Deprecate skipAuth in favor of dangerouslyAllowUnauthenticatedRequests#636
Open
heyitsaamir wants to merge 4 commits into
Open
Deprecate skipAuth in favor of dangerouslyAllowUnauthenticatedRequests#636heyitsaamir wants to merge 4 commits into
heyitsaamir wants to merge 4 commits into
Conversation
Add dangerouslyAllowUnauthenticatedRequests as the replacement for skipAuth, keep skipAuth as an AppOptions-only deprecated alias, and support the new option via DANGEROUSLY_ALLOW_UNAUTHENTICATED_REQUESTS. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR deprecates the existing skipAuth auth-bypass option and replaces it with a more explicit dangerouslyAllowUnauthenticatedRequests flag, adding optional env-var support to enable the bypass for local development/testing.
Changes:
- Introduces
dangerouslyAllowUnauthenticatedRequestsacrossApp,HttpServer, andHttpPlugin, while keepingskipAuthas a deprecatedAppOptionsalias. - Adds
DANGEROUSLY_ALLOW_UNAUTHENTICATED_REQUESTSsupport via a sharedisTruthyEnvValuehelper. - Updates tests and documentation to reflect the new option name and behavior.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| packages/botbuilder/src/adapter.spec.ts | Updates botbuilder adapter tests to use dangerouslyAllowUnauthenticatedRequests instead of skipAuth. |
| packages/apps/src/utils/env.ts | Adds isTruthyEnvValue helper for consistent env-var truthiness parsing. |
| packages/apps/src/utils/env.spec.ts | Adds unit tests for isTruthyEnvValue. |
| packages/apps/src/plugins/http/plugin.ts | Replaces skipAuth option plumbing with dangerouslyAllowUnauthenticatedRequests in the deprecated HttpPlugin. |
| packages/apps/src/plugins/http/plugin.spec.ts | Updates HttpPlugin tests to cover the renamed option and pass-through. |
| packages/apps/src/http/http-server.ts | Renames the bypass option to dangerouslyAllowUnauthenticatedRequests and updates warnings/auth flow accordingly. |
| packages/apps/src/http/http-server.spec.ts | Updates HttpServer tests for the renamed option and default behavior. |
| packages/apps/src/app.ts | Adds dangerouslyAllowUnauthenticatedRequests to AppOptions, supports env var fallback, and keeps skipAuth as deprecated alias. |
| packages/apps/src/app.spec.ts | Adds coverage for option/env-var precedence and deprecated skipAuth alias support. |
| packages/apps/README.md | Documents the new option and DANGEROUSLY_ALLOW_UNAUTHENTICATED_REQUESTS env var for local testing. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
corinagum
approved these changes
Jul 9, 2026
Rename the internal truthy parsing helper from env-specific naming to string-specific naming while keeping it private to the package. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
corinagum
approved these changes
Jul 9, 2026
Use the existing direct process.env access style in App when resolving DANGEROUSLY_ALLOW_UNAUTHENTICATED_REQUESTS. Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
corinagum
reviewed
Jul 9, 2026
Comment on lines
+137
to
+143
| * Dangerously allow incoming HTTP requests without Teams service token validation. | ||
| * Uses environment variable DANGEROUSLY_ALLOW_UNAUTHENTICATED_REQUESTS if not explicitly provided. | ||
| */ | ||
| readonly dangerouslyAllowUnauthenticatedRequests?: boolean; | ||
|
|
||
| /** | ||
| * @deprecated Use dangerouslyAllowUnauthenticatedRequests instead. |
Collaborator
There was a problem hiding this comment.
Since TS only gets a JSDoc by nature, do we want to add a log that will be seen in this case?
corinagum
reviewed
Jul 9, 2026
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
dangerouslyAllowUnauthenticatedRequestsas the replacement auth-bypass optionskipAuthas a deprecatedAppOptions-only alias and remove it from lower HTTP/plugin layersDANGEROUSLY_ALLOW_UNAUTHENTICATED_REQUESTSsupport via an internal truthy env helperValidation
npm test --workspace @microsoft/teams.apps -- app.spec.ts env.spec.ts --runInBandnpm test --workspace @microsoft/teams.apps -- http-server.spec.ts app.spec.ts plugin.spec.ts --runInBandnpm run lint --workspace @microsoft/teams.appsnpm run build --workspace @microsoft/teams.appsnpm test --workspace @microsoft/teams.botbuilder -- --runInBand