Skip to content

Deprecate skipAuth in favor of dangerouslyAllowUnauthenticatedRequests#636

Open
heyitsaamir wants to merge 4 commits into
microsoft:mainfrom
heyitsaamir:heyitsaamir-deprecate-skipauth
Open

Deprecate skipAuth in favor of dangerouslyAllowUnauthenticatedRequests#636
heyitsaamir wants to merge 4 commits into
microsoft:mainfrom
heyitsaamir:heyitsaamir-deprecate-skipauth

Conversation

@heyitsaamir

Copy link
Copy Markdown
Collaborator

Summary

  • add dangerouslyAllowUnauthenticatedRequests as the replacement auth-bypass option
  • keep skipAuth as a deprecated AppOptions-only alias and remove it from lower HTTP/plugin layers
  • add DANGEROUSLY_ALLOW_UNAUTHENTICATED_REQUESTS support via an internal truthy env helper

Validation

  • npm test --workspace @microsoft/teams.apps -- app.spec.ts env.spec.ts --runInBand
  • npm test --workspace @microsoft/teams.apps -- http-server.spec.ts app.spec.ts plugin.spec.ts --runInBand
  • npm run lint --workspace @microsoft/teams.apps
  • npm run build --workspace @microsoft/teams.apps
  • npm test --workspace @microsoft/teams.botbuilder -- --runInBand

Add dangerouslyAllowUnauthenticatedRequests as the replacement for skipAuth, keep skipAuth as an AppOptions-only deprecated alias, and support the new option via DANGEROUSLY_ALLOW_UNAUTHENTICATED_REQUESTS.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 9, 2026 05:07

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR deprecates the existing skipAuth auth-bypass option and replaces it with a more explicit dangerouslyAllowUnauthenticatedRequests flag, adding optional env-var support to enable the bypass for local development/testing.

Changes:

  • Introduces dangerouslyAllowUnauthenticatedRequests across App, HttpServer, and HttpPlugin, while keeping skipAuth as a deprecated AppOptions alias.
  • Adds DANGEROUSLY_ALLOW_UNAUTHENTICATED_REQUESTS support via a shared isTruthyEnvValue helper.
  • Updates tests and documentation to reflect the new option name and behavior.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated no comments.

Show a summary per file
File Description
packages/botbuilder/src/adapter.spec.ts Updates botbuilder adapter tests to use dangerouslyAllowUnauthenticatedRequests instead of skipAuth.
packages/apps/src/utils/env.ts Adds isTruthyEnvValue helper for consistent env-var truthiness parsing.
packages/apps/src/utils/env.spec.ts Adds unit tests for isTruthyEnvValue.
packages/apps/src/plugins/http/plugin.ts Replaces skipAuth option plumbing with dangerouslyAllowUnauthenticatedRequests in the deprecated HttpPlugin.
packages/apps/src/plugins/http/plugin.spec.ts Updates HttpPlugin tests to cover the renamed option and pass-through.
packages/apps/src/http/http-server.ts Renames the bypass option to dangerouslyAllowUnauthenticatedRequests and updates warnings/auth flow accordingly.
packages/apps/src/http/http-server.spec.ts Updates HttpServer tests for the renamed option and default behavior.
packages/apps/src/app.ts Adds dangerouslyAllowUnauthenticatedRequests to AppOptions, supports env var fallback, and keeps skipAuth as deprecated alias.
packages/apps/src/app.spec.ts Adds coverage for option/env-var precedence and deprecated skipAuth alias support.
packages/apps/README.md Documents the new option and DANGEROUSLY_ALLOW_UNAUTHENTICATED_REQUESTS env var for local testing.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Rename the internal truthy parsing helper from env-specific naming to string-specific naming while keeping it private to the package.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Use the existing direct process.env access style in App when resolving DANGEROUSLY_ALLOW_UNAUTHENTICATED_REQUESTS.

Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Comment thread packages/apps/src/app.ts
Comment on lines +137 to +143
* Dangerously allow incoming HTTP requests without Teams service token validation.
* Uses environment variable DANGEROUSLY_ALLOW_UNAUTHENTICATED_REQUESTS if not explicitly provided.
*/
readonly dangerouslyAllowUnauthenticatedRequests?: boolean;

/**
* @deprecated Use dangerouslyAllowUnauthenticatedRequests instead.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since TS only gets a JSDoc by nature, do we want to add a log that will be seen in this case?

Comment thread packages/apps/src/utils/string.ts Outdated
Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants