Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Trharris/authenticate https #2270

Merged
merged 14 commits into from
Apr 29, 2024
Merged

Trharris/authenticate https #2270

Show file tree
Hide file tree
Changes from 12 commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
deda4cc
Restrict authentication.authenticate to only accept https urls
TrevorJoelHarris Apr 17, 2024
c3004d9
Create @microsoft-teams-js-40968a44-8220-4162-a289-038e99f5bee3.json
TrevorJoelHarris Apr 17, 2024
d7a5048
Updated based on PR feedback
TrevorJoelHarris Apr 17, 2024
393e68b
Merge branch 'main' into trharris/authenticateHttps
TrevorJoelHarris Apr 19, 2024
0c4ab5c
Merge branch 'main' into trharris/authenticateHttps
TrevorJoelHarris Apr 24, 2024
85f1d99
Merge branch 'main' into trharris/authenticateHttps
TrevorJoelHarris Apr 25, 2024
0892b96
Updated to use new validation functions and added(?) support for URL …
TrevorJoelHarris Apr 25, 2024
18d2502
Merge branch 'main' into trharris/authenticateHttps
AE-MS Apr 26, 2024
e15bbab
abstract out the auth code's use of the a tag and then add tests to m…
TrevorJoelHarris Apr 26, 2024
9664063
Merge branch 'trharris/authenticateHttps' of https://github.com/Offic…
TrevorJoelHarris Apr 26, 2024
6a9c079
Merge branch 'main' into trharris/authenticateHttps
TrevorJoelHarris Apr 26, 2024
91dcf39
Re-order imports
TrevorJoelHarris Apr 26, 2024
baaad3f
Updated based on PR feedback
TrevorJoelHarris Apr 26, 2024
352e93d
Merge branch 'main' into trharris/authenticateHttps
TrevorJoelHarris Apr 29, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
7 changes: 7 additions & 0 deletions change/@microsoft-teams-js-40968a44-8220-4162-a289-038e99f5bee3.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
{
"type": "patch",
"comment": "Updated `authentication.authenticate` so that it only accepts https URLs.",
"packageName": "@microsoft/teams-js",
"email": "trharris@microsoft.com",
"dependentChangeType": "patch"
}
6 changes: 6 additions & 0 deletions packages/teams-js/src/internal/utils.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -429,6 +429,12 @@ export function validateUrl(url: URL, errorToThrow?: Error): void {
}
}

export function fullyQualifyUrlString(urlString: string): URL {
TrevorJoelHarris marked this conversation as resolved.
Show resolved Hide resolved
TrevorJoelHarris marked this conversation as resolved.
Show resolved Hide resolved
TrevorJoelHarris marked this conversation as resolved.
Show resolved Hide resolved
const link = document.createElement('a');
link.href = urlString;
TrevorJoelHarris marked this conversation as resolved.
Show resolved Hide resolved
return new URL(link.href);
}

/**
* The hasScriptTags function first decodes any HTML entities in the input string using the decodeHTMLEntities function.
* It then tries to decode the result as a URI component. If the URI decoding fails (which would throw an error), it assumes that the input was not encoded and uses the original input.
Expand Down
30 changes: 11 additions & 19 deletions packages/teams-js/src/public/authentication.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import { GlobalVars } from '../internal/globalVars';
import { registerHandler, removeHandler } from '../internal/handlers';
import { ensureInitializeCalled, ensureInitialized } from '../internal/internalAPIs';
import { ApiName, ApiVersionNumber, getApiVersionTag } from '../internal/telemetry';
import { fullyQualifyUrlString, validateUrl } from '../internal/utils';
import { FrameContexts, HostClientType } from './constants';
import { runtime } from './runtime';

Expand Down Expand Up @@ -160,26 +161,15 @@ export namespace authentication {

function authenticateHelper(apiVersionTag: string, authenticateParameters: AuthenticateParameters): Promise<string> {
return new Promise<string>((resolve, reject) => {
if (
GlobalVars.hostClientType === HostClientType.desktop ||
GlobalVars.hostClientType === HostClientType.android ||
GlobalVars.hostClientType === HostClientType.ios ||
GlobalVars.hostClientType === HostClientType.ipados ||
GlobalVars.hostClientType === HostClientType.macos ||
GlobalVars.hostClientType === HostClientType.rigel ||
GlobalVars.hostClientType === HostClientType.teamsRoomsWindows ||
GlobalVars.hostClientType === HostClientType.teamsRoomsAndroid ||
GlobalVars.hostClientType === HostClientType.teamsPhones ||
GlobalVars.hostClientType === HostClientType.teamsDisplays ||
GlobalVars.hostClientType === HostClientType.surfaceHub
) {
if (GlobalVars.hostClientType !== HostClientType.web) {
// Convert any relative URLs into absolute URLs before sending them over to the parent window.
const link = document.createElement('a');
link.href = authenticateParameters.url;
const fullyQualifiedURL: URL = fullyQualifyUrlString(authenticateParameters.url);
validateUrl(fullyQualifiedURL);

// Ask the parent window to open an authentication window with the parameters provided by the caller.
resolve(
sendMessageToParentAsync<[boolean, string]>(apiVersionTag, 'authentication.authenticate', [
link.href,
fullyQualifiedURL.href,
authenticateParameters.width,
authenticateParameters.height,
authenticateParameters.isExternal,
Expand Down Expand Up @@ -358,9 +348,11 @@ export namespace authentication {
// Ensure that the new window is always smaller than our app's window so that it never fully covers up our app
width = Math.min(width, Communication.currentWindow.outerWidth - 400);
height = Math.min(height, Communication.currentWindow.outerHeight - 200);

// Convert any relative URLs into absolute URLs before sending them over to the parent window
const link = document.createElement('a');
link.href = authenticateParameters.url.replace('{oauthRedirectMethod}', 'web');
const qualifiedURL = fullyQualifyUrlString(authenticateParameters.url.replace('{oauthRedirectMethod}', 'web'));
TrevorJoelHarris marked this conversation as resolved.
Show resolved Hide resolved
validateUrl(qualifiedURL);

// We are running in the browser, so we need to center the new window ourselves
let left: number =
typeof Communication.currentWindow.screenLeft !== 'undefined'
Expand All @@ -374,7 +366,7 @@ export namespace authentication {
top += Communication.currentWindow.outerHeight / 2 - height / 2;
// Open a child window with a desired set of standard browser features
Communication.childWindow = Communication.currentWindow.open(
link.href,
qualifiedURL.href,
'_blank',
'toolbar=no, location=yes, status=no, menubar=no, scrollbars=yes, top=' +
top +
Expand Down