Conversation
If a server is set up without any credentials, it currently will not be able to send messages, but it will accept all incoming requests. This scenario is rare, but possible, and in this PR we reject any incoming requests if credentials are not configured (and if skip_auth isn't explicitly set to True). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Tightens the default security posture of the Apps HttpServer by rejecting incoming requests when no app credentials are configured (unless skip_auth=True), addressing the case where a server could previously accept unauthenticated inbound traffic.
Changes:
- Reject incoming requests with
401whenskip_auth=Falseand no credentials/app ID are configured. - Add unit tests covering the “no credentials + skip_auth=False” rejection behavior.
- Minor test cleanup (rename handler argument in FastAPI adapter test).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| packages/apps/src/microsoft_teams/apps/http/http_server.py | Adds initialization warning for missing credentials and enforces 401 rejection when auth isn’t configured and auth isn’t skipped. |
| packages/apps/tests/test_http_server.py | Adds test coverage ensuring requests are rejected when credentials are missing and skip_auth is false. |
| except Exception as e: | ||
| logger.warning(f"JWT token validation failed: {e}") | ||
| return HttpResponse(status=401, body={"error": "Unauthorized"}) |
There was a problem hiding this comment.
Avoid f-strings in logger calls; they eagerly format even when the log level is disabled. Use logger's %-style formatting (or pass exc_info) so formatting is lazy and exception details can be captured consistently.
There was a problem hiding this comment.
Fixed in 74d73f5 — changed logger.warning(f"JWT token validation failed: {e}") to logger.warning("JWT token validation failed: %s", e) so the message is only formatted when the warning level is actually enabled.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Agent-Logs-Url: https://github.com/microsoft/teams.py/sessions/0f5b7128-a158-4a68-b142-9f772f93cdd2 Co-authored-by: heyitsaamir <48929123+heyitsaamir@users.noreply.github.com>
|
Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details. Warning Firewall rules blocked me from connecting to one or more addresses (expand for details)I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
If a server is set up without any credentials, it currently will not be able to send messages, but it will currently accept all incoming requests.
This scenario is rare, but possible, and in this PR we reject any incoming requests if creds are not setup (and if
skip_authisn't explicitly set toTrue).