Reject unauthenticated when no credentials#506
Open
heyitsaamir wants to merge 5 commits into main from
Conversation
These two markdown files are all a human needs to write — the e2e testing skill generates and manages the actual Playwright test code from here. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…lowing Previously, deploying a bot without CLIENT_ID/CLIENT_SECRET caused the SDK to silently accept all requests with no authentication. This allowed an attacker to send crafted activities with a malicious serviceUrl, causing the bot to forward replies to the attacker's server (SSRF). Now, missing credentials without explicit skipAuth: true returns 401. A startup warning is logged to help developers diagnose the misconfiguration. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
corinagum
approved these changes
Apr 13, 2026
Collaborator
corinagum
left a comment
LGTM - I noticed in PY that every request will show an error while in TS, initialize() will have an error and after that 401 is swallowed. Should we align behaviors?
Member
this is breaking the integration with agentsplayground, are we ok with this state?
If a server is set up without any credentials, it currently will not be able to send messages, but it will currently accept all incoming requests.
This scenario is rare, but possible, and in this PR we reject any incoming requests if creds are not set up (and if skipAuth isn't explicitly set to true).
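The before/after behaviour the description spells out, as an added TypeScript example that is not the SDK's or this PR's code; AppConfig, authorize, authorizeBefore, checkBearer, startupWarning and TokenVerifier are illustrative names, and the token verifier is a stand-in for the SDK's real JWT validation.

```typescript
// Added example, not the SDK's own code. AppConfig, authorize, authorizeBefore,
// checkBearer, startupWarning and TokenVerifier are illustrative names.
interface AppConfig {
  clientId?: string;      // CLIENT_ID
  clientSecret?: string;  // CLIENT_SECRET
  skipAuth?: boolean;     // must be explicitly true to run unauthenticated
}

interface AuthDecision {
  status: 200 | 401;
  reason: string;
}

// Stand-in for the SDK's JWT validation so the gate runs offline; the real
// check verifies the inbound token against the expected issuer and audience.
type TokenVerifier = (token: string) => boolean;

function hasCredentials(cfg: AppConfig): boolean {
  return Boolean(cfg.clientId && cfg.clientSecret);
}

// Pre-fix behaviour as the PR description states it: with no credentials the
// token check was never reached, so every inbound activity (including one
// carrying an attacker-controlled serviceUrl) was accepted.
function authorizeBefore(cfg: AppConfig, authorization: string | undefined, verify: TokenVerifier): AuthDecision {
  if (!hasCredentials(cfg)) return { status: 200, reason: "no credentials; auth silently skipped" };
  return checkBearer(authorization, verify);
}

// Post-fix behaviour: missing credentials are a 401 unless skipAuth === true.
function authorize(cfg: AppConfig, authorization: string | undefined, verify: TokenVerifier): AuthDecision {
  if (cfg.skipAuth === true) return { status: 200, reason: "skipAuth explicitly enabled" };
  if (!hasCredentials(cfg)) return { status: 401, reason: "no credentials configured" };
  return checkBearer(authorization, verify);
}

function checkBearer(authorization: string | undefined, verify: TokenVerifier): AuthDecision {
  const match = authorization?.match(/^Bearer\s+(\S+)$/i);
  if (!match) return { status: 401, reason: "missing bearer token" };
  return verify(match[1]) ? { status: 200, reason: "token verified" } : { status: 401, reason: "token rejected" };
}

// Startup diagnostic so the misconfiguration shows up in logs rather than
// being discovered from rejected traffic.
function startupWarning(cfg: AppConfig): string | undefined {
  if (hasCredentials(cfg)) return undefined;
  return cfg.skipAuth === true
    ? "skipAuth is true: inbound requests are accepted without authentication"
    : "CLIENT_ID/CLIENT_SECRET not set and skipAuth is not true: inbound requests will be rejected with 401";
}
```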