@microsoft/teams.apps 0.2.7

package/dist/manifest.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoibWFuaWZlc3QuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi9zcmMvbWFuaWZlc3QudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IiJ9

package/dist/middleware/entra-token-validator.d.ts

@@ -0,0 +1,75 @@
+import jwt, { type JwtPayload } from 'jsonwebtoken';
+import jwksClient, { JwksClient } from 'jwks-rsa';
+import { ILogger } from '@microsoft/teams.common';
+/**
+ * Entra token validator parameters
+ */
+type EntraTokenValidatorParams = {
+    /**
+     *  App tenant ID. Used to find public keys to validate token signature, and to validate issuer for single-tenant apps.
+     *  This can be 'common', 'organization', or 'consumers' for a multi-tenant app, or a specific tenant ID for a single-tenant app.
+     */
+    tenantId: string;
+    /** App client ID. Used to validate token audience. */
+    clientId: string;
+    options?: {
+        /**
+         * For multi-tenant apps that only allows sign-in from specific tenants, this is the list of allowed tenant IDs.
+         * If empty or not provided, any tenant is considered valid.
+         * This is ignored for single-tenant apps.
+         */
+        allowedTenantIds?: string[];
+    };
+};
+export declare const getJwksClient: (options: jwksClient.Options) => JwksClient;
+/**
+ * And Entra token validator that can validate access tokens issued by Microsoft Entra for app specific use.
+ */
+export declare class EntraTokenValidator {
+    readonly tenantId: string;
+    readonly clientId: string;
+    readonly validIssuerTenantIds: string[];
+    private keyClient;
+    constructor({ tenantId, clientId, options }: EntraTokenValidatorParams);
+    /**
+     * Validates a JWT access token
+     * @param {ILogger} logger The logger to use.
+     * @param {string} rawAccessToken The access token as a string.
+     * @param { string | undefined } requiredScope If provided, the token will only be considered valid if issued for this scope.
+     * @returns {Promise<jwt.Jwt | null>} The validated token if the signature is valid and the claims are valid.
+     */
+    validateAccessToken(logger: ILogger, rawAccessToken: string, requiredScope?: string): Promise<jwt.Jwt | null>;
+    getTokenPayload(token: jwt.Jwt): JwtPayload | null;
+    /**
+     * Validates the token claims: that it's valid for the intended purpose, it's not expired, it has the right audience & issuer,
+     * it's issued for the requisite scope.
+     * @param {ILogger} logger The logger to use.
+     * @param {jwt.Jwt} token The token to validate.
+     * @param { string | undefined } requiredScope If provided, the token will only be considered valid if issued for this scope.
+     * @returns {boolean} True if the claims validation passed.
+     */
+    private validateAccessTokenClaims;
+    /**
+     * Decodes an access token without verifying if the signature is valid.
+     * @param {ILogger} logger The logger to use.
+     * @param {string} rawAccessToken the raw access token.
+     * @returns {jwt.JWT | null} A decoded token if the raw access token is well formed.
+     */
+    private decodeToken;
+    /**
+     * Gets the public key from the key identifier in a token header
+     * @param {ILogger} logger The logger to use.
+     * @param {jwt.JwtHeader} header the token header
+     * @returns {Promise<string | undefined>} the public key corresponding to the header key identifier, if available
+     */
+    private getPublicKey;
+    /**
+     * Decodes the access token and verifies it against the public key
+     * @param {ILogger} logger The logger to use.
+     * @param {string} rawAccessToken the raw access token.
+     * @param {string} publicKey the public key to verify signature against.
+     * @returns {Promise<jwt.JWT | null>} A decoded token if the raw token is well formed and the signature is valid.
+     */
+    private validateTokenSignature;
+}
+export {};

package/dist/middleware/entra-token-validator.js

@@ -0,0 +1,169 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EntraTokenValidator = exports.getJwksClient = void 0;
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+const jwks_rsa_1 = __importDefault(require("jwks-rsa"));
+const getJwksClient = (options) => (0, jwks_rsa_1.default)(options);
+exports.getJwksClient = getJwksClient;
+/**
+ * And Entra token validator that can validate access tokens issued by Microsoft Entra for app specific use.
+ */
+class EntraTokenValidator {
+    tenantId;
+    clientId;
+    validIssuerTenantIds;
+    keyClient;
+    constructor({ tenantId, clientId, options }) {
+        this.tenantId = tenantId;
+        this.clientId = clientId;
+        // single-tenant applications only allow tokens issued by this app's tenant
+        // multi tenant applications allow tokens issued by any tenant, unless the
+        // allowedTenantIds option is provided to limit the set of allowed issuers.
+        const isMultiTenant = ['common', 'organizations', 'consumers'].some((val) => tenantId === val);
+        this.validIssuerTenantIds = isMultiTenant ? (options?.allowedTenantIds ?? []) : [this.tenantId];
+        this.keyClient = (0, exports.getJwksClient)({
+            jwksUri: `https://login.microsoftonline.com/${tenantId}/discovery/v2.0/keys`,
+        });
+    }
+    /**
+     * Validates a JWT access token
+     * @param {ILogger} logger The logger to use.
+     * @param {string} rawAccessToken The access token as a string.
+     * @param { string | undefined } requiredScope If provided, the token will only be considered valid if issued for this scope.
+     * @returns {Promise<jwt.Jwt | null>} The validated token if the signature is valid and the claims are valid.
+     */
+    async validateAccessToken(logger, rawAccessToken, requiredScope) {
+        if (!rawAccessToken) {
+            logger.error('No token provided');
+            return null;
+        }
+        const token = this.decodeToken(logger, rawAccessToken);
+        if (!token) {
+            logger.error('Failed to decode the access token');
+            return null;
+        }
+        const publicKey = await this.getPublicKey(logger, token.header);
+        if (!publicKey) {
+            logger.error(`Failed to find public key for the key identifier "${token.header.kid}"`);
+            return null;
+        }
+        const validatedToken = this.validateTokenSignature(logger, rawAccessToken, publicKey);
+        if (!validatedToken) {
+            logger.error('Failed to validate the token signature');
+            return null;
+        }
+        if (!this.validateAccessTokenClaims(logger, validatedToken, requiredScope)) {
+            logger.error('Failed to validate the access token claims');
+            return null;
+        }
+        return validatedToken;
+    }
+    getTokenPayload(token) {
+        return token.payload instanceof Object ? token.payload : null;
+    }
+    /**
+     * Validates the token claims: that it's valid for the intended purpose, it's not expired, it has the right audience & issuer,
+     * it's issued for the requisite scope.
+     * @param {ILogger} logger The logger to use.
+     * @param {jwt.Jwt} token The token to validate.
+     * @param { string | undefined } requiredScope If provided, the token will only be considered valid if issued for this scope.
+     * @returns {boolean} True if the claims validation passed.
+     */
+    validateAccessTokenClaims(logger, token, requiredScope) {
+        const payload = this.getTokenPayload(token);
+        if (!payload) {
+            logger.error('Invalid token payload.');
+            return false;
+        }
+        // validate iat (issued at) and exp (expiration) fields.
+        // these are expressed as number of seconds since Unix epoch.
+        const now = Math.round(new Date().getTime() / 1000.0);
+        const checkTimestamp = payload.iat && payload.iat <= now && payload.exp && payload.exp >= now;
+        if (!checkTimestamp) {
+            logger.error('The token is expired or not yet valid.');
+            return false;
+        }
+        // validate audience
+        const checkAudience = payload.aud === this.clientId || payload.aud === `api://${this.clientId}`;
+        if (!checkAudience) {
+            logger.error('The token is not issued for the expected audience.');
+            return false;
+        }
+        const tokenIssuer = payload.iss;
+        if (!tokenIssuer) {
+            logger.error('Invalid token issuer.');
+            return false;
+        }
+        // validate token issuer
+        //  - if this is a single-tenant application, validate that the token is issued by the expected tenant
+        //  - if this is a multi-tenant application that only allows sign-in from specific tenants, validate that
+        //    the token is issued by one of those
+        //  - if this is a multi-tenant that does not limit sign-in to specific tenants, any issuer is considered valid.
+        const checkIssuer = !this.validIssuerTenantIds.length ||
+            this.validIssuerTenantIds.some((tenantId) => tokenIssuer.startsWith(`https://login.microsoftonline.com/${tenantId}/`));
+        if (!checkIssuer) {
+            logger.error(`The token is issued by unexpected tenant: ${payload.iss}`);
+            return false;
+        }
+        // validate that the token is issued for the required scope
+        const checkRequiredScope = !requiredScope || payload.scp?.includes(requiredScope);
+        if (!checkRequiredScope) {
+            logger.error(`The token is not issued for the required scope: ${requiredScope}`);
+            return false;
+        }
+        // all checks passed
+        return true;
+    }
+    /**
+     * Decodes an access token without verifying if the signature is valid.
+     * @param {ILogger} logger The logger to use.
+     * @param {string} rawAccessToken the raw access token.
+     * @returns {jwt.JWT | null} A decoded token if the raw access token is well formed.
+     */
+    decodeToken(logger, rawAccessToken) {
+        try {
+            return jsonwebtoken_1.default.decode(rawAccessToken, { complete: true });
+        }
+        catch (error) {
+            logger.error(error);
+            return null;
+        }
+    }
+    /**
+     * Gets the public key from the key identifier in a token header
+     * @param {ILogger} logger The logger to use.
+     * @param {jwt.JwtHeader} header the token header
+     * @returns {Promise<string | undefined>} the public key corresponding to the header key identifier, if available
+     */
+    async getPublicKey(logger, header) {
+        try {
+            const signingKey = await this.keyClient.getSigningKey(header.kid);
+            return signingKey.getPublicKey() ?? null;
+        }
+        catch (error) {
+            logger.error(error);
+            return null;
+        }
+    }
+    /**
+     * Decodes the access token and verifies it against the public key
+     * @param {ILogger} logger The logger to use.
+     * @param {string} rawAccessToken the raw access token.
+     * @param {string} publicKey the public key to verify signature against.
+     * @returns {Promise<jwt.JWT | null>} A decoded token if the raw token is well formed and the signature is valid.
+     */
+    validateTokenSignature(logger, rawAccessToken, publicKey) {
+        try {
+            return jsonwebtoken_1.default.verify(rawAccessToken, publicKey, { complete: true });
+        }
+        catch (error) {
+            logger.error(error);
+            return null;
+        }
+    }
+}
+exports.EntraTokenValidator = EntraTokenValidator;
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZW50cmEtdG9rZW4tdmFsaWRhdG9yLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL21pZGRsZXdhcmUvZW50cmEtdG9rZW4tdmFsaWRhdG9yLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7OztBQUFBLGdFQUFvRDtBQUNwRCx3REFBa0Q7QUF5QjNDLE1BQU0sYUFBYSxHQUFHLENBQUMsT0FBMkIsRUFBYyxFQUFFLENBQUMsSUFBQSxrQkFBVSxFQUFDLE9BQU8sQ0FBQyxDQUFDO0FBQWpGLFFBQUEsYUFBYSxpQkFBb0U7QUFFOUY7O0dBRUc7QUFDSCxNQUFhLG1CQUFtQjtJQUNyQixRQUFRLENBQVM7SUFDakIsUUFBUSxDQUFTO0lBQ2pCLG9CQUFvQixDQUFXO0lBQ2hDLFNBQVMsQ0FBYTtJQUU5QixZQUFZLEVBQUUsUUFBUSxFQUFFLFFBQVEsRUFBRSxPQUFPLEVBQTZCO1FBQ3BFLElBQUksQ0FBQyxRQUFRLEdBQUcsUUFBUSxDQUFDO1FBQ3pCLElBQUksQ0FBQyxRQUFRLEdBQUcsUUFBUSxDQUFDO1FBRXpCLDJFQUEyRTtRQUMzRSwwRUFBMEU7UUFDMUUsMkVBQTJFO1FBQzNFLE1BQU0sYUFBYSxHQUFHLENBQUMsUUFBUSxFQUFFLGVBQWUsRUFBRSxXQUFXLENBQUMsQ0FBQyxJQUFJLENBQUMsQ0FBQyxHQUFHLEVBQUUsRUFBRSxDQUFDLFFBQVEsS0FBSyxHQUFHLENBQUMsQ0FBQztRQUMvRixJQUFJLENBQUMsb0JBQW9CLEdBQUcsYUFBYSxDQUFDLENBQUMsQ0FBQyxDQUFDLE9BQU8sRUFBRSxnQkFBZ0IsSUFBSSxFQUFFLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLENBQUM7UUFFaEcsSUFBSSxDQUFDLFNBQVMsR0FBRyxJQUFBLHFCQUFhLEVBQUM7WUFDN0IsT0FBTyxFQUFFLHFDQUFxQyxRQUFRLHNCQUFzQjtTQUM3RSxDQUFDLENBQUM7SUFDTCxDQUFDO0lBRUQ7Ozs7OztPQU1HO0lBQ0gsS0FBSyxDQUFDLG1CQUFtQixDQUN2QixNQUFlLEVBQ2YsY0FBc0IsRUFDdEIsYUFBc0I7UUFFdEIsSUFBSSxDQUFDLGNBQWMsRUFBRSxDQUFDO1lBQ3BCLE1BQU0sQ0FBQyxLQUFLLENBQUMsbUJBQW1CLENBQUMsQ0FBQztZQUNsQyxPQUFPLElBQUksQ0FBQztRQUNkLENBQUM7UUFFRCxNQUFNLEtBQUssR0FBRyxJQUFJLENBQUMsV0FBVyxDQUFDLE1BQU0sRUFBRSxjQUFjLENBQUMsQ0FBQztRQUN2RCxJQUFJLENBQUMsS0FBSyxFQUFFLENBQUM7WUFDWCxNQUFNLENBQUMsS0FBSyxDQUFDLG1DQUFtQyxDQUFDLENBQUM7WUFDbEQsT0FBTyxJQUFJLENBQUM7UUFDZCxDQUFDO1FBRUQsTUFBTSxTQUFTLEdBQUcsTUFBTSxJQUFJLENBQUMsWUFBWSxDQUFDLE1BQU0sRUFBRSxLQUFLLENBQUMsTUFBTSxDQUFDLENBQUM7UUFDaEUsSUFBSSxDQUFDLFNBQVMsRUFBRSxDQUFDO1lBQ2YsTUFBTSxDQUFDLEtBQUssQ0FBQyxxREFBcUQsS0FBSyxDQUFDLE1BQU0sQ0FBQyxHQUFHLEdBQUcsQ0FBQyxDQUFDO1lBQ3ZGLE9BQU8sSUFBSSxDQUFDO1FBQ2QsQ0FBQztRQUVELE1BQU0sY0FBYyxHQUFHLElBQUksQ0FBQyxzQkFBc0IsQ0FBQyxNQUFNLEVBQUUsY0FBYyxFQUFFLFNBQVMsQ0FBQyxDQUFDO1FBQ3RGLElBQUksQ0FBQyxjQUFjLEVBQUUsQ0FBQztZQUNwQixNQUFNLENBQUMsS0FBSyxDQUFDLHdDQUF3QyxDQUFDLENBQUM7WUFDdkQsT0FBTyxJQUFJLENBQUM7UUFDZCxDQUFDO1FBRUQsSUFBSSxDQUFDLElBQUksQ0FBQyx5QkFBeUIsQ0FBQyxNQUFNLEVBQUUsY0FBYyxFQUFFLGFBQWEsQ0FBQyxFQUFFLENBQUM7WUFDM0UsTUFBTSxDQUFDLEtBQUssQ0FBQyw0Q0FBNEMsQ0FBQyxDQUFDO1lBQzNELE9BQU8sSUFBSSxDQUFDO1FBQ2QsQ0FBQztRQUVELE9BQU8sY0FBYyxDQUFDO0lBQ3hCLENBQUM7SUFFRCxlQUFlLENBQUMsS0FBYztRQUM1QixPQUFPLEtBQUssQ0FBQyxPQUFPLFlBQVksTUFBTSxDQUFDLENBQUMsQ0FBQyxLQUFLLENBQUMsT0FBTyxDQUFDLENBQUMsQ0FBQyxJQUFJLENBQUM7SUFDaEUsQ0FBQztJQUVEOzs7Ozs7O09BT0c7SUFDSyx5QkFBeUIsQ0FDL0IsTUFBZSxFQUNmLEtBQWMsRUFDZCxhQUFzQjtRQUV0QixNQUFNLE9BQU8sR0FBRyxJQUFJLENBQUMsZUFBZSxDQUFDLEtBQUssQ0FBQyxDQUFDO1FBQzVDLElBQUksQ0FBQyxPQUFPLEVBQUUsQ0FBQztZQUNiLE1BQU0sQ0FBQyxLQUFLLENBQUMsd0JBQXdCLENBQUMsQ0FBQztZQUN2QyxPQUFPLEtBQUssQ0FBQztRQUNmLENBQUM7UUFFRCx3REFBd0Q7UUFDeEQsNkRBQTZEO1FBQzdELE1BQU0sR0FBRyxHQUFHLElBQUksQ0FBQyxLQUFLLENBQUMsSUFBSSxJQUFJLEVBQUUsQ0FBQyxPQUFPLEVBQUUsR0FBRyxNQUFNLENBQUMsQ0FBQztRQUN0RCxNQUFNLGNBQWMsR0FBRyxPQUFPLENBQUMsR0FBRyxJQUFJLE9BQU8sQ0FBQyxHQUFHLElBQUksR0FBRyxJQUFJLE9BQU8sQ0FBQyxHQUFHLElBQUksT0FBTyxDQUFDLEdBQUcsSUFBSSxHQUFHLENBQUM7UUFFOUYsSUFBSSxDQUFDLGNBQWMsRUFBRSxDQUFDO1lBQ3BCLE1BQU0sQ0FBQyxLQUFLLENBQUMsd0NBQXdDLENBQUMsQ0FBQztZQUN2RCxPQUFPLEtBQUssQ0FBQztRQUNmLENBQUM7UUFFRCxvQkFBb0I7UUFDcEIsTUFBTSxhQUFhLEdBQUcsT0FBTyxDQUFDLEdBQUcsS0FBSyxJQUFJLENBQUMsUUFBUSxJQUFJLE9BQU8sQ0FBQyxHQUFHLEtBQUssU0FBUyxJQUFJLENBQUMsUUFBUSxFQUFFLENBQUM7UUFDaEcsSUFBSSxDQUFDLGFBQWEsRUFBRSxDQUFDO1lBQ25CLE1BQU0sQ0FBQyxLQUFLLENBQUMsb0RBQW9ELENBQUMsQ0FBQztZQUNuRSxPQUFPLEtBQUssQ0FBQztRQUNmLENBQUM7UUFFRCxNQUFNLFdBQVcsR0FBRyxPQUFPLENBQUMsR0FBRyxDQUFDO1FBQ2hDLElBQUksQ0FBQyxXQUFXLEVBQUUsQ0FBQztZQUNqQixNQUFNLENBQUMsS0FBSyxDQUFDLHVCQUF1QixDQUFDLENBQUM7WUFDdEMsT0FBTyxLQUFLLENBQUM7UUFDZixDQUFDO1FBRUQsd0JBQXdCO1FBQ3hCLHNHQUFzRztRQUN0Ryx5R0FBeUc7UUFDekcseUNBQXlDO1FBQ3pDLGdIQUFnSDtRQUNoSCxNQUFNLFdBQVcsR0FDZixDQUFDLElBQUksQ0FBQyxvQkFBb0IsQ0FBQyxNQUFNO1lBQ2pDLElBQUksQ0FBQyxvQkFBb0IsQ0FBQyxJQUFJLENBQUMsQ0FBQyxRQUFRLEVBQUUsRUFBRSxDQUMxQyxXQUFXLENBQUMsVUFBVSxDQUFDLHFDQUFxQyxRQUFRLEdBQUcsQ0FBQyxDQUN6RSxDQUFDO1FBQ0osSUFBSSxDQUFDLFdBQVcsRUFBRSxDQUFDO1lBQ2pCLE1BQU0sQ0FBQyxLQUFLLENBQUMsNkNBQTZDLE9BQU8sQ0FBQyxHQUFHLEVBQUUsQ0FBQyxDQUFDO1lBQ3pFLE9BQU8sS0FBSyxDQUFDO1FBQ2YsQ0FBQztRQUVELDJEQUEyRDtRQUMzRCxNQUFNLGtCQUFrQixHQUFHLENBQUMsYUFBYSxJQUFJLE9BQU8sQ0FBQyxHQUFHLEVBQUUsUUFBUSxDQUFDLGFBQWEsQ0FBQyxDQUFDO1FBQ2xGLElBQUksQ0FBQyxrQkFBa0IsRUFBRSxDQUFDO1lBQ3hCLE1BQU0sQ0FBQyxLQUFLLENBQUMsbURBQW1ELGFBQWEsRUFBRSxDQUFDLENBQUM7WUFDakYsT0FBTyxLQUFLLENBQUM7UUFDZixDQUFDO1FBRUQsb0JBQW9CO1FBQ3BCLE9BQU8sSUFBSSxDQUFDO0lBQ2QsQ0FBQztJQUVEOzs7OztPQUtHO0lBQ0ssV0FBVyxDQUFDLE1BQWUsRUFBRSxjQUFzQjtRQUN6RCxJQUFJLENBQUM7WUFDSCxPQUFPLHNCQUFHLENBQUMsTUFBTSxDQUFDLGNBQWMsRUFBRSxFQUFFLFFBQVEsRUFBRSxJQUFJLEVBQUUsQ0FBQyxDQUFDO1FBQ3hELENBQUM7UUFBQyxPQUFPLEtBQUssRUFBRSxDQUFDO1lBQ2YsTUFBTSxDQUFDLEtBQUssQ0FBQyxLQUFLLENBQUMsQ0FBQztZQUNwQixPQUFPLElBQUksQ0FBQztRQUNkLENBQUM7SUFDSCxDQUFDO0lBRUQ7Ozs7O09BS0c7SUFDSyxLQUFLLENBQUMsWUFBWSxDQUN4QixNQUFlLEVBQ2YsTUFBa0M7UUFFbEMsSUFBSSxDQUFDO1lBQ0gsTUFBTSxVQUFVLEdBQUcsTUFBTSxJQUFJLENBQUMsU0FBUyxDQUFDLGFBQWEsQ0FBQyxNQUFNLENBQUMsR0FBRyxDQUFDLENBQUM7WUFDbEUsT0FBTyxVQUFVLENBQUMsWUFBWSxFQUFFLElBQUksSUFBSSxDQUFDO1FBQzNDLENBQUM7UUFBQyxPQUFPLEtBQUssRUFBRSxDQUFDO1lBQ2YsTUFBTSxDQUFDLEtBQUssQ0FBQyxLQUFLLENBQUMsQ0FBQztZQUNwQixPQUFPLElBQUksQ0FBQztRQUNkLENBQUM7SUFDSCxDQUFDO0lBRUQ7Ozs7OztPQU1HO0lBQ0ssc0JBQXNCLENBQzVCLE1BQWUsRUFDZixjQUFzQixFQUN0QixTQUFpQjtRQUVqQixJQUFJLENBQUM7WUFDSCxPQUFPLHNCQUFHLENBQUMsTUFBTSxDQUFDLGNBQWMsRUFBRSxTQUFTLEVBQUUsRUFBRSxRQUFRLEVBQUUsSUFBSSxFQUFFLENBQUMsQ0FBQztRQUNuRSxDQUFDO1FBQUMsT0FBTyxLQUFLLEVBQUUsQ0FBQztZQUNmLE1BQU0sQ0FBQyxLQUFLLENBQUMsS0FBSyxDQUFDLENBQUM7WUFDcEIsT0FBTyxJQUFJLENBQUM7UUFDZCxDQUFDO0lBQ0gsQ0FBQztDQUNGO0FBN0xELGtEQTZMQyJ9

package/dist/middleware/index.d.ts

@@ -0,0 +1,3 @@
+export { EntraTokenValidator } from './entra-token-validator';
+export * from './strip-mentions-text';
+export * from './with-client-auth';

package/dist/middleware/index.js

@@ -0,0 +1,22 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EntraTokenValidator = void 0;
+var entra_token_validator_1 = require("./entra-token-validator");
+Object.defineProperty(exports, "EntraTokenValidator", { enumerable: true, get: function () { return entra_token_validator_1.EntraTokenValidator; } });
+__exportStar(require("./strip-mentions-text"), exports);
+__exportStar(require("./with-client-auth"), exports);
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvbWlkZGxld2FyZS9pbmRleC50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7Ozs7Ozs7Ozs7Ozs7OztBQUFBLGlFQUE4RDtBQUFyRCw0SEFBQSxtQkFBbUIsT0FBQTtBQUM1Qix3REFBc0M7QUFDdEMscURBQW1DIn0=

package/dist/middleware/strip-mentions-text.d.ts

@@ -0,0 +1,3 @@
+import * as api from '@microsoft/teams.api';
+import { IActivityContext } from '../contexts';
+export declare function stripMentionsText(options?: api.StripMentionsTextOptions): ({ activity, next }: IActivityContext) => void | api.InvokeResponse | Promise<void | api.InvokeResponse>;

package/dist/middleware/strip-mentions-text.js

@@ -0,0 +1,48 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.stripMentionsText = stripMentionsText;
+const api = __importStar(require("@microsoft/teams.api"));
+function stripMentionsText(options) {
+    return ({ activity, next }) => {
+        if (activity.type === 'message' ||
+            activity.type === 'messageUpdate' ||
+            activity.type === 'typing') {
+            activity.text = api.stripMentionsText(activity, options);
+        }
+        return next();
+    };
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic3RyaXAtbWVudGlvbnMtdGV4dC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uL3NyYy9taWRkbGV3YXJlL3N0cmlwLW1lbnRpb25zLXRleHQudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7QUFJQSw4Q0FZQztBQWhCRCwwREFBNEM7QUFJNUMsU0FBZ0IsaUJBQWlCLENBQUMsT0FBc0M7SUFDdEUsT0FBTyxDQUFDLEVBQUUsUUFBUSxFQUFFLElBQUksRUFBb0IsRUFBRSxFQUFFO1FBQzlDLElBQ0UsUUFBUSxDQUFDLElBQUksS0FBSyxTQUFTO1lBQzNCLFFBQVEsQ0FBQyxJQUFJLEtBQUssZUFBZTtZQUNqQyxRQUFRLENBQUMsSUFBSSxLQUFLLFFBQVEsRUFDMUIsQ0FBQztZQUNELFFBQVEsQ0FBQyxJQUFJLEdBQUcsR0FBRyxDQUFDLGlCQUFpQixDQUFDLFFBQVEsRUFBRSxPQUFPLENBQUMsQ0FBQztRQUMzRCxDQUFDO1FBRUQsT0FBTyxJQUFJLEVBQUUsQ0FBQztJQUNoQixDQUFDLENBQUM7QUFDSixDQUFDIn0=

package/dist/middleware/with-client-auth.d.ts

@@ -0,0 +1,13 @@
+import express from 'express';
+import { ILogger } from '@microsoft/teams.common';
+import { Credentials } from '@microsoft/teams.api';
+import { IClientContext } from '../contexts';
+import { EntraTokenValidator } from './entra-token-validator';
+export type WithClientAuthParams = Partial<Credentials> & {
+    entraTokenValidator?: Pick<EntraTokenValidator, 'validateAccessToken' | 'getTokenPayload'>;
+    readonly logger: ILogger;
+};
+export type ClientAuthRequest = express.Request & {
+    context?: IClientContext;
+};
+export declare function withClientAuth(params: WithClientAuthParams): (req: ClientAuthRequest, res: express.Response, next: express.NextFunction) => Promise<void>;

package/dist/middleware/with-client-auth.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.withClientAuth = withClientAuth;
+function withClientAuth(params) {
+    const entraTokenValidator = params.entraTokenValidator;
+    const log = params.logger;
+    return async (req, res, next) => {
+        const appSessionId = req.header('X-Teams-App-Session-Id');
+        const pageId = req.header('X-Teams-Page-Id');
+        const authorization = req.header('Authorization')?.split(' ');
+        const authToken = authorization?.length === 2 && authorization[0].toLowerCase() === 'bearer'
+            ? authorization[1]
+            : '';
+        const validatedToken = !entraTokenValidator
+            ? null
+            : await entraTokenValidator.validateAccessToken(log, authToken);
+        if (!pageId || !appSessionId || !validatedToken || !entraTokenValidator) {
+            log.debug('unauthorized');
+            res.status(401).send('unauthorized');
+            return;
+        }
+        const tokenPayload = entraTokenValidator.getTokenPayload(validatedToken);
+        req.context = {
+            appId: tokenPayload?.['appId'],
+            appSessionId,
+            authToken,
+            channelId: req.header('X-Teams-Channel-Id'),
+            chatId: req.header('X-Teams-Chat-Id'),
+            meetingId: req.header('X-Teams-Meeting-Id'),
+            messageId: req.header('X-Teams-Message-Id'),
+            pageId,
+            subPageId: req.header('X-Teams-Sub-Page-Id'),
+            teamId: req.header('X-Teams-Team-Id'),
+            tenantId: tokenPayload?.['tid'],
+            userId: tokenPayload?.['oid'],
+        };
+        next();
+    };
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoid2l0aC1jbGllbnQtYXV0aC5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uL3NyYy9taWRkbGV3YXJlL3dpdGgtY2xpZW50LWF1dGgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7QUFpQkEsd0NBMENDO0FBMUNELFNBQWdCLGNBQWMsQ0FBQyxNQUE0QjtJQUN6RCxNQUFNLG1CQUFtQixHQUFHLE1BQU0sQ0FBQyxtQkFBbUIsQ0FBQztJQUN2RCxNQUFNLEdBQUcsR0FBRyxNQUFNLENBQUMsTUFBTSxDQUFDO0lBRTFCLE9BQU8sS0FBSyxFQUFFLEdBQXNCLEVBQUUsR0FBcUIsRUFBRSxJQUEwQixFQUFFLEVBQUU7UUFDekYsTUFBTSxZQUFZLEdBQUcsR0FBRyxDQUFDLE1BQU0sQ0FBQyx3QkFBd0IsQ0FBQyxDQUFDO1FBQzFELE1BQU0sTUFBTSxHQUFHLEdBQUcsQ0FBQyxNQUFNLENBQUMsaUJBQWlCLENBQUMsQ0FBQztRQUM3QyxNQUFNLGFBQWEsR0FBRyxHQUFHLENBQUMsTUFBTSxDQUFDLGVBQWUsQ0FBQyxFQUFFLEtBQUssQ0FBQyxHQUFHLENBQUMsQ0FBQztRQUM5RCxNQUFNLFNBQVMsR0FDYixhQUFhLEVBQUUsTUFBTSxLQUFLLENBQUMsSUFBSSxhQUFhLENBQUMsQ0FBQyxDQUFDLENBQUMsV0FBVyxFQUFFLEtBQUssUUFBUTtZQUN4RSxDQUFDLENBQUMsYUFBYSxDQUFDLENBQUMsQ0FBQztZQUNsQixDQUFDLENBQUMsRUFBRSxDQUFDO1FBRVQsTUFBTSxjQUFjLEdBQUcsQ0FBQyxtQkFBbUI7WUFDekMsQ0FBQyxDQUFDLElBQUk7WUFDTixDQUFDLENBQUMsTUFBTSxtQkFBbUIsQ0FBQyxtQkFBbUIsQ0FBQyxHQUFHLEVBQUUsU0FBUyxDQUFDLENBQUM7UUFFbEUsSUFBSSxDQUFDLE1BQU0sSUFBSSxDQUFDLFlBQVksSUFBSSxDQUFDLGNBQWMsSUFBSSxDQUFDLG1CQUFtQixFQUFFLENBQUM7WUFDeEUsR0FBRyxDQUFDLEtBQUssQ0FBQyxjQUFjLENBQUMsQ0FBQztZQUMxQixHQUFHLENBQUMsTUFBTSxDQUFDLEdBQUcsQ0FBQyxDQUFDLElBQUksQ0FBQyxjQUFjLENBQUMsQ0FBQztZQUNyQyxPQUFPO1FBQ1QsQ0FBQztRQUVELE1BQU0sWUFBWSxHQUFHLG1CQUFtQixDQUFDLGVBQWUsQ0FBQyxjQUFjLENBQUMsQ0FBQztRQUV6RSxHQUFHLENBQUMsT0FBTyxHQUFHO1lBQ1osS0FBSyxFQUFFLFlBQVksRUFBRSxDQUFDLE9BQU8sQ0FBQztZQUM5QixZQUFZO1lBQ1osU0FBUztZQUNULFNBQVMsRUFBRSxHQUFHLENBQUMsTUFBTSxDQUFDLG9CQUFvQixDQUFDO1lBQzNDLE1BQU0sRUFBRSxHQUFHLENBQUMsTUFBTSxDQUFDLGlCQUFpQixDQUFDO1lBQ3JDLFNBQVMsRUFBRSxHQUFHLENBQUMsTUFBTSxDQUFDLG9CQUFvQixDQUFDO1lBQzNDLFNBQVMsRUFBRSxHQUFHLENBQUMsTUFBTSxDQUFDLG9CQUFvQixDQUFDO1lBQzNDLE1BQU07WUFDTixTQUFTLEVBQUUsR0FBRyxDQUFDLE1BQU0sQ0FBQyxxQkFBcUIsQ0FBQztZQUM1QyxNQUFNLEVBQUUsR0FBRyxDQUFDLE1BQU0sQ0FBQyxpQkFBaUIsQ0FBQztZQUNyQyxRQUFRLEVBQUUsWUFBWSxFQUFFLENBQUMsS0FBSyxDQUFDO1lBQy9CLE1BQU0sRUFBRSxZQUFZLEVBQUUsQ0FBQyxLQUFLLENBQUM7U0FDOUIsQ0FBQztRQUVGLElBQUksRUFBRSxDQUFDO0lBQ1QsQ0FBQyxDQUFDO0FBQ0osQ0FBQyJ9

package/dist/oauth.d.ts

@@ -0,0 +1,9 @@
+export type OAuthSettings = {
+    /**
+     * the OAuth connection name to use for
+     * authentication
+     * @default `graph`
+     */
+    readonly defaultConnectionName?: string;
+};
+export declare const DEFAULT_OAUTH_SETTINGS: Required<OAuthSettings>;

package/dist/oauth.js

@@ -0,0 +1,7 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DEFAULT_OAUTH_SETTINGS = void 0;
+exports.DEFAULT_OAUTH_SETTINGS = {
+    defaultConnectionName: 'graph',
+};
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoib2F1dGguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi9zcmMvb2F1dGgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7O0FBU2EsUUFBQSxzQkFBc0IsR0FBNEI7SUFDN0QscUJBQXFCLEVBQUUsT0FBTztDQUMvQixDQUFDIn0=

package/dist/plugins/http/index.d.ts

@@ -0,0 +1,2 @@
+export * from './plugin';
+export * from './stream';

package/dist/plugins/http/index.js

@@ -0,0 +1,19 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./plugin"), exports);
+__exportStar(require("./stream"), exports);
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi8uLi9zcmMvcGx1Z2lucy9odHRwL2luZGV4LnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7Ozs7Ozs7Ozs7Ozs7QUFBQSwyQ0FBeUI7QUFDekIsMkNBQXlCIn0=