Skip to content

fix: skip JWT validation for OPTIONS preflight requests#359

Open
rajan-chari wants to merge 1 commit intomainfrom
fix/317-jwt-options-preflight
Open

fix: skip JWT validation for OPTIONS preflight requests#359
rajan-chari wants to merge 1 commit intomainfrom
fix/317-jwt-options-preflight

Conversation

@rajan-chari
Copy link
Copy Markdown
Contributor

@rajan-chari rajan-chari commented Apr 4, 2026
edited
Loading

Summary

  • Bug: create_jwt_validation_middleware validates all HTTP methods on protected paths. CORS preflight (OPTIONS /api/messages) has no Authorization header or JSON body, so the middleware rejects it with 401 (caught as 500 by the generic handler).
  • Fix: Add request.method == "OPTIONS" check to the early-return condition at jwt_middleware.py:38, allowing preflight requests to pass through without auth validation.
  • Test: New test test_options_preflight_bypasses_auth verifies OPTIONS requests on validated paths skip auth and call through.

Note: This fix addresses the auth-layer crash (500 → 405). Full CORS preflight support (returning 200 with proper headers) requires CORSMiddleware configuration, which is a separate enhancement — see the linked issue below.

Test plan

  • Existing JWT middleware tests pass (6/6)
  • New OPTIONS preflight test passes
  • CI green on 3.12/3.13/3.14
  • Bot deployment: POST without auth → 401 (unchanged)
  • Bot deployment: OPTIONS /api/messages → 405 (was 500)
  • Regression: normal authenticated POST flow (pending browser test)

Fixes #317

🤖 Generated with Claude Code

@rajan-chari
fix: skip JWT validation for OPTIONS preflight requests (#317)
c820438 
The JWT middleware validated all HTTP methods on protected paths, causing
CORS preflight (OPTIONS) requests to fail with 401/500 since they carry
no Authorization header or JSON body.

Add an early return for OPTIONS requests before auth checks, matching
the behavior of the TypeScript SDK. Includes a new test.

Fixes #317
Copilot AI review requested due to automatic review settings April 4, 2026 06:10
Copilot AI reviewed Apr 4, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the FastAPI JWT validation middleware in microsoft-teams-apps to bypass authentication for CORS preflight OPTIONS requests, preventing unauthorized preflight requests to protected endpoints (e.g., /api/messages) from being rejected before reaching downstream CORS/route handling.

Changes:

  • Skip JWT validation when request.method == "OPTIONS" (in addition to non-validated paths).
  • Extend the JWT middleware test harness to allow specifying HTTP method on mocked requests.
  • Add a new test ensuring OPTIONS preflight requests bypass auth validation and call through.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
packages/apps/src/microsoft_teams/apps/auth/jwt_middleware.py Adds an early-return condition to bypass JWT validation for OPTIONS requests.
packages/apps/tests/test_jwt_middleware.py Updates request mock helper to include method and adds a regression test for OPTIONS preflight behavior.

packages/apps/tests/test_jwt_middleware.py

@pytest.mark.asyncio
async def test_options_preflight_bypasses_auth(self, mock_call_next):
"""OPTIONS preflight requests to validated paths bypass auth and call call_next directly."""
Copy link

Copilot AI Apr 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Docstring has a duplicated word (“call call_next”). Consider rephrasing to remove the duplication (e.g., “bypass auth and call_next directly”).

Copilot uses AI. Check for mistakes.
@rajan-chari
Copy link
Copy Markdown
Contributor Author

rajan-chari commented Apr 6, 2026

Manual Test Results — Echo Bot (Python)

Tested on branch fix/317-jwt-options-preflight. Python echo bot (pr340-echo) deployed to BAMI1 tenant via DevTunnel.

# Test Result Details
1 OPTIONS /api/messages PASS Returns 405 (Starlette route is POST-only). Before the fix, this was 500 (JWT middleware crashed parsing non-existent body). The middleware now correctly skips auth for OPTIONS. Full CORS preflight (200) requires CORSMiddleware — separate feature.
2 POST /api/messages (no auth) PASS Returns 401 — auth rejection still works correctly
3 Normal authenticated POST (Teams) N/A Not tested this session (browser tools unavailable). Change only touches OPTIONS path — POST flow is unaffected.

Code review

One-line change at jwt_middleware.py:38: adds request.method == "OPTIONS" check before auth validation. Minimal and correct — prevents the crash without overreaching into CORS territory.

CI: All green on Python 3.12/3.13/3.14.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@lilyydu lilyydu lilyydu approved these changes

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: JWT middleware returns 500 for OPTIONS preflight requests

3 participants

@rajan-chari @lilyydu