraphSharesUrlForSharedLink() to downloadUrl in the file.download.info branch of resolveDownloadCandidate():

if (contentType === "application/vnd.microsoft.teams.file.download.info") {
    const downloadUrl = att.content.downloadUrl;
    const sharesUrl = tryBuildGraphSharesUrlForSharedLink(downloadUrl);
    return { url: sharesUrl ?? downloadUrl, fileHint, ... };
}

This ensures the SharePoint download URL is rewritten to graph.microsoft.com/v1.0/shares/{shareId}/driveItem/content, which the existing fetchWithAuthFallback can authenticate via the Graph scope token.

Additional issue: silent error swallowing

All catch {} blocks in the attachment download chain (downloadMSTeamsAttachments, downloadMSTeamsBotFrameworkAttachment, downloadAndStoreMSTeamsRemoteMedia) silently swallow errors and return empty results. This makes debugging impossible — there is zero log output when file downloads fail. Consider adding log.debug calls in these catch blocks.

Environment

• OpenClaw version: 2026.4.10 (44e5b62)
• Channel: msteams (Bot Framework, single tenant)
• Config: mediaAllowHosts: ["*"], mediaAuthAllowHosts: ["*"]
• Conversation type: 1:1 DM (conversation ID starts with a:)
• SharePoint connectivity: confirmed reachable from container (DNS resolves, HTTPS connects)

Related issues

• [msteams] Inbound media from OneDrive/SharePoint shared links fails — graph media fetch empty #55383 — [msteams] Inbound media from OneDrive/SharePoint shared links fails (closed, fix in PR fix(msteams): fetch OneDrive/SharePoint shared media via Graph shares endpoint (#55383) #63942 — same root cause, incomplete fix)
• fix(msteams): fetch OneDrive/SharePoint shared media via Graph shares endpoint (#55383) #63942 — fix(msteams): fetch OneDrive/SharePoint shared media via Graph shares endpoint (merged Apr 10 — only fixes contentUrl, not downloadUrl)
• MSTeams: Image attachments not downloaded in bot DM chats (3 bugs) #24797 — MSTeams: Image attachments not downloaded in bot DM chats (closed)
• [msteams] Inline image downloads fail in 1:1 chats — inbound media uses bot adapter token instead of MSAL Graph token #28014 — [msteams] Inline image downloads fail in 1:1 chats (closed as not planned)

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Summary
Keep open: current main still sends file.download.info content.downloadUrl values to the raw SharePoint/OneDrive URL path, while the existing Graph shares rewrite only covers contentUrl attachments.

Reproducibility: yes. A focused current-main unit reproduction can pass a file.download.info attachment with a SharePoint content.downloadUrl and a fetch mock that only succeeds for graph.microsoft.com/v1.0/shares/...; source inspection shows current main will fetch the raw URL instead.

Next step
This is a narrow, valid msteams bug with a clear file boundary, existing helper, and focused regression-test shape.

Review details

Best possible solution:

Apply the existing Graph shares rewrite to downloadUrl inside the file.download.info branch, preserve the current allowlist/auth fallback behavior, add a focused regression test, and include a user-facing changelog entry.

Do we have a high-confidence way to reproduce the issue?

Yes. A focused current-main unit reproduction can pass a file.download.info attachment with a SharePoint content.downloadUrl and a fetch mock that only succeeds for graph.microsoft.com/v1.0/shares/...; source inspection shows current main will fetch the raw URL instead.

Is this the best way to solve the issue?

Yes. Reusing tryBuildGraphSharesUrlForSharedLink(downloadUrl) at the early file.download.info return is the narrowest maintainable fix; the broader DM media issue should remain separate.

Acceptance criteria:

• pnpm test extensions/msteams/src/attachments.test.ts
• pnpm test extensions/msteams/src/attachments/shared.test.ts
• pnpm exec oxfmt --check --threads=1 extensions/msteams/src/attachments/download.ts extensions/msteams/src/attachments.test.ts CHANGELOG.md
• pnpm check:changed in Testbox before handoff

What I checked:

• Raw downloadUrl branch remains: resolveDownloadCandidate() special-cases application/vnd.microsoft.teams.file.download.info, reads att.content.downloadUrl, and returns url: downloadUrl without applying tryBuildGraphSharesUrlForSharedLink(). (extensions/msteams/src/attachments/download.ts:40, d583662fd905)
• Existing rewrite is only on contentUrl path: The Graph shares rewrite runs after the early file.download.info return, so it is unreachable for content.downloadUrl attachments. (extensions/msteams/src/attachments/download.ts:76, d583662fd905)
• Helper already provides the needed endpoint: tryBuildGraphSharesUrlForSharedLink() detects SharePoint/OneDrive shared-link hosts and builds https://graph.microsoft.com/v1.0/shares/{shareId}/driveItem/content. (extensions/msteams/src/attachments/shared.ts:175, d583662fd905)
• Regression coverage misses downloadUrl: The file.download.info test uses a normal download URL, while the Graph shares tests exercise contentType: "reference" with contentUrl, not content.downloadUrl. (extensions/msteams/src/attachments.test.ts:292, d583662fd905)
• Docs define this as supported behavior: The msteams docs say personal DM file attachments work with RSC only and Graph permissions add SharePoint/OneDrive attachment downloads. Public docs: docs/channels/msteams.md. (docs/channels/msteams.md:617, d583662fd905)
• Prior related fix scope: Commit 4fc5016 from PR fix(msteams): fetch OneDrive/SharePoint shared media via Graph shares endpoint (#55383) #63942 added the Graph shares helper and contentUrl/reference coverage for [msteams] Inbound media from OneDrive/SharePoint shared links fails — graph media fetch empty #55383; the issue discussion correctly notes that this did not cover the early file.download.info downloadUrl branch. (extensions/msteams/src/attachments/download.ts:76, 4fc5016f8fd2)

Likely related people:

• sudie-codes: Authored the merged Graph shares fix in PR fix(msteams): fetch OneDrive/SharePoint shared media via Graph shares endpoint (#55383) #63942 that introduced the helper and contentUrl/reference coverage this issue asks to reuse for file.download.info download URLs. (role: recent feature author; confidence: high; commits: 4fc5016f8fd2; files: extensions/msteams/src/attachments/download.ts, extensions/msteams/src/attachments/shared.ts, extensions/msteams/src/attachments.test.ts)
• BradGroux: Co-authored the merged PR fix(msteams): fetch OneDrive/SharePoint shared media via Graph shares endpoint (#55383) #63942 commit and later cross-referenced this issue from the Microsoft ecosystem tracker, so they are a likely maintainer routing candidate for the same msteams media area. (role: adjacent maintainer and co-author; confidence: high; commits: 4fc5016f8fd2; files: extensions/msteams/src/attachments/download.ts, extensions/msteams/src/attachments/shared.ts, extensions/msteams/src/attachments.test.ts)

Remaining risk / open question:

• No live Teams DM or tenant SharePoint download was exercised in this read-only review; the reproduction is source-level with a focused unit-test shape.
• The broader open bug(msteams): DM inline images and file attachments silently dropped #65329 covers other DM inline-media paths, so a repair should avoid broadening this issue beyond file.download.info SharePoint/OneDrive download URLs.

Codex review notes: model gpt-5.5, reasoning high; reviewed against d583662fd905.