Skip to content

Commit 20394bd

Browse files
stevengumstevengum
authored
trust reference.serviceUrl if credentials.appId is truthy (#1889)
* trust reference.serviceUrl if credentials.appId is truthy * address @stevengum's PR feedback how meta
1 parent d49e3e6 commit 20394bd

File tree

2 files changed

+63
-22
lines changed

2 files changed

+63
-22
lines changed

libraries/botbuilder/src/botFrameworkAdapter.ts

Lines changed: 13 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -272,12 +272,19 @@ export class BotFrameworkAdapter extends BotAdapter implements ExtendedUserToken
272272

273273
let credentials: AppCredentials = this.credentials;
274274

275-
// If the provided OAuthScope doesn't match the current one on the instance's credentials, create
276-
// a new AppCredentials with the correct OAuthScope.
277-
if (credentials.oAuthScope !== audience) {
278-
// The BotFrameworkAdapter JavaScript implementation supports one Bot per instance, so get
279-
// the botAppId from the credentials.
280-
credentials = await this.buildCredentials(this.credentials.appId, audience);
275+
// For authenticated flows (where the bot has an AppId), the ConversationReference's serviceUrl needs
276+
// to be trusted for the bot to acquire a token when sending activities to the conversation.
277+
// For anonymous flows, the serviceUrl should not be trusted.
278+
if (credentials.appId) {
279+
AppCredentials.trustServiceUrl(reference.serviceUrl);
280+
281+
// If the provided OAuthScope doesn't match the current one on the instance's credentials, create
282+
// a new AppCredentials with the correct OAuthScope.
283+
if (credentials.oAuthScope !== audience) {
284+
// The BotFrameworkAdapter JavaScript implementation supports one Bot per instance, so get
285+
// the botAppId from the credentials.
286+
credentials = await this.buildCredentials(credentials.appId, audience);
287+
}
281288
}
282289

283290
const connectorClient = this.createConnectorClientInternal(reference.serviceUrl, credentials);

libraries/botbuilder/tests/botFrameworkAdapter.test.js

Lines changed: 50 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -467,22 +467,6 @@ describe(`BotFrameworkAdapter`, function () {
467467
});
468468
});
469469

470-
it(`should continueConversation().`, function (done) {
471-
let called = false;
472-
const adapter = new AdapterUnderTest();
473-
adapter.continueConversation(reference, (context) => {
474-
assert(context, `context not passed.`);
475-
assert(context.activity, `context has no request.`);
476-
assert(context.activity.type === 'event', `request has invalid type.`);
477-
assert(context.activity.from && context.activity.from.id === reference.user.id, `request has invalid from.id.`);
478-
assert(context.activity.recipient && context.activity.recipient.id === reference.bot.id, `request has invalid recipient.id.`);
479-
called = true;
480-
}).then(() => {
481-
assert(called, `bot logic not called.`);
482-
done();
483-
});
484-
});
485-
486470
it(`should createConversation().`, function (done) {
487471
let called = false;
488472
const adapter = new AdapterUnderTest();
@@ -1198,6 +1182,56 @@ describe(`BotFrameworkAdapter`, function () {
11981182
});
11991183

12001184
describe('continueConversation', function() {
1185+
it(`should succeed.`, function (done) {
1186+
let called = false;
1187+
const adapter = new AdapterUnderTest();
1188+
adapter.continueConversation(reference, (context) => {
1189+
assert(context, `context not passed.`);
1190+
assert(context.activity, `context has no request.`);
1191+
assert(context.activity.type === 'event', `request has invalid type.`);
1192+
assert(context.activity.from && context.activity.from.id === reference.user.id, `request has invalid from.id.`);
1193+
assert(context.activity.recipient && context.activity.recipient.id === reference.bot.id, `request has invalid recipient.id.`);
1194+
called = true;
1195+
}).then(() => {
1196+
assert(called, `bot logic not called.`);
1197+
done();
1198+
});
1199+
});
1200+
1201+
it(`should not trust reference.serviceUrl if there is no AppId on the credentials.`, function (done) {
1202+
let called = false;
1203+
const adapter = new AdapterUnderTest();
1204+
adapter.continueConversation(reference, (context) => {
1205+
assert(context, `context not passed.`);
1206+
assert(context.activity, `context has no request.`);
1207+
assert(context.activity.type === 'event', `request has invalid type.`);
1208+
assert(context.activity.from && context.activity.from.id === reference.user.id, `request has invalid from.id.`);
1209+
assert(context.activity.recipient && context.activity.recipient.id === reference.bot.id, `request has invalid recipient.id.`);
1210+
assert(!MicrosoftAppCredentials.isTrustedServiceUrl('https://example.org/channel'));
1211+
called = true;
1212+
}).then(() => {
1213+
assert(called, `bot logic not called.`);
1214+
done();
1215+
});
1216+
});
1217+
1218+
it(`should trust reference.serviceUrl if there is an AppId on the credentials.`, function (done) {
1219+
let called = false;
1220+
const adapter = new AdapterUnderTest({ appId: '2id', appPassword: '2pw' });
1221+
adapter.continueConversation(reference, (context) => {
1222+
assert(context, `context not passed.`);
1223+
assert(context.activity, `context has no request.`);
1224+
assert(context.activity.type === 'event', `request has invalid type.`);
1225+
assert(context.activity.from && context.activity.from.id === reference.user.id, `request has invalid from.id.`);
1226+
assert(context.activity.recipient && context.activity.recipient.id === reference.bot.id, `request has invalid recipient.id.`);
1227+
assert(MicrosoftAppCredentials.isTrustedServiceUrl('https://example.org/channel'));
1228+
called = true;
1229+
}).then(() => {
1230+
assert(called, `bot logic not called.`);
1231+
done();
1232+
});
1233+
});
1234+
12011235
it(`should work with oAuthScope and logic passed in.`, async () => {
12021236
let called = false;
12031237
const adapter = new AdapterUnderTest();

0 commit comments

Comments
 (0)