Skip to content

Deprecate skip_auth in favor of unauthenticated request option#501

Open
heyitsaamir wants to merge 2 commits into
mainfrom
heyitsaamir-deprecate-skipauth
Open

Deprecate skip_auth in favor of unauthenticated request option#501
heyitsaamir wants to merge 2 commits into
mainfrom
heyitsaamir-deprecate-skipauth

Conversation

@heyitsaamir

Copy link
Copy Markdown
Collaborator

Summary

  • Add dangerously_allow_unauthenticated_requests as the preferred app option.
  • Support DANGEROUSLY_ALLOW_UNAUTHENTICATED_REQUESTS for env-based configuration.
  • Keep public skip_auth as a deprecated alias with DeprecationWarning, while normalizing internal server wiring to the new option.
  • Update docs and tests for the new option and deprecated compatibility path.

Validation

  • uv run ruff check
  • uv run pyright
  • uv run pytest packages
  • uv run ruff format --check still reports pre-existing unrelated formatting drift in:
    • examples/formatted-messaging/src/main.py
    • packages/api/src/microsoft_teams/api/models/entity/quoted_reply_entity.py
    • packages/api/tests/unit/test_message_activities.py

Add dangerously_allow_unauthenticated_requests as the preferred option and support DANGEROUSLY_ALLOW_UNAUTHENTICATED_REQUESTS for env-based configuration.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 9, 2026 05:15

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the Apps SDK authentication configuration by deprecating skip_auth in favor of a clearer, explicitly dangerous option (dangerously_allow_unauthenticated_requests), including support for enabling it via an environment variable.

Changes:

  • Introduces dangerously_allow_unauthenticated_requests (and DANGEROUSLY_ALLOW_UNAUTHENTICATED_REQUESTS) and normalizes internal option parsing/wiring.
  • Updates HttpServer initialization and request handling to use the new unauthenticated-request flag.
  • Updates unit tests and package README to reflect the new option and the deprecated compatibility path.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
packages/apps/src/microsoft_teams/apps/options.py Adds env-var parsing + deprecated alias handling while mapping skip_auth to the new option.
packages/apps/src/microsoft_teams/apps/http/http_server.py Switches server auth gating to dangerously_allow_unauthenticated_requests for JWT validation behavior.
packages/apps/src/microsoft_teams/apps/app.py Wires the App’s resolved option into HttpServer.initialize().
packages/apps/tests/test_app.py Adds coverage for env-var configuration and deprecated skip_auth behavior; updates existing init tests.
packages/apps/tests/test_http_server.py Updates server tests to use the new flag and adjusts related descriptions.
packages/apps/README.md Documents how to disable JWT validation for local development using the new option/env var.

Comment thread packages/apps/src/microsoft_teams/apps/options.py
Comment on lines 70 to 75
def initialize(
self,
credentials: Optional[Credentials] = None,
skip_auth: bool = False,
cloud: Optional[CloudEnvironment] = None,
dangerously_allow_unauthenticated_requests: bool = False,
) -> None:
Keep HttpServer as an internal implementation detail while preserving public HTTP adapter exports.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants