lex-microsoft_teams 0.5.2 → 0.5.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.gitignore +2 -2
- data/CHANGELOG.md +34 -0
- data/CLAUDE.md +2 -2
- data/docs/plans/2026-03-19-teams-token-lifecycle-design.md +120 -0
- data/docs/plans/2026-03-19-teams-token-lifecycle-implementation.md +679 -0
- data/lib/legion/extensions/microsoft_teams/actors/auth_validator.rb +105 -0
- data/lib/legion/extensions/microsoft_teams/actors/cache_sync.rb +1 -5
- data/lib/legion/extensions/microsoft_teams/actors/direct_chat_poller.rb +2 -2
- data/lib/legion/extensions/microsoft_teams/actors/message_processor.rb +1 -1
- data/lib/legion/extensions/microsoft_teams/actors/observed_chat_poller.rb +1 -1
- data/lib/legion/extensions/microsoft_teams/actors/token_refresher.rb +103 -0
- data/lib/legion/extensions/microsoft_teams/client.rb +5 -2
- data/lib/legion/extensions/microsoft_teams/helpers/browser_auth.rb +1 -1
- data/lib/legion/extensions/microsoft_teams/helpers/callback_server.rb +7 -2
- data/lib/legion/extensions/microsoft_teams/helpers/client.rb +4 -0
- data/lib/legion/extensions/microsoft_teams/helpers/prompt_resolver.rb +2 -5
- data/lib/legion/extensions/microsoft_teams/helpers/subscription_registry.rb +1 -0
- data/lib/legion/extensions/microsoft_teams/helpers/token_cache.rb +66 -3
- data/lib/legion/extensions/microsoft_teams/local_cache/extractor.rb +1 -1
- data/lib/legion/extensions/microsoft_teams/local_cache/record_parser.rb +1 -1
- data/lib/legion/extensions/microsoft_teams/runners/bot.rb +4 -4
- data/lib/legion/extensions/microsoft_teams/runners/cache_ingest.rb +8 -9
- data/lib/legion/extensions/microsoft_teams/runners/channel_messages.rb +5 -5
- data/lib/legion/extensions/microsoft_teams/runners/channels.rb +6 -6
- data/lib/legion/extensions/microsoft_teams/runners/chats.rb +5 -5
- data/lib/legion/extensions/microsoft_teams/runners/meetings.rb +16 -16
- data/lib/legion/extensions/microsoft_teams/runners/messages.rb +5 -5
- data/lib/legion/extensions/microsoft_teams/runners/presence.rb +2 -2
- data/lib/legion/extensions/microsoft_teams/runners/subscriptions.rb +5 -5
- data/lib/legion/extensions/microsoft_teams/runners/teams.rb +3 -3
- data/lib/legion/extensions/microsoft_teams/runners/transcripts.rb +6 -6
- data/lib/legion/extensions/microsoft_teams/version.rb +1 -1
- metadata +5 -2
- data/lib/legion/extensions/microsoft_teams/transport.rb +0 -11
|
@@ -0,0 +1,679 @@
|
|
|
1
|
+
# Teams Token Lifecycle Implementation Plan
|
|
2
|
+
|
|
3
|
+
> **For Claude:** REQUIRED SUB-SKILL: Use superpowers:executing-plans to implement this plan task-by-task.
|
|
4
|
+
|
|
5
|
+
**Goal:** Add automatic delegated token validation on boot, periodic refresh, and browser re-auth for previously authenticated users.
|
|
6
|
+
|
|
7
|
+
**Architecture:** Two new actors (AuthValidator/Once, TokenRefresher/Every) plus two new methods on TokenCache. AuthValidator loads tokens on startup and recovers expired sessions. TokenRefresher keeps tokens fresh on a configurable 15-minute interval. Both trigger BrowserAuth for re-auth when a previously authenticated user's token cannot be refreshed.
|
|
8
|
+
|
|
9
|
+
**Tech Stack:** Ruby, RSpec, lex-microsoft_teams actor/helper conventions
|
|
10
|
+
|
|
11
|
+
---
|
|
12
|
+
|
|
13
|
+
### Task 1: Add `authenticated?` and `previously_authenticated?` to TokenCache
|
|
14
|
+
|
|
15
|
+
**Files:**
|
|
16
|
+
- Modify: `lib/legion/extensions/microsoft_teams/helpers/token_cache.rb:38-63`
|
|
17
|
+
- Test: `spec/legion/extensions/microsoft_teams/helpers/token_cache_spec.rb`
|
|
18
|
+
|
|
19
|
+
**Step 1: Write the failing tests**
|
|
20
|
+
|
|
21
|
+
Add to the end of `token_cache_spec.rb`, before the final `end`:
|
|
22
|
+
|
|
23
|
+
```ruby
|
|
24
|
+
describe '#authenticated?' do
|
|
25
|
+
it 'returns false when no delegated token is cached' do
|
|
26
|
+
expect(cache.authenticated?).to be false
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
it 'returns true when a delegated token is stored' do
|
|
30
|
+
cache.store_delegated_token(
|
|
31
|
+
access_token: 'tok', refresh_token: 'ref',
|
|
32
|
+
expires_in: 3600, scopes: 'scope1'
|
|
33
|
+
)
|
|
34
|
+
expect(cache.authenticated?).to be true
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
it 'returns false after clearing delegated token' do
|
|
38
|
+
cache.store_delegated_token(
|
|
39
|
+
access_token: 'tok', refresh_token: 'ref',
|
|
40
|
+
expires_in: 3600, scopes: 'scope1'
|
|
41
|
+
)
|
|
42
|
+
cache.clear_delegated_token!
|
|
43
|
+
expect(cache.authenticated?).to be false
|
|
44
|
+
end
|
|
45
|
+
end
|
|
46
|
+
|
|
47
|
+
describe '#previously_authenticated?' do
|
|
48
|
+
it 'returns false when no local file exists' do
|
|
49
|
+
expect(cache.previously_authenticated?).to be false
|
|
50
|
+
end
|
|
51
|
+
|
|
52
|
+
it 'returns true after save_to_local' do
|
|
53
|
+
cache.store_delegated_token(
|
|
54
|
+
access_token: 'tok', refresh_token: 'ref',
|
|
55
|
+
expires_in: 3600, scopes: 'scope1'
|
|
56
|
+
)
|
|
57
|
+
cache.save_to_local
|
|
58
|
+
expect(cache.previously_authenticated?).to be true
|
|
59
|
+
end
|
|
60
|
+
end
|
|
61
|
+
```
|
|
62
|
+
|
|
63
|
+
**Step 2: Run tests to verify they fail**
|
|
64
|
+
|
|
65
|
+
Run: `cd extensions/lex-microsoft_teams && bundle exec rspec spec/legion/extensions/microsoft_teams/helpers/token_cache_spec.rb -v`
|
|
66
|
+
Expected: FAIL — `NoMethodError: undefined method 'authenticated?'`
|
|
67
|
+
|
|
68
|
+
**Step 3: Write minimal implementation**
|
|
69
|
+
|
|
70
|
+
Add these two methods to `token_cache.rb` after `clear_delegated_token!` (around line 63), before the `load_from_vault` method:
|
|
71
|
+
|
|
72
|
+
```ruby
|
|
73
|
+
def authenticated?
|
|
74
|
+
@mutex.synchronize { !@delegated_cache.nil? }
|
|
75
|
+
end
|
|
76
|
+
|
|
77
|
+
def previously_authenticated?
|
|
78
|
+
File.exist?(local_token_path)
|
|
79
|
+
end
|
|
80
|
+
```
|
|
81
|
+
|
|
82
|
+
**Step 4: Run tests to verify they pass**
|
|
83
|
+
|
|
84
|
+
Run: `cd extensions/lex-microsoft_teams && bundle exec rspec spec/legion/extensions/microsoft_teams/helpers/token_cache_spec.rb -v`
|
|
85
|
+
Expected: All pass (including existing specs)
|
|
86
|
+
|
|
87
|
+
**Step 5: Run rubocop**
|
|
88
|
+
|
|
89
|
+
Run: `cd extensions/lex-microsoft_teams && bundle exec rubocop lib/legion/extensions/microsoft_teams/helpers/token_cache.rb`
|
|
90
|
+
Expected: No offenses
|
|
91
|
+
|
|
92
|
+
**Step 6: Commit**
|
|
93
|
+
|
|
94
|
+
```bash
|
|
95
|
+
cd extensions/lex-microsoft_teams
|
|
96
|
+
git add lib/legion/extensions/microsoft_teams/helpers/token_cache.rb spec/legion/extensions/microsoft_teams/helpers/token_cache_spec.rb
|
|
97
|
+
git commit -m "add authenticated? and previously_authenticated? to TokenCache"
|
|
98
|
+
```
|
|
99
|
+
|
|
100
|
+
---
|
|
101
|
+
|
|
102
|
+
### Task 2: Create AuthValidator actor
|
|
103
|
+
|
|
104
|
+
**Files:**
|
|
105
|
+
- Create: `lib/legion/extensions/microsoft_teams/actors/auth_validator.rb`
|
|
106
|
+
- Test: `spec/legion/extensions/microsoft_teams/actors/auth_validator_spec.rb`
|
|
107
|
+
|
|
108
|
+
**Step 1: Write the spec file**
|
|
109
|
+
|
|
110
|
+
Create `spec/legion/extensions/microsoft_teams/actors/auth_validator_spec.rb`:
|
|
111
|
+
|
|
112
|
+
```ruby
|
|
113
|
+
# frozen_string_literal: true
|
|
114
|
+
|
|
115
|
+
require 'spec_helper'
|
|
116
|
+
|
|
117
|
+
unless defined?(Legion::Extensions::Actors::Once)
|
|
118
|
+
module Legion
|
|
119
|
+
module Extensions
|
|
120
|
+
module Actors
|
|
121
|
+
class Once; end # rubocop:disable Lint/EmptyClass
|
|
122
|
+
end
|
|
123
|
+
end
|
|
124
|
+
end
|
|
125
|
+
end
|
|
126
|
+
|
|
127
|
+
$LOADED_FEATURES << 'legion/extensions/actors/once' unless $LOADED_FEATURES.include?('legion/extensions/actors/once')
|
|
128
|
+
|
|
129
|
+
require 'legion/extensions/microsoft_teams/actors/auth_validator'
|
|
130
|
+
|
|
131
|
+
RSpec.describe Legion::Extensions::MicrosoftTeams::Actor::AuthValidator do
|
|
132
|
+
subject(:actor) { described_class.allocate }
|
|
133
|
+
|
|
134
|
+
let(:token_cache) { instance_double(Legion::Extensions::MicrosoftTeams::Helpers::TokenCache) }
|
|
135
|
+
let(:browser_auth) { instance_double(Legion::Extensions::MicrosoftTeams::Helpers::BrowserAuth) }
|
|
136
|
+
|
|
137
|
+
before do
|
|
138
|
+
allow(actor).to receive(:token_cache).and_return(token_cache)
|
|
139
|
+
end
|
|
140
|
+
|
|
141
|
+
it 'has a 2 second delay' do
|
|
142
|
+
expect(actor.delay).to eq(2.0)
|
|
143
|
+
end
|
|
144
|
+
|
|
145
|
+
it 'does not generate tasks' do
|
|
146
|
+
expect(actor.generate_task?).to be false
|
|
147
|
+
end
|
|
148
|
+
|
|
149
|
+
it 'does not check subtasks' do
|
|
150
|
+
expect(actor.check_subtask?).to be false
|
|
151
|
+
end
|
|
152
|
+
|
|
153
|
+
describe '#manual' do
|
|
154
|
+
before do
|
|
155
|
+
allow(token_cache).to receive(:previously_authenticated?).and_return(false)
|
|
156
|
+
end
|
|
157
|
+
|
|
158
|
+
context 'when token loads and refreshes successfully' do
|
|
159
|
+
before do
|
|
160
|
+
allow(token_cache).to receive(:load_from_vault).and_return(true)
|
|
161
|
+
allow(token_cache).to receive(:cached_delegated_token).and_return('valid-token')
|
|
162
|
+
end
|
|
163
|
+
|
|
164
|
+
it 'logs success and does not trigger browser auth' do
|
|
165
|
+
expect(actor).not_to receive(:attempt_browser_reauth)
|
|
166
|
+
actor.manual
|
|
167
|
+
end
|
|
168
|
+
end
|
|
169
|
+
|
|
170
|
+
context 'when token loads but refresh fails and previously authenticated' do
|
|
171
|
+
before do
|
|
172
|
+
allow(token_cache).to receive(:load_from_vault).and_return(true)
|
|
173
|
+
allow(token_cache).to receive(:cached_delegated_token).and_return(nil)
|
|
174
|
+
allow(token_cache).to receive(:previously_authenticated?).and_return(true)
|
|
175
|
+
allow(actor).to receive(:attempt_browser_reauth).and_return(true)
|
|
176
|
+
end
|
|
177
|
+
|
|
178
|
+
it 'triggers browser re-auth' do
|
|
179
|
+
actor.manual
|
|
180
|
+
expect(actor).to have_received(:attempt_browser_reauth)
|
|
181
|
+
end
|
|
182
|
+
end
|
|
183
|
+
|
|
184
|
+
context 'when token loads but refresh fails and never authenticated' do
|
|
185
|
+
before do
|
|
186
|
+
allow(token_cache).to receive(:load_from_vault).and_return(true)
|
|
187
|
+
allow(token_cache).to receive(:cached_delegated_token).and_return(nil)
|
|
188
|
+
allow(token_cache).to receive(:previously_authenticated?).and_return(false)
|
|
189
|
+
end
|
|
190
|
+
|
|
191
|
+
it 'does not trigger browser re-auth' do
|
|
192
|
+
expect(actor).not_to receive(:attempt_browser_reauth)
|
|
193
|
+
actor.manual
|
|
194
|
+
end
|
|
195
|
+
end
|
|
196
|
+
|
|
197
|
+
context 'when no token file exists' do
|
|
198
|
+
before do
|
|
199
|
+
allow(token_cache).to receive(:load_from_vault).and_return(false)
|
|
200
|
+
allow(token_cache).to receive(:previously_authenticated?).and_return(false)
|
|
201
|
+
end
|
|
202
|
+
|
|
203
|
+
it 'does nothing silently' do
|
|
204
|
+
expect(actor).not_to receive(:attempt_browser_reauth)
|
|
205
|
+
actor.manual
|
|
206
|
+
end
|
|
207
|
+
end
|
|
208
|
+
|
|
209
|
+
context 'when no token loads but previously authenticated' do
|
|
210
|
+
before do
|
|
211
|
+
allow(token_cache).to receive(:load_from_vault).and_return(false)
|
|
212
|
+
allow(token_cache).to receive(:previously_authenticated?).and_return(true)
|
|
213
|
+
allow(actor).to receive(:attempt_browser_reauth).and_return(true)
|
|
214
|
+
end
|
|
215
|
+
|
|
216
|
+
it 'triggers browser re-auth' do
|
|
217
|
+
actor.manual
|
|
218
|
+
expect(actor).to have_received(:attempt_browser_reauth)
|
|
219
|
+
end
|
|
220
|
+
end
|
|
221
|
+
end
|
|
222
|
+
end
|
|
223
|
+
```
|
|
224
|
+
|
|
225
|
+
**Step 2: Run test to verify it fails**
|
|
226
|
+
|
|
227
|
+
Run: `cd extensions/lex-microsoft_teams && bundle exec rspec spec/legion/extensions/microsoft_teams/actors/auth_validator_spec.rb -v`
|
|
228
|
+
Expected: FAIL — `LoadError: cannot load such file -- legion/extensions/microsoft_teams/actors/auth_validator`
|
|
229
|
+
|
|
230
|
+
**Step 3: Write the actor**
|
|
231
|
+
|
|
232
|
+
Create `lib/legion/extensions/microsoft_teams/actors/auth_validator.rb`:
|
|
233
|
+
|
|
234
|
+
```ruby
|
|
235
|
+
# frozen_string_literal: true
|
|
236
|
+
|
|
237
|
+
module Legion
|
|
238
|
+
module Extensions
|
|
239
|
+
module MicrosoftTeams
|
|
240
|
+
module Actor
|
|
241
|
+
class AuthValidator < Legion::Extensions::Actors::Once
|
|
242
|
+
def use_runner? = false
|
|
243
|
+
def check_subtask? = false
|
|
244
|
+
def generate_task? = false
|
|
245
|
+
|
|
246
|
+
def delay
|
|
247
|
+
2.0
|
|
248
|
+
end
|
|
249
|
+
|
|
250
|
+
def enabled?
|
|
251
|
+
defined?(Legion::Extensions::MicrosoftTeams::Helpers::TokenCache)
|
|
252
|
+
rescue StandardError
|
|
253
|
+
false
|
|
254
|
+
end
|
|
255
|
+
|
|
256
|
+
def token_cache
|
|
257
|
+
@token_cache ||= Legion::Extensions::MicrosoftTeams::Helpers::TokenCache.new
|
|
258
|
+
end
|
|
259
|
+
|
|
260
|
+
def manual
|
|
261
|
+
loaded = token_cache.load_from_vault
|
|
262
|
+
|
|
263
|
+
if loaded
|
|
264
|
+
token = token_cache.cached_delegated_token
|
|
265
|
+
if token
|
|
266
|
+
log_info('Teams delegated auth restored')
|
|
267
|
+
elsif token_cache.previously_authenticated?
|
|
268
|
+
attempt_browser_reauth(token_cache)
|
|
269
|
+
end
|
|
270
|
+
elsif token_cache.previously_authenticated?
|
|
271
|
+
log_warn('Token file found but could not load, attempting re-authentication')
|
|
272
|
+
attempt_browser_reauth(token_cache)
|
|
273
|
+
else
|
|
274
|
+
log_debug('No Teams delegated auth configured, skipping')
|
|
275
|
+
end
|
|
276
|
+
rescue StandardError => e
|
|
277
|
+
log_error("AuthValidator: #{e.message}")
|
|
278
|
+
end
|
|
279
|
+
|
|
280
|
+
private
|
|
281
|
+
|
|
282
|
+
def attempt_browser_reauth(tc)
|
|
283
|
+
settings = teams_auth_settings
|
|
284
|
+
return false unless settings[:tenant_id] && settings[:client_id]
|
|
285
|
+
|
|
286
|
+
log_warn('Delegated token expired, opening browser for re-authentication...')
|
|
287
|
+
|
|
288
|
+
scopes = settings.dig(:delegated, :scopes) ||
|
|
289
|
+
Legion::Extensions::MicrosoftTeams::Helpers::BrowserAuth::DEFAULT_SCOPES
|
|
290
|
+
browser_auth = Legion::Extensions::MicrosoftTeams::Helpers::BrowserAuth.new(
|
|
291
|
+
tenant_id: settings[:tenant_id],
|
|
292
|
+
client_id: settings[:client_id],
|
|
293
|
+
scopes: scopes
|
|
294
|
+
)
|
|
295
|
+
|
|
296
|
+
result = browser_auth.authenticate
|
|
297
|
+
return false if result[:error]
|
|
298
|
+
|
|
299
|
+
body = result[:result]
|
|
300
|
+
tc.store_delegated_token(
|
|
301
|
+
access_token: body['access_token'],
|
|
302
|
+
refresh_token: body['refresh_token'],
|
|
303
|
+
expires_in: body['expires_in'],
|
|
304
|
+
scopes: scopes
|
|
305
|
+
)
|
|
306
|
+
tc.save_to_vault
|
|
307
|
+
log_info('Teams delegated auth restored via browser')
|
|
308
|
+
true
|
|
309
|
+
rescue StandardError => e
|
|
310
|
+
log_error("Browser re-auth failed: #{e.message}")
|
|
311
|
+
false
|
|
312
|
+
end
|
|
313
|
+
|
|
314
|
+
def teams_auth_settings
|
|
315
|
+
return {} unless defined?(Legion::Settings)
|
|
316
|
+
|
|
317
|
+
Legion::Settings.dig(:microsoft_teams, :auth) || {}
|
|
318
|
+
end
|
|
319
|
+
|
|
320
|
+
def log_info(msg)
|
|
321
|
+
Legion::Logging.info(msg) if defined?(Legion::Logging)
|
|
322
|
+
end
|
|
323
|
+
|
|
324
|
+
def log_warn(msg)
|
|
325
|
+
Legion::Logging.warn(msg) if defined?(Legion::Logging)
|
|
326
|
+
end
|
|
327
|
+
|
|
328
|
+
def log_debug(msg)
|
|
329
|
+
Legion::Logging.debug(msg) if defined?(Legion::Logging)
|
|
330
|
+
end
|
|
331
|
+
|
|
332
|
+
def log_error(msg)
|
|
333
|
+
Legion::Logging.error(msg) if defined?(Legion::Logging)
|
|
334
|
+
end
|
|
335
|
+
end
|
|
336
|
+
end
|
|
337
|
+
end
|
|
338
|
+
end
|
|
339
|
+
end
|
|
340
|
+
```
|
|
341
|
+
|
|
342
|
+
**Step 4: Run tests to verify they pass**
|
|
343
|
+
|
|
344
|
+
Run: `cd extensions/lex-microsoft_teams && bundle exec rspec spec/legion/extensions/microsoft_teams/actors/auth_validator_spec.rb -v`
|
|
345
|
+
Expected: All pass
|
|
346
|
+
|
|
347
|
+
**Step 5: Run rubocop**
|
|
348
|
+
|
|
349
|
+
Run: `cd extensions/lex-microsoft_teams && bundle exec rubocop lib/legion/extensions/microsoft_teams/actors/auth_validator.rb`
|
|
350
|
+
Expected: No offenses
|
|
351
|
+
|
|
352
|
+
**Step 6: Commit**
|
|
353
|
+
|
|
354
|
+
```bash
|
|
355
|
+
cd extensions/lex-microsoft_teams
|
|
356
|
+
git add lib/legion/extensions/microsoft_teams/actors/auth_validator.rb spec/legion/extensions/microsoft_teams/actors/auth_validator_spec.rb
|
|
357
|
+
git commit -m "add AuthValidator actor for boot-time token validation"
|
|
358
|
+
```
|
|
359
|
+
|
|
360
|
+
---
|
|
361
|
+
|
|
362
|
+
### Task 3: Create TokenRefresher actor
|
|
363
|
+
|
|
364
|
+
**Files:**
|
|
365
|
+
- Create: `lib/legion/extensions/microsoft_teams/actors/token_refresher.rb`
|
|
366
|
+
- Test: `spec/legion/extensions/microsoft_teams/actors/token_refresher_spec.rb`
|
|
367
|
+
|
|
368
|
+
**Step 1: Write the spec file**
|
|
369
|
+
|
|
370
|
+
Create `spec/legion/extensions/microsoft_teams/actors/token_refresher_spec.rb`:
|
|
371
|
+
|
|
372
|
+
```ruby
|
|
373
|
+
# frozen_string_literal: true
|
|
374
|
+
|
|
375
|
+
require 'spec_helper'
|
|
376
|
+
|
|
377
|
+
unless defined?(Legion::Extensions::Actors::Every)
|
|
378
|
+
module Legion
|
|
379
|
+
module Extensions
|
|
380
|
+
module Actors
|
|
381
|
+
class Every; end # rubocop:disable Lint/EmptyClass
|
|
382
|
+
end
|
|
383
|
+
end
|
|
384
|
+
end
|
|
385
|
+
end
|
|
386
|
+
|
|
387
|
+
$LOADED_FEATURES << 'legion/extensions/actors/every' unless $LOADED_FEATURES.include?('legion/extensions/actors/every')
|
|
388
|
+
|
|
389
|
+
require 'legion/extensions/microsoft_teams/actors/token_refresher'
|
|
390
|
+
|
|
391
|
+
RSpec.describe Legion::Extensions::MicrosoftTeams::Actor::TokenRefresher do
|
|
392
|
+
subject(:actor) { described_class.allocate }
|
|
393
|
+
|
|
394
|
+
let(:token_cache) { instance_double(Legion::Extensions::MicrosoftTeams::Helpers::TokenCache) }
|
|
395
|
+
|
|
396
|
+
before do
|
|
397
|
+
allow(actor).to receive(:token_cache).and_return(token_cache)
|
|
398
|
+
end
|
|
399
|
+
|
|
400
|
+
it 'has a default 900 second interval' do
|
|
401
|
+
expect(actor.time).to eq(900)
|
|
402
|
+
end
|
|
403
|
+
|
|
404
|
+
it 'does not run immediately on start' do
|
|
405
|
+
expect(actor.run_now?).to be false
|
|
406
|
+
end
|
|
407
|
+
|
|
408
|
+
it 'does not generate tasks' do
|
|
409
|
+
expect(actor.generate_task?).to be false
|
|
410
|
+
end
|
|
411
|
+
|
|
412
|
+
it 'does not check subtasks' do
|
|
413
|
+
expect(actor.check_subtask?).to be false
|
|
414
|
+
end
|
|
415
|
+
|
|
416
|
+
describe '#manual' do
|
|
417
|
+
context 'when not authenticated' do
|
|
418
|
+
before do
|
|
419
|
+
allow(token_cache).to receive(:authenticated?).and_return(false)
|
|
420
|
+
end
|
|
421
|
+
|
|
422
|
+
it 'skips refresh entirely' do
|
|
423
|
+
expect(token_cache).not_to receive(:cached_delegated_token)
|
|
424
|
+
actor.manual
|
|
425
|
+
end
|
|
426
|
+
end
|
|
427
|
+
|
|
428
|
+
context 'when authenticated and refresh succeeds' do
|
|
429
|
+
before do
|
|
430
|
+
allow(token_cache).to receive(:authenticated?).and_return(true)
|
|
431
|
+
allow(token_cache).to receive(:cached_delegated_token).and_return('refreshed-token')
|
|
432
|
+
allow(token_cache).to receive(:save_to_vault)
|
|
433
|
+
end
|
|
434
|
+
|
|
435
|
+
it 'saves the refreshed token' do
|
|
436
|
+
actor.manual
|
|
437
|
+
expect(token_cache).to have_received(:save_to_vault)
|
|
438
|
+
end
|
|
439
|
+
end
|
|
440
|
+
|
|
441
|
+
context 'when authenticated but refresh fails and previously authenticated' do
|
|
442
|
+
before do
|
|
443
|
+
allow(token_cache).to receive(:authenticated?).and_return(true)
|
|
444
|
+
allow(token_cache).to receive(:cached_delegated_token).and_return(nil)
|
|
445
|
+
allow(token_cache).to receive(:previously_authenticated?).and_return(true)
|
|
446
|
+
allow(actor).to receive(:attempt_browser_reauth).and_return(true)
|
|
447
|
+
end
|
|
448
|
+
|
|
449
|
+
it 'triggers browser re-auth' do
|
|
450
|
+
actor.manual
|
|
451
|
+
expect(actor).to have_received(:attempt_browser_reauth)
|
|
452
|
+
end
|
|
453
|
+
end
|
|
454
|
+
|
|
455
|
+
context 'when authenticated but refresh fails and never previously authenticated' do
|
|
456
|
+
before do
|
|
457
|
+
allow(token_cache).to receive(:authenticated?).and_return(true)
|
|
458
|
+
allow(token_cache).to receive(:cached_delegated_token).and_return(nil)
|
|
459
|
+
allow(token_cache).to receive(:previously_authenticated?).and_return(false)
|
|
460
|
+
end
|
|
461
|
+
|
|
462
|
+
it 'does not trigger browser re-auth' do
|
|
463
|
+
expect(actor).not_to receive(:attempt_browser_reauth)
|
|
464
|
+
actor.manual
|
|
465
|
+
end
|
|
466
|
+
end
|
|
467
|
+
end
|
|
468
|
+
end
|
|
469
|
+
```
|
|
470
|
+
|
|
471
|
+
**Step 2: Run test to verify it fails**
|
|
472
|
+
|
|
473
|
+
Run: `cd extensions/lex-microsoft_teams && bundle exec rspec spec/legion/extensions/microsoft_teams/actors/token_refresher_spec.rb -v`
|
|
474
|
+
Expected: FAIL — `LoadError: cannot load such file`
|
|
475
|
+
|
|
476
|
+
**Step 3: Write the actor**
|
|
477
|
+
|
|
478
|
+
Create `lib/legion/extensions/microsoft_teams/actors/token_refresher.rb`:
|
|
479
|
+
|
|
480
|
+
```ruby
|
|
481
|
+
# frozen_string_literal: true
|
|
482
|
+
|
|
483
|
+
module Legion
|
|
484
|
+
module Extensions
|
|
485
|
+
module MicrosoftTeams
|
|
486
|
+
module Actor
|
|
487
|
+
class TokenRefresher < Legion::Extensions::Actors::Every
|
|
488
|
+
DEFAULT_REFRESH_INTERVAL = 900 # 15 minutes
|
|
489
|
+
|
|
490
|
+
def runner_class = Legion::Extensions::MicrosoftTeams::Helpers::TokenCache
|
|
491
|
+
def runner_function = 'cached_delegated_token'
|
|
492
|
+
def run_now? = false
|
|
493
|
+
def use_runner? = false
|
|
494
|
+
def check_subtask? = false
|
|
495
|
+
def generate_task? = false
|
|
496
|
+
|
|
497
|
+
def time
|
|
498
|
+
settings = teams_auth_settings
|
|
499
|
+
delegated = settings[:delegated]
|
|
500
|
+
return DEFAULT_REFRESH_INTERVAL unless delegated.is_a?(Hash)
|
|
501
|
+
|
|
502
|
+
delegated[:refresh_interval] || DEFAULT_REFRESH_INTERVAL
|
|
503
|
+
end
|
|
504
|
+
|
|
505
|
+
def enabled?
|
|
506
|
+
defined?(Legion::Extensions::MicrosoftTeams::Helpers::TokenCache)
|
|
507
|
+
rescue StandardError
|
|
508
|
+
false
|
|
509
|
+
end
|
|
510
|
+
|
|
511
|
+
def token_cache
|
|
512
|
+
@token_cache ||= Legion::Extensions::MicrosoftTeams::Helpers::TokenCache.new
|
|
513
|
+
end
|
|
514
|
+
|
|
515
|
+
def manual
|
|
516
|
+
return unless token_cache.authenticated?
|
|
517
|
+
|
|
518
|
+
token = token_cache.cached_delegated_token
|
|
519
|
+
if token
|
|
520
|
+
token_cache.save_to_vault
|
|
521
|
+
elsif token_cache.previously_authenticated?
|
|
522
|
+
attempt_browser_reauth(token_cache)
|
|
523
|
+
end
|
|
524
|
+
rescue StandardError => e
|
|
525
|
+
log_error("TokenRefresher: #{e.message}")
|
|
526
|
+
end
|
|
527
|
+
|
|
528
|
+
private
|
|
529
|
+
|
|
530
|
+
def attempt_browser_reauth(tc)
|
|
531
|
+
settings = teams_auth_settings
|
|
532
|
+
return false unless settings[:tenant_id] && settings[:client_id]
|
|
533
|
+
|
|
534
|
+
log_warn('Delegated token expired, opening browser for re-authentication...')
|
|
535
|
+
|
|
536
|
+
scopes = settings.dig(:delegated, :scopes) ||
|
|
537
|
+
Legion::Extensions::MicrosoftTeams::Helpers::BrowserAuth::DEFAULT_SCOPES
|
|
538
|
+
browser_auth = Legion::Extensions::MicrosoftTeams::Helpers::BrowserAuth.new(
|
|
539
|
+
tenant_id: settings[:tenant_id],
|
|
540
|
+
client_id: settings[:client_id],
|
|
541
|
+
scopes: scopes
|
|
542
|
+
)
|
|
543
|
+
|
|
544
|
+
result = browser_auth.authenticate
|
|
545
|
+
return false if result[:error]
|
|
546
|
+
|
|
547
|
+
body = result[:result]
|
|
548
|
+
tc.store_delegated_token(
|
|
549
|
+
access_token: body['access_token'],
|
|
550
|
+
refresh_token: body['refresh_token'],
|
|
551
|
+
expires_in: body['expires_in'],
|
|
552
|
+
scopes: scopes
|
|
553
|
+
)
|
|
554
|
+
tc.save_to_vault
|
|
555
|
+
log_info('Teams delegated auth restored via browser')
|
|
556
|
+
true
|
|
557
|
+
rescue StandardError => e
|
|
558
|
+
log_error("Browser re-auth failed: #{e.message}")
|
|
559
|
+
false
|
|
560
|
+
end
|
|
561
|
+
|
|
562
|
+
def teams_auth_settings
|
|
563
|
+
return {} unless defined?(Legion::Settings)
|
|
564
|
+
|
|
565
|
+
Legion::Settings.dig(:microsoft_teams, :auth) || {}
|
|
566
|
+
end
|
|
567
|
+
|
|
568
|
+
def log_info(msg)
|
|
569
|
+
Legion::Logging.info(msg) if defined?(Legion::Logging)
|
|
570
|
+
end
|
|
571
|
+
|
|
572
|
+
def log_warn(msg)
|
|
573
|
+
Legion::Logging.warn(msg) if defined?(Legion::Logging)
|
|
574
|
+
end
|
|
575
|
+
|
|
576
|
+
def log_error(msg)
|
|
577
|
+
Legion::Logging.error(msg) if defined?(Legion::Logging)
|
|
578
|
+
end
|
|
579
|
+
end
|
|
580
|
+
end
|
|
581
|
+
end
|
|
582
|
+
end
|
|
583
|
+
end
|
|
584
|
+
```
|
|
585
|
+
|
|
586
|
+
**Step 4: Run tests to verify they pass**
|
|
587
|
+
|
|
588
|
+
Run: `cd extensions/lex-microsoft_teams && bundle exec rspec spec/legion/extensions/microsoft_teams/actors/token_refresher_spec.rb -v`
|
|
589
|
+
Expected: All pass
|
|
590
|
+
|
|
591
|
+
**Step 5: Run rubocop**
|
|
592
|
+
|
|
593
|
+
Run: `cd extensions/lex-microsoft_teams && bundle exec rubocop lib/legion/extensions/microsoft_teams/actors/token_refresher.rb`
|
|
594
|
+
Expected: No offenses
|
|
595
|
+
|
|
596
|
+
**Step 6: Commit**
|
|
597
|
+
|
|
598
|
+
```bash
|
|
599
|
+
cd extensions/lex-microsoft_teams
|
|
600
|
+
git add lib/legion/extensions/microsoft_teams/actors/token_refresher.rb spec/legion/extensions/microsoft_teams/actors/token_refresher_spec.rb
|
|
601
|
+
git commit -m "add TokenRefresher actor for periodic delegated token refresh"
|
|
602
|
+
```
|
|
603
|
+
|
|
604
|
+
---
|
|
605
|
+
|
|
606
|
+
### Task 4: Wire actors into entry point and run full suite
|
|
607
|
+
|
|
608
|
+
**Files:**
|
|
609
|
+
- Modify: `lib/legion/extensions/microsoft_teams.rb`
|
|
610
|
+
|
|
611
|
+
**Step 1: Add requires to the entry point**
|
|
612
|
+
|
|
613
|
+
In `lib/legion/extensions/microsoft_teams.rb`, the actor files are auto-discovered by the framework (loaded via `Legion::Extensions::Core`). However, to ensure they are available, verify the actors directory is loaded. No explicit require needed — actors are discovered by convention. But if other actors in this extension are explicitly required elsewhere, check that pattern.
|
|
614
|
+
|
|
615
|
+
Actually, reviewing the codebase: actors are NOT explicitly required in the entry point. They are auto-discovered by the framework via the `Actor` module namespace. The existing actors (CacheBulkIngest, CacheSync, DirectChatPoller, ObservedChatPoller, MessageProcessor) are all loaded this way. No change to `microsoft_teams.rb` is needed.
|
|
616
|
+
|
|
617
|
+
**Step 2: Run full spec suite**
|
|
618
|
+
|
|
619
|
+
Run: `cd extensions/lex-microsoft_teams && bundle exec rspec -v`
|
|
620
|
+
Expected: All specs pass (should be ~200+ now)
|
|
621
|
+
|
|
622
|
+
**Step 3: Run rubocop on entire repo**
|
|
623
|
+
|
|
624
|
+
Run: `cd extensions/lex-microsoft_teams && bundle exec rubocop`
|
|
625
|
+
Expected: No offenses
|
|
626
|
+
|
|
627
|
+
**Step 4: Verify spec count increased**
|
|
628
|
+
|
|
629
|
+
Expected: 188 (previous) + 5 (TokenCache) + 9 (AuthValidator) + 8 (TokenRefresher) = ~210 specs
|
|
630
|
+
|
|
631
|
+
**Step 5: Commit integration verification**
|
|
632
|
+
|
|
633
|
+
No files changed in this step — this is verification only.
|
|
634
|
+
|
|
635
|
+
---
|
|
636
|
+
|
|
637
|
+
### Task 5: Bump version and update changelog
|
|
638
|
+
|
|
639
|
+
**Files:**
|
|
640
|
+
- Modify: `lib/legion/extensions/microsoft_teams/version.rb`
|
|
641
|
+
- Modify: `CHANGELOG.md`
|
|
642
|
+
|
|
643
|
+
**Step 1: Bump version**
|
|
644
|
+
|
|
645
|
+
Change version from `0.5.3` to `0.5.4` in `version.rb`.
|
|
646
|
+
|
|
647
|
+
**Step 2: Update changelog**
|
|
648
|
+
|
|
649
|
+
Add entry at top of CHANGELOG.md:
|
|
650
|
+
|
|
651
|
+
```markdown
|
|
652
|
+
## [0.5.4] - 2026-03-19
|
|
653
|
+
|
|
654
|
+
### Added
|
|
655
|
+
- `TokenCache#authenticated?` predicate for runtime delegated token state
|
|
656
|
+
- `TokenCache#previously_authenticated?` predicate for persistent auth history
|
|
657
|
+
- `AuthValidator` actor (Once): validates and restores delegated tokens on boot
|
|
658
|
+
- `TokenRefresher` actor (Every, 15min configurable): keeps delegated tokens fresh
|
|
659
|
+
- Automatic browser re-auth when previously authenticated user's token expires
|
|
660
|
+
- `refresh_interval` config key at `settings[:microsoft_teams][:auth][:delegated]`
|
|
661
|
+
```
|
|
662
|
+
|
|
663
|
+
**Step 3: Commit**
|
|
664
|
+
|
|
665
|
+
```bash
|
|
666
|
+
cd extensions/lex-microsoft_teams
|
|
667
|
+
git add lib/legion/extensions/microsoft_teams/version.rb CHANGELOG.md
|
|
668
|
+
git commit -m "bump version to 0.5.4, update changelog"
|
|
669
|
+
```
|
|
670
|
+
|
|
671
|
+
---
|
|
672
|
+
|
|
673
|
+
### Task 6: Push
|
|
674
|
+
|
|
675
|
+
**Step 1: Push to remote**
|
|
676
|
+
|
|
677
|
+
```bash
|
|
678
|
+
cd extensions/lex-microsoft_teams && git push
|
|
679
|
+
```
|