feat: warn when bot starts without credentials#435
Open
corinagum wants to merge 1 commit into
Open
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a startup log warning to make “anonymous mode” explicit when the Teams bot HTTP server is initialized without credentials, improving observability and helping prevent accidental production deployments that accept unauthenticated traffic.
Changes:
- Emit a WARNING from
HttpServer.initialize()when noclient_idis present on provided credentials (i.e., credentials are unset). - Add unit tests validating the warning is emitted when credentials are missing and not emitted when credentials are provided.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| packages/apps/src/microsoft_teams/apps/http/http_server.py | Adds a startup warning when initializing the messaging endpoint without credentials. |
| packages/apps/tests/test_http_server.py | Adds unit tests covering warning/no-warning behavior during HttpServer.initialize(). |
corinagum
force-pushed
the
cg/devtools-deprecation
branch
from
94398fa to
6bbc718
Compare
Contributor
Author
|
On the Copilot suggestion to add a separate warning when `skip_auth=True` is set with valid credentials: this is intentional. Cross-SDK design decision (same in teams.ts and teams.net) to warn only on missing credentials, not on the explicit `skip_auth` opt-in. Rationale:
Marking as won't-fix for cross-SDK consistency. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
HttpServer.initialize()when noCLIENT_ID/CLIENT_SECRET/TENANT_IDis configured, so customers running anonymously know their bot accepts unauthenticated requests on/api/messages.test_http_server.pycovering: warning fires when no creds, warning does not fire when creds present.Why
Part of the DevTools deprecation rollout. The recommended local-testing path with Microsoft 365 Agents Playground is anonymous mode (no creds configured). The new warning makes that mode explicit at startup, so customers don't ship anonymous-mode bots to production by accident, and so the migration from DevTools to Playground produces a clear signal.
Behavior is unchanged. This is pure observability.
Test plan
pytest tests/test_http_server.py(22/22 passing)App()without credentials. Output:dictConfigreplaces the default root-logger handler at server-startup, so consumers running through Uvicorn need their own logging config (orlogging.basicConfig(level=WARNING)) to see this warning. Customers using the standard Agents templates already have logging configured.🤖 Generated with Claude Code