Security hardening: token validation and service URL improvements#370
Open
Security hardening: token validation and service URL improvements#370
Conversation
3 tasks
Contributor
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Security hardening for token validation and inbound serviceUrl handling, plus preventing DevTools from running in production.
Changes:
- Added
serviceUrldomain allowlist validation (withadditional_allowed_domains) and strengthened JWT scope checks to exact set membership. - Added issuer-validation warning when Entra validation is configured without a tenant ID.
- Added a production-environment guard to prevent the DevTools plugin from starting, with accompanying unit tests.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| packages/devtools/src/microsoft_teams/devtools/devtools_plugin.py | Blocks DevTools plugin initialization when environment indicates production. |
| packages/devtools/tests/test_devtools_plugin.py | Adds tests for DevTools production guard and basic plugin initialization behavior. |
| packages/apps/src/microsoft_teams/apps/auth/token_validator.py | Adds service URL allowlist logic, warning for missing tenant ID, and exact scope matching. |
| packages/apps/src/microsoft_teams/apps/http/http_server.py | Adds serviceUrl allowlist validation and plumbs additional_allowed_domains into server init. |
| packages/apps/src/microsoft_teams/apps/options.py | Adds additional_allowed_domains to app options/internal options. |
| packages/apps/src/microsoft_teams/apps/app.py | Passes additional_allowed_domains from app options into server initialization. |
| packages/apps/tests/test_token_validator.py | Adds unit tests for domain allowlist, exact scope matching, and issuer warning. |
| packages/apps/tests/test_http_server.py | Adds unit tests for idempotent initialize, endpoint validation, auth rejection, and serviceUrl allowlist behavior. |
| packages/apps/tests/test_app.py | Adds unit test for merging app options with defaults. |
| examples/cards/src/main.py | Formatting-only change (single-line method chaining). |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Security hardening for token validation, service URL handling, and development tooling.
serviceUrlagainst allowed hostnames from the configured cloud environment preset. Configurable viaadditional_allowed_domainsfor non-standard channels or sovereign clouds without presets.Test plan
PYTHON_ENV=production