@microsoft/agents-hosting 1.5.0-beta.6.ga236d9a19c → 1.5.1

package/dist/src/app/auth/handlers/azureBotAuthorization.js

@@ -8,14 +8,17 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.AzureBotAuthorization = void 0;
-const logger_1 = require("@microsoft/agents-activity/logger");
 const types_1 = require("../types");
 const messageFactory_1 = require("../../../messageFactory");
 const cards_1 = require("../../../cards");
 const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
 const handlerStorage_1 = require("../handlerStorage");
+const utils_1 = require("../utils");
 const agents_activity_1 = require("@microsoft/agents-activity");
-const logger = (0, logger_1.debug)('agents:authorization:azurebot');
+const agents_telemetry_1 = require("@microsoft/agents-telemetry");
+const observability_1 = require("../../../observability");
+const errorHelper_1 = require("../../../errorHelper");
+const logger = (0, agents_telemetry_1.debug)('agents:authorization:azurebot');
 const DEFAULT_SIGN_IN_ATTEMPTS = 2;
 var Category;
 (function (Category) {
@@ -29,72 +32,56 @@ class AzureBotAuthorization {
     /**
      * Creates an instance of the AzureBotAuthorization.
      * @param id The unique identifier for the handler.
-     * @param options The settings for the handler.
-     * @param app The agent application instance.
+     * @param options The settings for the handler (must be fully resolved).
+     * @param settings The authorization handler settings.
      */
     constructor(id, options, settings) {
         this.id = id;
+        this.options = options;
         this.settings = settings;
+        this.type = 'azurebot';
         this._key = `${AzureBotAuthorization.name}/${this.id}`;
         /**
          * Predefined messages with dynamic placeholders.
          */
         this.messages = {
             invalidCode: (code) => {
-                var _a, _b;
-                const message = (_b = (_a = this._options.messages) === null || _a === void 0 ? void 0 : _a.invalidCode) !== null && _b !== void 0 ? _b : 'Invalid **{code}** code entered. Please try again with a new sign-in request.';
+                var _a;
+                const message = (_a = this.options.invalidSignInRetryMessage) !== null && _a !== void 0 ? _a : 'Invalid **{code}** code entered. Please try again with a new sign-in request.';
                 return message.replaceAll('{code}', code);
             },
             invalidCodeFormat: (attemptsLeft) => {
-                var _a, _b;
-                const message = (_b = (_a = this._options.messages) === null || _a === void 0 ? void 0 : _a.invalidCodeFormat) !== null && _b !== void 0 ? _b : 'Please enter a valid **6-digit** code format (_e.g. 123456_).\r\n**{attemptsLeft} attempt(s) left...**';
+                var _a;
+                const message = (_a = this.options.invalidSignInRetryMessageFormat) !== null && _a !== void 0 ? _a : 'Please enter a valid **6-digit** code format (_e.g. 123456_).\r\n**{attemptsLeft} attempt(s) left...**';
                 return message.replaceAll('{attemptsLeft}', attemptsLeft.toString());
             },
             maxAttemptsExceeded: (maxAttempts) => {
-                var _a, _b;
-                const message = (_b = (_a = this._options.messages) === null || _a === void 0 ? void 0 : _a.maxAttemptsExceeded) !== null && _b !== void 0 ? _b : 'You have exceeded the maximum number of sign-in attempts ({maxAttempts}). Please try again with a new sign-in request.';
+                var _a;
+                const message = (_a = this.options.invalidSignInRetryMaxExceededMessage) !== null && _a !== void 0 ? _a : 'You have exceeded the maximum number of sign-in attempts ({maxAttempts}). Please try again with a new sign-in request.';
                 return message.replaceAll('{maxAttempts}', maxAttempts.toString());
             },
         };
         if (!this.settings.storage) {
-            throw new Error(this.prefix('The \'storage\' option is not available in the app options. Ensure that the app is properly configured.'));
+            throw agents_activity_1.ExceptionHelper.generateException(Error, errorHelper_1.Errors.StorageOptionNotAvailable);
         }
         if (!this.settings.connections) {
-            throw new Error(this.prefix('The \'connections\' option is not available in the app options. Ensure that the app is properly configured.'));
+            throw agents_activity_1.ExceptionHelper.generateException(Error, errorHelper_1.Errors.ConnectionsOptionNotAvailable);
+        }
+        if (!options.azureBotOAuthConnectionName) {
+            throw agents_activity_1.ExceptionHelper.generateException(Error, errorHelper_1.Errors.AzureBotOAuthConnectionNameRequired);
         }
-        this._options = this.loadOptions(options);
     }
     /**
-     * Loads and validates the authorization handler options.
+     * The OBO scopes configured for this handler.
      */
-    loadOptions(settings) {
-        var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m, _o, _p, _q, _r;
-        const result = {
-            name: (_a = settings.name) !== null && _a !== void 0 ? _a : (process.env[`${this.id}_connectionName`]),
-            title: (_c = (_b = settings.title) !== null && _b !== void 0 ? _b : (process.env[`${this.id}_connectionTitle`])) !== null && _c !== void 0 ? _c : 'Sign-in',
-            text: (_e = (_d = settings.text) !== null && _d !== void 0 ? _d : (process.env[`${this.id}_connectionText`])) !== null && _e !== void 0 ? _e : 'Please sign-in to continue',
-            maxAttempts: (_f = settings.maxAttempts) !== null && _f !== void 0 ? _f : parseInt(process.env[`${this.id}_maxAttempts`]),
-            messages: {
-                invalidCode: (_h = (_g = settings.messages) === null || _g === void 0 ? void 0 : _g.invalidCode) !== null && _h !== void 0 ? _h : process.env[`${this.id}_messages_invalidCode`],
-                invalidCodeFormat: (_k = (_j = settings.messages) === null || _j === void 0 ? void 0 : _j.invalidCodeFormat) !== null && _k !== void 0 ? _k : process.env[`${this.id}_messages_invalidCodeFormat`],
-                maxAttemptsExceeded: (_m = (_l = settings.messages) === null || _l === void 0 ? void 0 : _l.maxAttemptsExceeded) !== null && _m !== void 0 ? _m : process.env[`${this.id}_messages_maxAttemptsExceeded`],
-            },
-            obo: {
-                connection: (_p = (_o = settings.obo) === null || _o === void 0 ? void 0 : _o.connection) !== null && _p !== void 0 ? _p : process.env[`${this.id}_obo_connection`],
-                scopes: (_r = (_q = settings.obo) === null || _q === void 0 ? void 0 : _q.scopes) !== null && _r !== void 0 ? _r : this.loadScopes(process.env[`${this.id}_obo_scopes`]),
-            },
-            enableSso: process.env[`${this.id}_enableSso`] !== 'false' // default value is true
-        };
-        if (!result.name) {
-            throw new Error(this.prefix(`The 'name' property or '${this.id}_connectionName' env variable is required to initialize the handler.`));
-        }
-        return result;
+    get scopes() {
+        return this.options.oboScopes;
     }
     /**
      * Maximum number of attempts for magic code entry.
      */
     get maxAttempts() {
-        const attempts = this._options.maxAttempts;
+        const attempts = this.options.invalidSignInRetryMax;
         const result = typeof attempts === 'number' && Number.isFinite(attempts) ? Math.round(attempts) : NaN;
         return result > 0 ? result : DEFAULT_SIGN_IN_ATTEMPTS;
     }
@@ -120,18 +107,19 @@ class AzureBotAuthorization {
      */
     async token(context, options) {
         var _a;
-        let { token } = this.getContext(context);
-        if (!(token === null || token === void 0 ? void 0 : token.trim())) {
-            const { activity } = context;
-            const userTokenClient = await this.getUserTokenClient(context);
-            // Using getTokenOrSignInResource instead of getUserToken to avoid HTTP 404 errors.
-            const { tokenResponse } = await userTokenClient.getTokenOrSignInResource((_a = activity.from) === null || _a === void 0 ? void 0 : _a.id, this._options.name, activity.channelId, activity.getConversationReference(), activity.relatesTo, '');
-            token = tokenResponse === null || tokenResponse === void 0 ? void 0 : tokenResponse.token;
-        }
-        if (!(token === null || token === void 0 ? void 0 : token.trim())) {
-            return { token: undefined };
+        const oboScopes = (options === null || options === void 0 ? void 0 : options.scopes) && options.scopes.length > 0 ? options.scopes : this.options.oboScopes;
+        // OBO token acquisition
+        if (oboScopes && oboScopes.length > 0) {
+            const oboConnection = (_a = options === null || options === void 0 ? void 0 : options.connection) !== null && _a !== void 0 ? _a : this.options.oboConnectionName;
+            const token = await this.getOBOToken(context, oboConnection, oboScopes);
+            return { token };
         }
-        return await this.handleOBO(token, options);
+        // Regular token acquisition
+        return (0, agents_telemetry_1.trace)(observability_1.AuthorizationTraceDefinitions.azureBotToken, async ({ record }) => {
+            record({ handlerId: this.id, connectionName: this.options.azureBotOAuthConnectionName });
+            const token = await this.getBaseToken(context);
+            return { token };
+        });
     }
     /**
      * Signs out the user from the service.
@@ -139,17 +127,20 @@ class AzureBotAuthorization {
      * @returns True if the signout was successful, false otherwise.
      */
     async signout(context) {
-        var _a;
-        const user = (_a = context.activity.from) === null || _a === void 0 ? void 0 : _a.id;
-        const channel = context.activity.channelId;
-        const connection = this._options.name;
-        if (!channel || !user) {
-            throw new Error(this.prefix('Both \'activity.channelId\' and \'activity.from.id\' are required to perform signout.'));
-        }
-        logger.debug(this.prefix(`Signing out User '${user}' from => Channel: '${channel}', Connection: '${connection}'`), context.activity);
-        const userTokenClient = await this.getUserTokenClient(context);
-        await userTokenClient.signOut(user, connection, channel);
-        return true;
+        return (0, agents_telemetry_1.trace)(observability_1.AuthorizationTraceDefinitions.azureBotSignout, async ({ record }) => {
+            var _a;
+            const user = (_a = context.activity.from) === null || _a === void 0 ? void 0 : _a.id;
+            const channel = context.activity.channelId;
+            const connection = this.options.azureBotOAuthConnectionName;
+            record({ handlerId: this.id, connectionName: connection, channelId: channel !== null && channel !== void 0 ? channel : 'unknown' });
+            if (!channel || !user) {
+                throw agents_activity_1.ExceptionHelper.generateException(Error, errorHelper_1.Errors.ChannelIdAndFromIdRequiredForSignout);
+            }
+            logger.debug(this.prefix(`Signing out User '${user}' from => Channel: '${channel}', Connection: '${connection}'`), context.activity);
+            const userTokenClient = await this.getUserTokenClient(context);
+            await userTokenClient.signOut(user, connection, channel);
+            return true;
+        });
     }
     /**
      * Initiates the sign-in process for the handler.
@@ -158,118 +149,172 @@ class AzureBotAuthorization {
      * @returns The status of the sign-in attempt.
      */
     async signin(context, active) {
-        var _a, _b, _c;
-        const { activity } = context;
-        const [category] = (_b = (_a = activity.name) === null || _a === void 0 ? void 0 : _a.split('/')) !== null && _b !== void 0 ? _b : [Category.UNKNOWN];
-        const storage = new handlerStorage_1.HandlerStorage(this.settings.storage, context);
-        if (!active) {
-            return this.setToken(storage, context);
-        }
-        logger.debug(this.prefix('Sign-in active session detected'), active.activity);
-        if (active.attemptsLeft <= 0) {
-            logger.warn(this.prefix('Maximum sign-in attempts exceeded'), activity);
-            await context.sendActivity(messageFactory_1.MessageFactory.text(this.messages.maxAttemptsExceeded(this.maxAttempts)));
-            return types_1.AuthorizationHandlerStatus.REJECTED;
-        }
-        if (category === Category.SIGNIN) {
-            await storage.write({ ...active, category });
-            const status = await this.handleSignInActivities(context);
-            if (status !== types_1.AuthorizationHandlerStatus.IGNORED) {
-                return status;
-            }
-        }
-        else if (active.category === Category.SIGNIN && activity.channelId === agents_activity_1.Channels.Msteams) {
-            // Specific to MS Teams, M365 does not send signin/verifyState when user consent is required.
-            // This is only for safety in case of unexpected behaviors during the MS Teams sign-in process,
-            // e.g., user interrupts the flow by clicking the Consent Cancel button.
-            logger.warn(this.prefix('The incoming activity will be revalidated due to a change in the sign-in flow'), activity);
-            return types_1.AuthorizationHandlerStatus.REVALIDATE;
-        }
-        const { status, code } = await this.codeVerification(storage, context, active);
-        if (status !== types_1.AuthorizationHandlerStatus.APPROVED) {
-            return status;
-        }
-        try {
-            const result = await this.setToken(storage, context, active, code);
-            if (result !== types_1.AuthorizationHandlerStatus.APPROVED) {
-                await this.sendInvokeResponse(context, { status: 404 });
-                return result;
+        return (0, agents_telemetry_1.trace)(observability_1.AuthorizationTraceDefinitions.azureBotSignin, async ({ record, actions }) => {
+            var _a, _b, _c, _d;
+            const reason = { message: '' };
+            let status;
+            const { activity } = context;
+            const [category] = (_b = (_a = activity.name) === null || _a === void 0 ? void 0 : _a.split('/')) !== null && _b !== void 0 ? _b : [Category.UNKNOWN];
+            const storage = new handlerStorage_1.HandlerStorage(this.settings.storage, context);
+            try {
+                if (!active) {
+                    status = await this.setToken(storage, context, undefined, undefined, reason);
+                    return status;
+                }
+                logger.debug(this.prefix('Sign-in active session detected'), active.activity);
+                if (active.attemptsLeft <= 0) {
+                    reason.message = 'Maximum sign-in attempts exceeded';
+                    logger.warn(this.prefix(reason.message), activity);
+                    await context.sendActivity(messageFactory_1.MessageFactory.text(this.messages.maxAttemptsExceeded(this.maxAttempts)));
+                    status = types_1.AuthorizationHandlerStatus.REJECTED;
+                    return status;
+                }
+                if (category === Category.SIGNIN) {
+                    await storage.write({ ...active, category });
+                    status = await this.handleSignInActivities(context, reason);
+                    if (status !== types_1.AuthorizationHandlerStatus.IGNORED) {
+                        return status;
+                    }
+                }
+                else if (active.category === Category.SIGNIN && activity.channelId === agents_activity_1.Channels.Msteams) {
+                    // Specific to MS Teams, M365 does not send signin/verifyState when user consent is required.
+                    // This is only for safety in case of unexpected behaviors during the MS Teams sign-in process,
+                    // e.g., user interrupts the flow by clicking the Consent Cancel button.
+                    reason.message = 'The incoming activity will be revalidated due to a change in the sign-in flow';
+                    logger.warn(this.prefix(reason.message), activity);
+                    status = types_1.AuthorizationHandlerStatus.REVALIDATE;
+                    return status;
+                }
+                const verification = await this.codeVerification(storage, context, active, reason);
+                status = verification.status;
+                if (status !== types_1.AuthorizationHandlerStatus.APPROVED) {
+                    return status;
+                }
+                try {
+                    const result = await this.setToken(storage, context, active, verification.code, reason);
+                    status = result;
+                    if (result !== types_1.AuthorizationHandlerStatus.APPROVED) {
+                        await (0, utils_1.sendInvokeResponse)(context, { status: 404 });
+                        return result;
+                    }
+                    await (0, utils_1.sendInvokeResponse)(context, { status: 200 });
+                    await ((_c = this._onSuccess) === null || _c === void 0 ? void 0 : _c.call(this, context));
+                    return result;
+                }
+                catch (error) {
+                    await (0, utils_1.sendInvokeResponse)(context, { status: 500 });
+                    if (error instanceof Error) {
+                        error.message = this.prefix(error.message);
+                    }
+                    throw error;
+                }
             }
-            await this.sendInvokeResponse(context, { status: 200 });
-            await ((_c = this._onSuccess) === null || _c === void 0 ? void 0 : _c.call(this, context));
-            return result;
-        }
-        catch (error) {
-            await this.sendInvokeResponse(context, { status: 500 });
-            if (error instanceof Error) {
-                error.message = this.prefix(error.message);
+            finally {
+                await actions.link(storage);
+                record({
+                    handlerId: this.id,
+                    status: status !== null && status !== void 0 ? status : 'unknown',
+                    statusReason: reason.message,
+                    connectionName: (_d = this.options.azureBotOAuthConnectionName) !== null && _d !== void 0 ? _d : 'unknown'
+                });
             }
-            throw error;
-        }
+        });
     }
     /**
-     * Handles on-behalf-of token acquisition.
+     * Retrieves the base token from the turn state or the user token client.
+     * @param context The turn context.
+     * @returns The token string or undefined if not available.
      */
-    async handleOBO(token, options) {
-        var _a, _b, _c;
-        const oboConnection = (_a = options === null || options === void 0 ? void 0 : options.connection) !== null && _a !== void 0 ? _a : (_b = this._options.obo) === null || _b === void 0 ? void 0 : _b.connection;
-        const oboScopes = (options === null || options === void 0 ? void 0 : options.scopes) && options.scopes.length > 0 ? options.scopes : (_c = this._options.obo) === null || _c === void 0 ? void 0 : _c.scopes;
-        if (!oboScopes || oboScopes.length === 0) {
-            return { token };
-        }
-        if (!this.isExchangeable(token)) {
-            throw new Error(this.prefix('The current token is not exchangeable for an on-behalf-of flow. Ensure the token audience starts with \'api://\'.'));
-        }
-        try {
-            const provider = oboConnection ? this.settings.connections.getConnection(oboConnection) : this.settings.connections.getDefaultConnection();
-            const newToken = await provider.acquireTokenOnBehalfOf(oboScopes, token);
-            logger.debug(this.prefix('Successfully acquired on-behalf-of token'), { connection: oboConnection, scopes: oboScopes });
-            return { token: newToken };
-        }
-        catch (error) {
-            logger.error(this.prefix('Failed to exchange on-behalf-of token'), { connection: oboConnection, scopes: oboScopes }, error);
-            return { token: undefined };
+    async getBaseToken(context) {
+        var _a;
+        const { token } = this.getContext(context);
+        if (!(token === null || token === void 0 ? void 0 : token.trim())) {
+            const { activity } = context;
+            const userTokenClient = await this.getUserTokenClient(context);
+            // Using getTokenOrSignInResource instead of getUserToken to avoid HTTP 404 errors.
+            const { tokenResponse } = await userTokenClient.getTokenOrSignInResource((_a = activity.from) === null || _a === void 0 ? void 0 : _a.id, this.options.azureBotOAuthConnectionName, activity.channelId, activity.getConversationReference(), activity.relatesTo, '');
+            return tokenResponse === null || tokenResponse === void 0 ? void 0 : tokenResponse.token;
         }
+        return token;
+    }
+    /**
+     * Acquires an on-behalf-of token for the user based on the provided scopes and connection.
+     */
+    async getOBOToken(context, oboConnection, oboScopes) {
+        return (0, agents_telemetry_1.trace)(observability_1.AuthorizationTraceDefinitions.azureBotOBOToken, async ({ record }) => {
+            var _a, _b;
+            record({ handlerId: this.id, connectionName: oboConnection, authScopes: oboScopes });
+            const token = await this.getBaseToken(context);
+            if (!token) {
+                return;
+            }
+            if (!this.isExchangeable(token)) {
+                throw agents_activity_1.ExceptionHelper.generateException(Error, errorHelper_1.Errors.AzureBotConnectionTokenNotExchangeable, undefined, { connectionName: this.options.azureBotOAuthConnectionName });
+            }
+            try {
+                const provider = oboConnection ? this.settings.connections.getConnection(oboConnection) : this.settings.connections.getDefaultConnection();
+                // Record the connection name again in case it changes.
+                record({ connectionName: (_b = (_a = provider === null || provider === void 0 ? void 0 : provider.connectionSettings) === null || _a === void 0 ? void 0 : _a.connectionName) !== null && _b !== void 0 ? _b : oboConnection });
+                const newToken = await provider.acquireTokenOnBehalfOf(oboScopes, token);
+                logger.debug(this.prefix('Successfully acquired on-behalf-of token'), { connection: oboConnection, scopes: oboScopes });
+                return newToken;
+            }
+            catch (error) {
+                logger.error(this.prefix('Failed to exchange on-behalf-of token'), { connection: oboConnection, scopes: oboScopes }, error);
+                throw error;
+            }
+        });
     }
     /**
      * Checks if a token is exchangeable for an on-behalf-of flow.
      */
     isExchangeable(token) {
+        var _a;
         if (!token || typeof token !== 'string') {
             return false;
         }
         const payload = jsonwebtoken_1.default.decode(token);
+        if (!payload || typeof payload === 'string') {
+            return false;
+        }
+        const appid = (_a = payload.azp) !== null && _a !== void 0 ? _a : payload.appid;
+        if (typeof appid !== 'string' || appid.length === 0) {
+            return false;
+        }
         const audiences = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
-        return audiences.some(aud => typeof aud === 'string' && aud.startsWith('api://'));
+        return audiences.some(aud => typeof aud === 'string' && aud.includes(appid));
     }
     /**
      * Sets the token from the token response or initiates the sign-in flow.
      */
-    async setToken(storage, context, active, code) {
+    async setToken(storage, context, active, code, reason = { message: '' }) {
         var _a;
         const { activity } = context;
         const userTokenClient = await this.getUserTokenClient(context);
-        const { tokenResponse, signInResource } = await userTokenClient.getTokenOrSignInResource((_a = activity.from) === null || _a === void 0 ? void 0 : _a.id, this._options.name, activity.channelId, activity.getConversationReference(), activity.relatesTo, code !== null && code !== void 0 ? code : '');
-        if (!tokenResponse && active) {
-            logger.warn(this.prefix('Invalid code entered. Restarting sign-in flow'), activity);
-            await context.sendActivity(messageFactory_1.MessageFactory.text(this.messages.invalidCode(code !== null && code !== void 0 ? code : '')));
+        const { tokenResponse, signInResource } = await userTokenClient.getTokenOrSignInResource((_a = activity.from) === null || _a === void 0 ? void 0 : _a.id, this.options.azureBotOAuthConnectionName, activity.channelId, activity.getConversationReference(), activity.relatesTo, code !== null && code !== void 0 ? code : '');
+        if (!tokenResponse && active && code) {
+            reason.message = 'Invalid code entered. Restarting sign-in flow';
+            logger.warn(this.prefix(reason.message), activity);
+            await context.sendActivity(messageFactory_1.MessageFactory.text(this.messages.invalidCode(code)));
             return types_1.AuthorizationHandlerStatus.REJECTED;
         }
         if (!tokenResponse) {
-            logger.debug(this.prefix('Cannot find token. Sending sign-in card'), activity);
-            const oCard = cards_1.CardFactory.oauthCard(this._options.name, this._options.title, this._options.text, signInResource, this._options.enableSso);
+            reason.message = 'Cannot find token. Sending sign-in card';
+            logger.debug(this.prefix(reason.message), activity);
+            const oCard = cards_1.CardFactory.oauthCard(this.options.azureBotOAuthConnectionName, this.options.title, this.options.text, signInResource, this.options.enableSso);
             await context.sendActivity(messageFactory_1.MessageFactory.attachment(oCard));
             await storage.write({ activity, id: this.id, ...(active !== null && active !== void 0 ? active : {}), attemptsLeft: this.maxAttempts });
             return types_1.AuthorizationHandlerStatus.PENDING;
         }
-        logger.debug(this.prefix('Successfully acquired token'), activity);
+        reason.message = 'Successfully acquired token';
+        logger.debug(this.prefix(reason.message), activity);
         this.setContext(context, { token: tokenResponse.token });
         return types_1.AuthorizationHandlerStatus.APPROVED;
     }
     /**
      * Handles sign-in related activities.
      */
-    async handleSignInActivities(context) {
+    async handleSignInActivities(context, reason) {
         var _a, _b, _c, _d;
         const { activity } = context;
         // Ignore signin/verifyState here (handled in codeVerification).
@@ -281,64 +326,66 @@ class AzureBotAuthorization {
             const tokenExchangeInvokeRequest = activity.value;
             const tokenExchangeRequest = { token: tokenExchangeInvokeRequest === null || tokenExchangeInvokeRequest === void 0 ? void 0 : tokenExchangeInvokeRequest.token };
             if (!(tokenExchangeRequest === null || tokenExchangeRequest === void 0 ? void 0 : tokenExchangeRequest.token)) {
-                const reason = 'The Agent received an InvokeActivity that is missing a TokenExchangeInvokeRequest value. This is required to be sent with the InvokeActivity.';
-                await this.sendInvokeResponse(context, {
+                reason.message = 'The Agent received an InvokeActivity that is missing a TokenExchangeInvokeRequest value. This is required to be sent with the InvokeActivity.';
+                await (0, utils_1.sendInvokeResponse)(context, {
                     status: 400,
-                    body: { connectionName: this._options.name, failureDetail: reason }
+                    body: { connectionName: this.options.azureBotOAuthConnectionName, failureDetail: reason.message }
                 });
-                logger.error(this.prefix(reason));
-                await ((_a = this._onFailure) === null || _a === void 0 ? void 0 : _a.call(this, context, reason));
+                logger.error(this.prefix(reason.message));
+                await ((_a = this._onFailure) === null || _a === void 0 ? void 0 : _a.call(this, context, reason.message));
                 return types_1.AuthorizationHandlerStatus.REJECTED;
             }
-            if (tokenExchangeInvokeRequest.connectionName !== this._options.name) {
-                const reason = `The Agent received an InvokeActivity with a TokenExchangeInvokeRequest for a different connection name ('${tokenExchangeInvokeRequest.connectionName}') than expected ('${this._options.name}').`;
-                await this.sendInvokeResponse(context, {
+            if (tokenExchangeInvokeRequest.connectionName !== this.options.azureBotOAuthConnectionName) {
+                reason.message = `The Agent received an InvokeActivity with a TokenExchangeInvokeRequest for a different connection name ('${tokenExchangeInvokeRequest.connectionName}') than expected ('${this.options.azureBotOAuthConnectionName}').`;
+                await (0, utils_1.sendInvokeResponse)(context, {
                     status: 400,
-                    body: { id: tokenExchangeInvokeRequest.id, connectionName: this._options.name, failureDetail: reason }
+                    body: { id: tokenExchangeInvokeRequest.id, connectionName: this.options.azureBotOAuthConnectionName, failureDetail: reason.message }
                 });
-                logger.error(this.prefix(reason));
-                await ((_b = this._onFailure) === null || _b === void 0 ? void 0 : _b.call(this, context, reason));
+                logger.error(this.prefix(reason.message));
+                await ((_b = this._onFailure) === null || _b === void 0 ? void 0 : _b.call(this, context, reason.message));
                 return types_1.AuthorizationHandlerStatus.REJECTED;
             }
-            const { token } = await userTokenClient.exchangeTokenAsync((_c = activity.from) === null || _c === void 0 ? void 0 : _c.id, this._options.name, activity.channelId, tokenExchangeRequest);
+            const { token } = await userTokenClient.exchangeTokenAsync((_c = activity.from) === null || _c === void 0 ? void 0 : _c.id, this.options.azureBotOAuthConnectionName, activity.channelId, tokenExchangeRequest);
             if (!token) {
-                const reason = 'The MS Teams token service didn\'t send back the exchanged token. Waiting for MS Teams to send another signin/tokenExchange request. After multiple failed attempts, the user will be asked to enter the magic code.';
-                await this.sendInvokeResponse(context, {
+                reason.message = 'The MS Teams token service didn\'t send back the exchanged token. Waiting for MS Teams to send another signin/tokenExchange request. After multiple failed attempts, the user will be asked to enter the magic code.';
+                await (0, utils_1.sendInvokeResponse)(context, {
                     status: 412,
-                    body: { id: tokenExchangeInvokeRequest.id, connectionName: this._options.name, failureDetail: reason }
+                    body: { id: tokenExchangeInvokeRequest.id, connectionName: this.options.azureBotOAuthConnectionName, failureDetail: reason.message }
                 });
-                logger.debug(this.prefix(reason));
+                logger.debug(this.prefix(reason.message));
                 return types_1.AuthorizationHandlerStatus.PENDING;
             }
-            await this.sendInvokeResponse(context, {
+            await (0, utils_1.sendInvokeResponse)(context, {
                 status: 200,
-                body: { id: tokenExchangeInvokeRequest.id, connectionName: this._options.name }
+                body: { id: tokenExchangeInvokeRequest.id, connectionName: this.options.azureBotOAuthConnectionName }
             });
-            logger.debug(this.prefix('Successfully exchanged token'));
+            reason.message = 'Successfully exchanged token';
+            logger.debug(this.prefix(reason.message));
             this.setContext(context, { token });
             await ((_d = this._onSuccess) === null || _d === void 0 ? void 0 : _d.call(this, context));
             return types_1.AuthorizationHandlerStatus.APPROVED;
         }
         if (activity.name === 'signin/failure') {
-            await this.sendInvokeResponse(context, { status: 200 });
-            const reason = 'Failed to sign-in';
+            await (0, utils_1.sendInvokeResponse)(context, { status: 200 });
+            reason.message = 'Failed to sign-in';
             const value = activity.value;
-            logger.error(this.prefix(reason), value, activity);
+            logger.error(this.prefix(reason.message), value, activity);
             if (this._onFailure) {
-                await this._onFailure(context, value.message || reason);
+                await this._onFailure(context, value.message || reason.message);
             }
             else {
-                await context.sendActivity(messageFactory_1.MessageFactory.text(`${reason}. Please try again.`));
+                await context.sendActivity(messageFactory_1.MessageFactory.text(`${reason.message}. Please try again.`));
             }
             return types_1.AuthorizationHandlerStatus.REJECTED;
         }
-        logger.error(this.prefix(`Unknown sign-in activity name: ${activity.name}`), activity);
+        reason.message = `Unknown sign-in activity name: ${activity.name}`;
+        logger.error(this.prefix(reason.message), activity);
         return types_1.AuthorizationHandlerStatus.REJECTED;
     }
     /**
      * Verifies the magic code provided by the user.
      */
-    async codeVerification(storage, context, active) {
+    async codeVerification(storage, context, active, reason = { message: '' }) {
         if (!active) {
             logger.debug(this.prefix('No active session found. Skipping code verification.'), context.activity);
             return { status: types_1.AuthorizationHandlerStatus.IGNORED };
@@ -351,18 +398,21 @@ class AzureBotAuthorization {
             state = teamsState;
         }
         if (state === 'CancelledByUser') {
-            await this.sendInvokeResponse(context, { status: 200 });
-            logger.warn(this.prefix('Sign-in process was cancelled by the user'), activity);
+            await (0, utils_1.sendInvokeResponse)(context, { status: 200 });
+            reason.message = 'Sign-in process was cancelled by the user';
+            logger.warn(this.prefix(reason.message), activity);
             return { status: types_1.AuthorizationHandlerStatus.REJECTED };
         }
         if (!(state === null || state === void 0 ? void 0 : state.match(/^\d{6}$/))) {
-            logger.warn(this.prefix(`Invalid magic code entered. Attempts left: ${active.attemptsLeft}`), activity);
+            reason.message = `Invalid magic code entered. Attempts left: ${active.attemptsLeft}`;
+            logger.warn(this.prefix(reason.message), activity);
             await context.sendActivity(messageFactory_1.MessageFactory.text(this.messages.invalidCodeFormat(active.attemptsLeft)));
             await storage.write({ ...active, attemptsLeft: active.attemptsLeft - 1 });
             return { status: types_1.AuthorizationHandlerStatus.PENDING };
         }
-        await this.sendInvokeResponse(context, { status: 200 });
-        logger.debug(this.prefix('Code verification successful'), activity);
+        await (0, utils_1.sendInvokeResponse)(context, { status: 200 });
+        reason.message = 'Code verification successful';
+        logger.debug(this.prefix(reason.message), activity);
         return { status: types_1.AuthorizationHandlerStatus.APPROVED, code: state };
     }
     /**
@@ -385,41 +435,16 @@ class AzureBotAuthorization {
     async getUserTokenClient(context) {
         const userTokenClient = context.turnState.get(context.adapter.UserTokenClientKey);
         if (!userTokenClient) {
-            throw new Error(this.prefix('The \'userTokenClient\' is not available in the adapter. Ensure that the adapter supports user token operations.'));
+            throw agents_activity_1.ExceptionHelper.generateException(Error, errorHelper_1.Errors.UserTokenClientNotAvailable);
         }
         return userTokenClient;
     }
-    /**
-     * Sends an InvokeResponse activity if the channel is Microsoft Teams, including Copilot within MS Teams.
-     */
-    sendInvokeResponse(context, response) {
-        if (context.activity.channelIdChannel !== agents_activity_1.Channels.Msteams) {
-            return Promise.resolve();
-        }
-        return context.sendActivity(agents_activity_1.Activity.fromObject({
-            type: agents_activity_1.ActivityTypes.InvokeResponse,
-            value: response
-        }));
-    }
     /**
      * Prefixes a message with the handler ID.
      */
     prefix(message) {
         return `[handler:${this.id}] ${message}`;
     }
-    /**
-     * Loads the OAuth scopes from the environment variables.
-     */
-    loadScopes(value) {
-        var _a;
-        return (_a = value === null || value === void 0 ? void 0 : value.split(',').reduce((acc, scope) => {
-            const trimmed = scope.trim();
-            if (trimmed) {
-                acc.push(trimmed);
-            }
-            return acc;
-        }, [])) !== null && _a !== void 0 ? _a : [];
-    }
 }
 exports.AzureBotAuthorization = AzureBotAuthorization;
 //# sourceMappingURL=azureBotAuthorization.js.map