@microsoft/omnichannel-chat-widget 1.8.4-main.4f09da2 → 1.8.4-main.5d1fc98

package/README.md

@@ -177,7 +177,7 @@ Header's and Footer's child components consist of three parts:
 1. "middleGroup" - adding child components in the middle of the Header/Footer
 1. "rightGroup" - adding child components at the right of the Header/Footer
 
-By default Header has the header icon and title on the left and minimize and close buttons on the right, and Footer has Download Transcript and Email Transcript buttons on the left and audio notification button on the right. These components can be overriden with [ComponentOverrides](#ComponentOverrides). In addition, other custom child components can be added to both Header and Footer by creating custom react nodes and adding them to attributes "leftGroup", "middleGroup" or "rightGroup" of "controlProps".
+By default Header has the header icon and title on the left and minimize and close buttons on the right, and Footer has Download Transcript and Email Transcript buttons on the left and audio notification button on the right. These components can be overriden with [ComponentOverrides](#componentoverrides). In addition, other custom child components can be added to both Header and Footer by creating custom react nodes and adding them to attributes "leftGroup", "middleGroup" or "rightGroup" of "controlProps".
 
 ```js
 const buttonStyleProps: IButtonStyles = {
@@ -224,8 +224,10 @@ const customizedFooterProp: IFooterProps = {
 > :pushpin: Note that [WebChat hooks](https://github.com/microsoft/BotFramework-WebChat/blob/main/docs/HOOKS.md) can also be used in any custom components.
 
 #### Bidirectional Custom Events
+
 - Sending events from a hosting web page to bots/agents
-    - Register a function to post event
+  - Register a function to post event
+
         ```js
         //define sendCustomEvent function
         const sendCustomEvent = (payload) => {
@@ -253,7 +255,9 @@ const customizedFooterProp: IFooterProps = {
             }
         })
         ```
-    - Receiving events from bots/agents
+
+  - Receiving events from bots/agents
+
         ```js
         //define setOnCustomEvent function
         const setOnCustomEvent = (callback) => {
@@ -269,8 +273,10 @@ const customizedFooterProp: IFooterProps = {
         ```
 
 #### Trigger initiateEndChat event
+
 Customer can trigger the initiateEndChat event via BroadcastService to end a chat session.
 When needed, the payload below could be triggered:
+
 ```js
 const endChatEvent = {
     eventName: "InitiateEndChat",
@@ -283,18 +289,21 @@ BroadcastService.postMessage(endChatEvent);
 
 The payload of the event is optional, only needed when force closing of a persistent chat session is not required.
 When chat widget receives the event without any payload, it will:
+
 1. set the widget to closed state, the widget panel will be minimized. Post chat survey will not be displayed.
 2. trigger a sessionclose service network request to OmniChannel services.
 
 If skipSessionCloseForPersistentChat is set to true. The session close network request will not be triggered, instead, if postChat survey is available, post chat survey will be displayed.
 
 After successfully processed initiateEndChat event. The CloseChat event is broadcasted.
+
 ```js
 BroadcastService.getMessageByEventName("CloseChat").subscribe(async (msg) => {
     console.log("close chat received: ", msg);
     //more actions to unmount component and resources
 })
 ```
+
 ## See Also
 
 [Customizations Dev Guide](https://github.com/microsoft/omnichannel-chat-widget/blob/main/docs/customizations/getstarted.md)\

package/lib/cjs/common/Constants.js

@@ -82,6 +82,8 @@ _defineProperty(Constants, "audioMediaRegex", /(\.)(aac|aiff|alac|amr|flac|mp2|m
 _defineProperty(Constants, "videoMediaRegex", /(\.)(avchd|avi|flv|mpe|mpeg|mpg|mpv|mp4|m4p|m4v|mov|qt|swf|webm|wmv)$/i);
 _defineProperty(Constants, "chromeSupportedInlineMediaRegex", /(\.)(aac|mp3|wav|mp4)$/i);
 _defineProperty(Constants, "firefoxSupportedInlineMediaRegex", /(\.)(aac|flac|mp3|wav|mp4|mov)$/i);
+_defineProperty(Constants, "AdaptiveCardType", "adaptivecard");
+_defineProperty(Constants, "SuggestedActionsType", "suggestedactions");
 // calling container event names
 _defineProperty(Constants, "CallAdded", "callAdded");
 _defineProperty(Constants, "LocalVideoStreamAdded", "localVideoStreamAdded");

package/lib/cjs/common/facades/FacadeChatSDK.js

@@ -26,6 +26,8 @@ let FacadeChatSDK = /*#__PURE__*/function () {
     _defineProperty(this, "getAuthToken", void 0);
     _defineProperty(this, "sdkMocked", void 0);
     _defineProperty(this, "disableReauthentication", void 0);
+    // Stays true so CASE 1 re-triggers on every startChat to set deferInitialAuth
+    _defineProperty(this, "pendingMidAuthUnauthenticatedState", false);
     this.chatSDK = input.chatSDK;
     this.chatConfig = input.chatConfig;
     this.getAuthToken = input.getAuthToken;
@@ -50,6 +52,12 @@ let FacadeChatSDK = /*#__PURE__*/function () {
     value: function destroy() {
       this.token = null;
       this.expiration = 0;
+      if ((0, _authHelper.isMidAuthEnabled)(this.chatConfig)) {
+        this.pendingMidAuthUnauthenticatedState = false;
+        this.isAuthenticated = true;
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        this.chatSDK.deferInitialAuth = false;
+      }
     }
   }, {
     key: "isTokenSet",
@@ -214,6 +222,10 @@ let FacadeChatSDK = /*#__PURE__*/function () {
           message: "Token is valid"
         };
       }
+
+      // Token missing or expired - need to get a new one via getAuthToken
+      // For mid-auth: getAuthToken receives { isMidAuthEnabled: true } so customer implementations
+      // can check portal state and return null for logged-out users
       _TelemetryHelper.TelemetryHelper.logFacadeChatSDKEventToAllTelemetry(_TelemetryConstants.LogLevel.INFO, {
         Event: _TelemetryConstants.TelemetryEvent.NewTokenValidationStarted,
         Description: "Token validation started."
@@ -234,6 +246,7 @@ let FacadeChatSDK = /*#__PURE__*/function () {
       this.token = "";
       this.expiration = 0;
       try {
+        var _ring$error, _ring$error2;
         const ring = await (0, _authHelper.handleAuthentication)(this.chatSDK, this.chatConfig, this.getAuthToken);
         if ((ring === null || ring === void 0 ? void 0 : ring.result) === true && ring !== null && ring !== void 0 && ring.token) {
           await this.setToken(ring.token);
@@ -248,18 +261,35 @@ let FacadeChatSDK = /*#__PURE__*/function () {
             result: true,
             message: "New Token obtained"
           };
-        } else {
-          var _ring$error, _ring$error2;
-          _TelemetryHelper.TelemetryHelper.logFacadeChatSDKEventToAllTelemetry(_TelemetryConstants.LogLevel.ERROR, {
-            Event: _TelemetryConstants.TelemetryEvent.NewTokenValidationFailed,
-            Description: (_ring$error = ring.error) === null || _ring$error === void 0 ? void 0 : _ring$error.message,
-            ExceptionDetails: ring === null || ring === void 0 ? void 0 : ring.error
+        }
+
+        // Mid-auth: no token available - set pending flag for startChat to handle
+        const isEmptyTokenWithoutError = (0, _utils.isNullOrEmptyString)(ring === null || ring === void 0 ? void 0 : ring.token) && ((ring === null || ring === void 0 ? void 0 : ring.result) === true || (ring === null || ring === void 0 ? void 0 : ring.result) === false && !(ring !== null && ring !== void 0 && ring.error));
+        if ((0, _authHelper.isMidAuthEnabled)(this.chatConfig) && isEmptyTokenWithoutError) {
+          // Clear Facade and SDK token state so API calls use unauthenticated endpoints
+          this.token = "";
+          this.expiration = 0;
+          // eslint-disable-next-line @typescript-eslint/no-explicit-any
+          this.chatSDK.authenticatedUserToken = null;
+          this.pendingMidAuthUnauthenticatedState = true;
+          _TelemetryHelper.TelemetryHelper.logFacadeChatSDKEventToAllTelemetry(_TelemetryConstants.LogLevel.INFO, {
+            Event: _TelemetryConstants.TelemetryEvent.NewTokenValidationCompleted,
+            Description: "Mid-auth enabled: no token returned; proceeding as unauthenticated"
           });
           return {
-            result: false,
-            message: (ring === null || ring === void 0 ? void 0 : (_ring$error2 = ring.error) === null || _ring$error2 === void 0 ? void 0 : _ring$error2.message) || "Failed to get token"
+            result: true,
+            message: "Mid-auth: proceeding as unauthenticated"
           };
         }
+        _TelemetryHelper.TelemetryHelper.logFacadeChatSDKEventToAllTelemetry(_TelemetryConstants.LogLevel.ERROR, {
+          Event: _TelemetryConstants.TelemetryEvent.NewTokenValidationFailed,
+          Description: (_ring$error = ring.error) === null || _ring$error === void 0 ? void 0 : _ring$error.message,
+          ExceptionDetails: ring === null || ring === void 0 ? void 0 : ring.error
+        });
+        return {
+          result: false,
+          message: (ring === null || ring === void 0 ? void 0 : (_ring$error2 = ring.error) === null || _ring$error2 === void 0 ? void 0 : _ring$error2.message) || "Failed to get token"
+        };
       } catch (e) {
         console.error("Unexpected error while getting token", e);
         _TelemetryHelper.TelemetryHelper.logFacadeChatSDKEventToAllTelemetry(_TelemetryConstants.LogLevel.ERROR, {
@@ -273,6 +303,155 @@ let FacadeChatSDK = /*#__PURE__*/function () {
         };
       }
     }
+
+    /**
+     * Sets unauthenticated state for mid-auth flow.
+     * Clears SDK internal state to prevent reconnection to previous authenticated session.
+     */
+  }, {
+    key: "setMidAuthUnauthenticatedState",
+    value: function setMidAuthUnauthenticatedState() {
+      var _sdk$chatToken, _sdk$chatToken2;
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const sdk = this.chatSDK;
+      const hadExistingChat = !!((_sdk$chatToken = sdk.chatToken) !== null && _sdk$chatToken !== void 0 && _sdk$chatToken.chatId);
+      const previousChatId = (_sdk$chatToken2 = sdk.chatToken) === null || _sdk$chatToken2 === void 0 ? void 0 : _sdk$chatToken2.chatId;
+      this.clearAuthState();
+
+      // Clear SDK internal state for fresh unauthenticated chat
+      sdk.chatToken = {};
+      sdk.reconnectId = null;
+      sdk.requestId = null;
+      sdk.sessionId = null;
+      sdk.conversation = null;
+      _TelemetryHelper.TelemetryHelper.logFacadeChatSDKEventToAllTelemetry(_TelemetryConstants.LogLevel.INFO, {
+        Event: _TelemetryConstants.TelemetryEvent.MidConversationAuthReset,
+        Description: hadExistingChat ? "Mid-auth without token: local state cleared" : "Mid-auth: initialized as unauthenticated (no prior chat)",
+        Data: hadExistingChat ? {
+          previousChatId
+        } : undefined
+      });
+    }
+
+    /** Clears authentication state in both FacadeChatSDK and underlying SDK */
+  }, {
+    key: "clearAuthState",
+    value: function clearAuthState() {
+      this.token = "";
+      this.expiration = 0;
+      this.isAuthenticated = false;
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      this.chatSDK.authenticatedUserToken = null;
+    }
+
+    /**
+     * Migrates conversation from unauthenticated to authenticated via authenticateChat.
+     * Called after startChat() when user has a valid token but the backend conversation
+     * was started as unauthenticated.
+     */
+  }, {
+    key: "migrateConversationToAuthenticated",
+    value: async function migrateConversationToAuthenticated() {
+      try {
+        await this.chatSDK.authenticateChat(this.token, {
+          refreshChatToken: true
+        });
+        this.isAuthenticated = true;
+        _TelemetryHelper.TelemetryHelper.logFacadeChatSDKEventToAllTelemetry(_TelemetryConstants.LogLevel.INFO, {
+          Event: _TelemetryConstants.TelemetryEvent.MidConversationAuthSucceeded,
+          Description: "Mid-auth: authenticateChat completed, conversation migrated to authenticated"
+        });
+      } catch (e) {
+        // Non-fatal: Chat is already active via startChat, will retry on next reconnect
+        _TelemetryHelper.TelemetryHelper.logFacadeChatSDKEventToAllTelemetry(_TelemetryConstants.LogLevel.WARN, {
+          Event: _TelemetryConstants.TelemetryEvent.MidConversationAuthFailed,
+          Description: "Mid-auth: authenticateChat returned error after startChat, chat still active",
+          ExceptionDetails: {
+            message: e === null || e === void 0 ? void 0 : e.message
+          }
+        });
+      }
+    }
+
+    /**
+     * Configures SDK auth state before startChat.
+     * CASE 1: Pending unauthenticated (no token) - sets deferInitialAuth=true
+     * CASE 2: Authenticated with valid token - sets SDK token and deferInitialAuth based on scenario
+     */
+  }, {
+    key: "configureMidAuthState",
+    value: function configureMidAuthState(isReconnect, wasPreviousSessionAuthenticated) {
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const sdk = this.chatSDK;
+
+      // CASE 1: No token available (user not logged in)
+      // pendingMidAuthUnauthenticatedState stays true until user logs in (cleared in tokenRing)
+      if (this.pendingMidAuthUnauthenticatedState) {
+        const shouldClear = this.handlePendingUnauthenticatedState(wasPreviousSessionAuthenticated);
+        sdk.deferInitialAuth = true;
+        _TelemetryHelper.TelemetryHelper.logFacadeChatSDKEventToAllTelemetry(_TelemetryConstants.LogLevel.INFO, {
+          Event: _TelemetryConstants.TelemetryEvent.MidConversationAuthReset,
+          Description: "Mid-auth configureMidAuthState: CASE 1 - unauthenticated, deferInitialAuth=true",
+          Data: {
+            isReconnect: String(isReconnect),
+            wasPreviousSessionAuthenticated: String(wasPreviousSessionAuthenticated),
+            shouldClearReconnectParams: String(shouldClear)
+          }
+        });
+        return {
+          shouldClearReconnectParams: shouldClear
+        };
+      }
+
+      // CASE 2: Authenticated with valid token
+      if (this.isTokenSet() && !this.isTokenExpired()) {
+        this.handleAuthenticatedState(isReconnect, wasPreviousSessionAuthenticated);
+      }
+      return {
+        shouldClearReconnectParams: false
+      };
+    }
+
+    /**
+     * CASE 1 handler: Returns true if reconnect params should be cleared (Auth -> Unauth transition)
+     */
+  }, {
+    key: "handlePendingUnauthenticatedState",
+    value: function handlePendingUnauthenticatedState(wasPreviousSessionAuthenticated) {
+      if (wasPreviousSessionAuthenticated) {
+        // Auth -> Unauth: user logged out, clear state for fresh chat
+        this.setMidAuthUnauthenticatedState();
+        return true;
+      }
+
+      // Unauth -> Unauth: keep liveChatContext for reconnection
+      this.isAuthenticated = false;
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      this.chatSDK.authenticatedUserToken = null;
+      return false;
+    }
+
+    /**
+     * CASE 2 handler: Sets deferInitialAuth only for reconnects to unauthenticated sessions (need migration).
+     * For new chats or reconnects to authenticated sessions, SDK handles auth internally.
+     */
+  }, {
+    key: "handleAuthenticatedState",
+    value: function handleAuthenticatedState(isReconnect, wasPreviousSessionAuthenticated) {
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      const sdk = this.chatSDK;
+      sdk.authenticatedUserToken = this.token;
+      if (isReconnect && !wasPreviousSessionAuthenticated) {
+        sdk.deferInitialAuth = true;
+        _TelemetryHelper.TelemetryHelper.logFacadeChatSDKEventToAllTelemetry(_TelemetryConstants.LogLevel.INFO, {
+          Event: _TelemetryConstants.TelemetryEvent.MidConversationAuthSucceeded,
+          Description: "Mid-auth handleAuthenticatedState: CASE 2 - reconnect to unauth session, deferInitialAuth=true (migration needed)"
+        });
+      } else {
+        // Reset to prevent inheriting deferInitialAuth=true from a previous unauthenticated chat
+        sdk.deferInitialAuth = false;
+      }
+    }
   }, {
     key: "validateAndExecuteCall",
     value: async function validateAndExecuteCall(functionName, fn) {
@@ -307,7 +486,53 @@ let FacadeChatSDK = /*#__PURE__*/function () {
     key: "startChat",
     value: async function startChat() {
       let optionalParams = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {};
-      return this.validateAndExecuteCall("startChat", () => this.chatSDK.startChat(optionalParams));
+      const midAuthEnabled = (0, _authHelper.isMidAuthEnabled)(this.chatConfig);
+      const isReconnect = !!optionalParams.liveChatContext || !!optionalParams.reconnectId;
+      const wasPreviousSessionAuthenticated = optionalParams.wasAuthenticated === true;
+      return this.validateAndExecuteCall("startChat", async () => {
+        if (midAuthEnabled) {
+          const {
+            shouldClearReconnectParams
+          } = this.configureMidAuthState(isReconnect, wasPreviousSessionAuthenticated);
+          if (shouldClearReconnectParams) {
+            delete optionalParams.liveChatContext;
+            delete optionalParams.reconnectId;
+          }
+        }
+        await this.chatSDK.startChat(optionalParams);
+
+        // Migrate to authenticated if needed (reconnects to unauthenticated sessions only)
+        if (midAuthEnabled) {
+          const shouldMigrateToAuth = isReconnect && this.isTokenSet() && !this.isTokenExpired() && !wasPreviousSessionAuthenticated;
+          if (shouldMigrateToAuth) {
+            _TelemetryHelper.TelemetryHelper.logFacadeChatSDKEventToAllTelemetry(_TelemetryConstants.LogLevel.INFO, {
+              Event: _TelemetryConstants.TelemetryEvent.MidConversationAuthSucceeded,
+              Description: "Mid-auth startChat: initiating migration to authenticated",
+              Data: {
+                isReconnect: String(isReconnect),
+                wasPreviousSessionAuthenticated: String(wasPreviousSessionAuthenticated)
+              }
+            });
+            await this.migrateConversationToAuthenticated();
+          }
+        }
+
+        // Broadcast final auth state after startChat completes (only on state change)
+        if (midAuthEnabled) {
+          const isAuthenticatedAfterStart = this.isTokenSet() && !this.isTokenExpired();
+          const authStateChanged = !isReconnect || isAuthenticatedAfterStart !== wasPreviousSessionAuthenticated;
+          if (authStateChanged) {
+            _omnichannelChatComponents.BroadcastService.postMessage({
+              eventName: isAuthenticatedAfterStart ? _TelemetryConstants.BroadcastEvent.MidConversationAuthSucceeded : _TelemetryConstants.BroadcastEvent.MidConversationAuthReset,
+              payload: {
+                isAuthenticated: isAuthenticatedAfterStart,
+                isStartChatComplete: true,
+                isReconnect
+              }
+            });
+          }
+        }
+      });
     }
   }, {
     key: "endChat",
@@ -445,6 +670,7 @@ let FacadeChatSDK = /*#__PURE__*/function () {
       let optionalParams = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {};
       return this.validateAndExecuteCall("getAgentAvailability", () => this.chatSDK.getAgentAvailability(optionalParams));
     }
+
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
   }, {
     key: "getReconnectableChats",

package/lib/cjs/common/telemetry/TelemetryConstants.js

@@ -74,6 +74,8 @@ exports.BroadcastEvent = BroadcastEvent;
   BroadcastEvent["FMLTrackingCompletedAck"] = "FMLTrackingCompletedAck";
   BroadcastEvent["FMLTrackingCompleted"] = "FMLTrackingCompleted";
   BroadcastEvent["PersistentConversationReset"] = "PersistentConversationReset";
+  BroadcastEvent["MidConversationAuthSucceeded"] = "MidConversationAuthSucceeded";
+  BroadcastEvent["MidConversationAuthReset"] = "MidConversationAuthReset";
 })(BroadcastEvent || (exports.BroadcastEvent = BroadcastEvent = {}));
 let TelemetryEvent;
 exports.TelemetryEvent = TelemetryEvent;
@@ -108,6 +110,9 @@ exports.TelemetryEvent = TelemetryEvent;
   TelemetryEvent["CallingSDKInitFailed"] = "CallingSDKInitFailed";
   TelemetryEvent["CallingSDKLoadSuccess"] = "CallingSDKLoadSuccess";
   TelemetryEvent["CallingSDKLoadFailed"] = "CallingSDKLoadFailed";
+  TelemetryEvent["MidConversationAuthSucceeded"] = "MidConversationAuthSucceeded";
+  TelemetryEvent["MidConversationAuthFailed"] = "MidConversationAuthFailed";
+  TelemetryEvent["MidConversationAuthReset"] = "MidConversationAuthReset";
   TelemetryEvent["GetConversationDetailsCallStarted"] = "GetConversationDetailsCallStarted";
   TelemetryEvent["GetConversationDetailsCallFailed"] = "GetConversationDetailsCallFailed";
   TelemetryEvent["EndChatSDKCallFailed"] = "EndChatSDKCallFailed";
@@ -318,10 +323,16 @@ exports.TelemetryEvent = TelemetryEvent;
   TelemetryEvent["LCWLazyLoadNoMoreHistory"] = "LCWLazyLoadNoMoreHistory";
   TelemetryEvent["LCWLazyLoadHistoryError"] = "LCWLazyLoadHistoryError";
   TelemetryEvent["LCWLazyLoadDestroyed"] = "LCWLazyLoadDestroyed";
+  TelemetryEvent["LCWLazyLoadTriggerFired"] = "LCWLazyLoadTriggerFired";
+  TelemetryEvent["LCWLazyLoadBatchReceived"] = "LCWLazyLoadBatchReceived";
+  TelemetryEvent["LCWLazyLoadInitialLoadComplete"] = "LCWLazyLoadInitialLoadComplete";
+  TelemetryEvent["LCWLazyLoadScrollAnchorApplied"] = "LCWLazyLoadScrollAnchorApplied";
   TelemetryEvent["SecureEventBusUnauthorizedDispatch"] = "SecureEventBusUnauthorizedDispatch";
   TelemetryEvent["SecureEventBusListenerError"] = "SecureEventBusListenerError";
   TelemetryEvent["SecureEventBusDispatchError"] = "SecureEventBusDispatchError";
   TelemetryEvent["StartChatComplete"] = "StartChatComplete";
+  TelemetryEvent["AgentJoinedConversation"] = "AgentJoinedConversation";
+  TelemetryEvent["BrowserTabHidden"] = "BrowserTabHidden";
 })(TelemetryEvent || (exports.TelemetryEvent = TelemetryEvent = {}));
 let TelemetryConstants = /*#__PURE__*/function () {
   function TelemetryConstants() {
@@ -392,6 +403,8 @@ let TelemetryConstants = /*#__PURE__*/function () {
         case TelemetryEvent.SecureEventBusUnauthorizedDispatch:
         case TelemetryEvent.SecureEventBusListenerError:
         case TelemetryEvent.SecureEventBusDispatchError:
+        case TelemetryEvent.AgentJoinedConversation:
+        case TelemetryEvent.BrowserTabHidden:
           return ScenarioType.ACTIONS;
         case TelemetryEvent.StartChatSDKCall:
         case TelemetryEvent.StartChatEventReceived:

package/lib/cjs/common/utils/xssUtils.js

@@ -7,70 +7,42 @@ exports.detectAndCleanXSS = void 0;
 var _dompurify = _interopRequireDefault(require("dompurify"));
 function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; }
 /**
- * Detects potential Cross-Site Scripting (XSS) attacks in text input and sanitizes the content.
+ * Sanitizes text input and detects XSS attack patterns.
  * 
- * This function performs comprehensive XSS detection using pattern matching for common attack vectors
- * and then sanitizes the input using DOMPurify with strict configuration. It's designed to protect
- * against various XSS techniques including script injection, event handler injection, style-based
- * attacks, and encoded payloads.
+ * Sanitizes first with DOMPurify, then checks for malicious patterns in both
+ * the original and sanitized text to catch mutation XSS attacks.
  * 
- * Security patterns detected:
- * - JavaScript protocol URLs (javascript:)
- * - HTML event handlers (onmouseover, onclick, etc.)
- * - Script tags (<script>)
- * - CSS expression() functions
- * - CSS url() functions
- * - Position-based CSS attacks (position: fixed/absolute)
- * - VBScript protocol URLs
- * - Data URLs with HTML content
- * - Fragment identifiers with escaped quotes
- * - HTML entity-encoded angle brackets
- * 
- * @param text - The input text to be analyzed and sanitized
- * @returns An object containing:
- *   - cleanText: The sanitized version of the input text with all HTML tags and attributes removed
- *   - isXSSDetected: Boolean flag indicating whether potential XSS patterns were found in the original text
+ * @param text - Input text to sanitize
+ * @returns Object with cleanText (sanitized) and isXSSDetected flag
  */
 const detectAndCleanXSS = text => {
-  // Comprehensive array of regular expressions to detect common XSS attack patterns
-  const xssPatterns = [/javascript\s*:/gi,
-  // JavaScript protocol URLs (with optional spaces)
-  /vbscript\s*:/gi,
-  // VBScript protocol URLs (with optional spaces)
-  /on\w+\s*=/gi,
-  // HTML event handlers (onmouseover, onclick, onload, etc.)
-  /<\s*script/gi,
-  // Script tag opening (with optional spaces)
-  /expression\s*\(/gi,
-  // CSS expression() function (IE-specific)
-  /url\s*\(/gi,
-  // CSS url() function
-  /style\s*=.*position\s*:\s*fixed/gi,
-  // CSS position fixed attacks
-  /style\s*=.*position\s*:\s*absolute/gi,
-  // CSS position absolute attacks
-  /data\s*:\s*text\s*\/\s*html/gi,
-  // Data URLs containing HTML
-  /#.*\\"/gi,
-  // Fragment identifiers with escaped quotes
-  /&gt;.*&lt;/gi // HTML entity-encoded angle brackets indicating tag structure
-  ];
-
-  // Check if any XSS patterns are detected in the input text
-  const isXSSDetected = xssPatterns.some(pattern => pattern.test(text));
-
-  // Clean the text using DOMPurify with strict config
+  // Sanitize first to prevent mutation XSS (e.g., "s<iframe></iframe>tyle" → "style")
   const cleanText = _dompurify.default.sanitize(text, {
     ALLOWED_TAGS: [],
-    // No HTML tags allowed in title
     ALLOWED_ATTR: [],
     KEEP_CONTENT: true,
-    // Keep text content
     ALLOW_DATA_ATTR: false,
     ALLOW_UNKNOWN_PROTOCOLS: false,
     SANITIZE_DOM: true,
     FORCE_BODY: false
   });
+  const contentChanged = text !== cleanText;
+
+  // Non-global regex patterns to avoid stateful .test() issues
+  const xssPatterns = [/javascript\s*:/i, /vbscript\s*:/i, /on\w+\s*=/i,
+  // Event handlers
+  /<\s*script/i, /<\s*iframe/i, /<\s*object/i, /<\s*embed/i, /<\s*svg/i, /expression\s*\(/i,
+  // IE CSS expressions
+  /style\s*=.*position\s*:\s*(fixed|absolute)/i, /data\s*:\s*text\s*\/\s*html/i, /#.*\\"/i, /&(lt|gt|#x3c|#60|#x3e|#62);/i,
+  // HTML entities
+  /&#x?[0-9a-f]+;.*</i, /\u003c.*\u003e/i,
+  // Unicode escapes
+  /src\s*=\s*["']?\s*javascript:/i, /href\s*=\s*["']?\s*javascript:/i];
+  const hasXSSPattern = xssPatterns.some(pattern => {
+    return pattern.test(text) || pattern.test(cleanText);
+  });
+  const hasHTMLStructure = /<[^>]+>/.test(text) && !/<[^>]+>/.test(cleanText);
+  const isXSSDetected = contentChanged || hasXSSPattern || hasHTMLStructure;
   return {
     cleanText,
     isXSSDetected

package/lib/cjs/common/utils.js

@@ -480,7 +480,7 @@ const setOcUserAgent = chatSDK => {
   // eslint-disable-line @typescript-eslint/no-explicit-any
   if ((_chatSDK$OCClient = chatSDK.OCClient) !== null && _chatSDK$OCClient !== void 0 && _chatSDK$OCClient.ocUserAgent && !((_chatSDK$OCClient2 = chatSDK.OCClient) !== null && _chatSDK$OCClient2 !== void 0 && _chatSDK$OCClient2.ocUserAgent.join(" ").includes("omnichannel-chat-widget/"))) {
     try {
-      const version = require("../../../package.json").version; // eslint-disable-line @typescript-eslint/no-var-requires
+      const version = require("../../package.json").version; // eslint-disable-line @typescript-eslint/no-var-requires
       const userAgent = `omnichannel-chat-widget/${version}`;
       chatSDK.OCClient.ocUserAgent = [userAgent, ...chatSDK.OCClient.ocUserAgent];
     } catch (error) {

package/lib/cjs/components/livechatwidget/LiveChatWidget.js

@@ -35,8 +35,16 @@ const LiveChatWidget = props => {
     throw new Error("chatConfig is required");
   }
 
+  // Check configuration flags
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  const isAuthenticatedChat = !!((_props$chatConfig = props.chatConfig) !== null && _props$chatConfig !== void 0 && (_props$chatConfig$Liv = _props$chatConfig.LiveChatConfigAuthSettings) !== null && _props$chatConfig$Liv !== void 0 && _props$chatConfig$Liv.msdyn_javascriptclientfunction) || (0, _liveChatConfigUtils.isPersistentChatEnabled)((_props$chatConfig2 = props.chatConfig) === null || _props$chatConfig2 === void 0 ? void 0 : (_props$chatConfig2$Li = _props$chatConfig2.LiveWSAndLiveChatEngJoin) === null || _props$chatConfig2$Li === void 0 ? void 0 : _props$chatConfig2$Li.msdyn_conversationmode);
+  const hasAuthClientFn = !!((_props$chatConfig = props.chatConfig) !== null && _props$chatConfig !== void 0 && (_props$chatConfig$Liv = _props$chatConfig.LiveChatConfigAuthSettings) !== null && _props$chatConfig$Liv !== void 0 && _props$chatConfig$Liv.msdyn_javascriptclientfunction);
+  const persistentChatEnabled = (0, _liveChatConfigUtils.isPersistentChatEnabled)((_props$chatConfig2 = props.chatConfig) === null || _props$chatConfig2 === void 0 ? void 0 : (_props$chatConfig2$Li = _props$chatConfig2.LiveWSAndLiveChatEngJoin) === null || _props$chatConfig2$Li === void 0 ? void 0 : _props$chatConfig2$Li.msdyn_conversationmode);
+
+  // isAuthenticatedChat determines if FacadeChatSDK should require authentication:
+  // REGULAR AUTH FLOW (config-based):
+  // - Persistent chat enabled ? always authenticated
+  // - Auth settings exist ? authenticated from start
+  const isAuthenticatedChat = persistentChatEnabled || hasAuthClientFn;
   if (!facadeChatSDK) {
     var _props$mock;
     setFacadeChatSDK(new _FacadeChatSDK.FacadeChatSDK({

package/lib/cjs/components/livechatwidget/common/ActivitySubscriber/BotAuthActivitySubscriber.js

@@ -44,7 +44,7 @@ const extractSasUrl = async attachment => {
   }
   return sasUrl;
 };
-const fetchBotAuthConfig = async (retries, interval) => {
+const fetchBotAuthConfig = async (retries, interval, fallback) => {
   _TelemetryHelper.TelemetryHelper.logLoadingEvent(_TelemetryConstants.LogLevel.INFO, {
     Event: _TelemetryConstants.TelemetryEvent.SetBotAuthProviderFetchConfig
   });
@@ -60,13 +60,23 @@ const fetchBotAuthConfig = async (retries, interval) => {
   });
   if (retries === 1) {
     // Base Case
-    throw new Error();
+    if (response !== undefined) {
+      return response;
+    }
+    if (fallback !== undefined) {
+      _TelemetryHelper.TelemetryHelper.logLoadingEvent(_TelemetryConstants.LogLevel.WARN, {
+        Event: _TelemetryConstants.TelemetryEvent.SetBotAuthProviderNotFound,
+        Description: `Failed to fetch bot auth config after maximum retries. Using fallback value: ${fallback}`
+      });
+      return fallback;
+    }
+    throw new Error("Failed to fetch bot auth config after maximum retries");
   }
   await delay(interval);
   if (response !== undefined) {
     return response;
   }
-  return await fetchBotAuthConfig(--retries, interval);
+  return await fetchBotAuthConfig(--retries, interval, fallback);
 };
 let BotAuthActivitySubscriber = /*#__PURE__*/function () {
   function BotAuthActivitySubscriber() {
@@ -76,6 +86,7 @@ let BotAuthActivitySubscriber = /*#__PURE__*/function () {
     _defineProperty(this, "signInCardSeen", void 0);
     _defineProperty(this, "fetchBotAuthConfigRetries", void 0);
     _defineProperty(this, "fetchBotAuthConfigRetryInterval", void 0);
+    _defineProperty(this, "fallbackShowSignInCard", void 0);
     this.signInCardSeen = new Set();
     this.fetchBotAuthConfigRetries = 3;
     this.fetchBotAuthConfigRetryInterval = 1000;
@@ -85,6 +96,11 @@ let BotAuthActivitySubscriber = /*#__PURE__*/function () {
     if (optionalParams.fetchBotAuthConfigRetryInterval) {
       this.fetchBotAuthConfigRetryInterval = optionalParams.fetchBotAuthConfigRetryInterval;
     }
+    this.fallbackShowSignInCard = optionalParams.fallbackShowSignInCard;
+    _TelemetryHelper.TelemetryHelper.logLoadingEvent(_TelemetryConstants.LogLevel.INFO, {
+      Event: _TelemetryConstants.TelemetryEvent.SetBotAuthProviderFetchConfig,
+      Description: `BotAuthActivitySubscriber initialized with fallbackShowSignInCard: ${optionalParams.fallbackShowSignInCard}`
+    });
   }
   _createClass(BotAuthActivitySubscriber, [{
     key: "applicable",
@@ -129,7 +145,7 @@ let BotAuthActivitySubscriber = /*#__PURE__*/function () {
         _omnichannelChatComponents.BroadcastService.postMessage(event);
       }
       try {
-        const response = await fetchBotAuthConfig(this.fetchBotAuthConfigRetries, this.fetchBotAuthConfigRetryInterval);
+        const response = await fetchBotAuthConfig(this.fetchBotAuthConfigRetries, this.fetchBotAuthConfigRetryInterval, this.fallbackShowSignInCard);
         if (response === false) {
           _TelemetryHelper.TelemetryHelper.logLoadingEvent(_TelemetryConstants.LogLevel.INFO, {
             Event: _TelemetryConstants.TelemetryEvent.SetBotAuthProviderHideCard
@@ -140,9 +156,10 @@ let BotAuthActivitySubscriber = /*#__PURE__*/function () {
           });
           return activity;
         }
-      } catch {
+      } catch (e) {
         _TelemetryHelper.TelemetryHelper.logLoadingEvent(_TelemetryConstants.LogLevel.INFO, {
-          Event: _TelemetryConstants.TelemetryEvent.SetBotAuthProviderNotFound
+          Event: _TelemetryConstants.TelemetryEvent.SetBotAuthProviderNotFound,
+          ExceptionDetails: e instanceof Error ? e.message : JSON.stringify(e)
         });
         //this is to ensure listener continues waiting for response
         if (this.signInCardSeen.has(signInId)) {

package/lib/cjs/components/livechatwidget/common/ChatWidgetEvents.js

@@ -10,6 +10,7 @@ var ChatWidgetEvents;
   ChatWidgetEvents["FETCH_PERSISTENT_CHAT_HISTORY"] = "CHAT_WIDGET/FETCH_PERSISTENT_CHAT_HISTORY";
   ChatWidgetEvents["NO_MORE_HISTORY_AVAILABLE"] = "CHAT_WIDGET/NO_MORE_HISTORY_AVAILABLE";
   ChatWidgetEvents["HISTORY_LOAD_ERROR"] = "CHAT_WIDGET/HISTORY_LOAD_ERROR";
+  ChatWidgetEvents["HISTORY_BATCH_LOADED"] = "CHAT_WIDGET/HISTORY_BATCH_LOADED";
 })(ChatWidgetEvents || (ChatWidgetEvents = {}));
 var _default = ChatWidgetEvents;
 exports.default = _default;

package/lib/cjs/components/livechatwidget/common/PersistentConversationHandler.js

@@ -133,6 +133,12 @@ let PersistentConversationHandler = /*#__PURE__*/function () {
         }
         const messagesDescOrder = (_ref = [...messages]) === null || _ref === void 0 ? void 0 : _ref.reverse();
         this.processHistoryMessages(messagesDescOrder);
+
+        // Signal that a batch of history messages has been added to the store.
+        // LazyLoadActivity subscribes to this to apply scroll anchoring after render.
+        (0, _dispatchCustomEvent.default)(_ChatWidgetEvents.default.HISTORY_BATCH_LOADED, {
+          messageCount: messages.length
+        });
         _TelemetryHelper.TelemetryHelper.logActionEvent(_TelemetryConstants.LogLevel.INFO, {
           Event: _TelemetryConstants.TelemetryEvent.LCWPersistentHistoryPullCompleted,
           Description: "History pull completed successfully",
@@ -241,6 +247,9 @@ let PersistentConversationHandler = /*#__PURE__*/function () {
     value: function processMessageToActivity(message) {
       try {
         const activity = (0, _convertPersistentChatHistoryMessageToActivity.default)(message);
+        if (!activity) {
+          return null;
+        }
         activity.id = activity.id || `activity-${this.count}`;
         activity.channelData = {
           ...activity.channelData,