18 changes: 18 additions & 0 deletions packages/apps/src/microsoft_teams/apps/http/http_server.py
Expand Up @@ -4,6 +4,7 @@
"""

import logging
import re
from types import SimpleNamespace
from typing import Any, Awaitable, Callable, Dict, Optional, cast

Expand All @@ -18,6 +19,14 @@

logger = logging.getLogger(__name__)

_LOG_CONTROL_CHARS = re.compile(r"[\r\n\t\x00-\x1f\x7f]")


def _safe_log_field(value: object) -> str:
"""Strip control characters and cap length so an attacker-controlled activity
field cannot forge multi-line log entries (log injection)."""
return _LOG_CONTROL_CHARS.sub("", str(value if value is not None else "unknown"))[:64]


class HttpServer:
"""
Expand Down Expand Up @@ -95,11 +104,20 @@ async def handle_request(self, request: HttpRequest) -> HttpResponse:
body = request["body"]
headers = request["headers"]

entry_type = _safe_log_field(body.get("type"))
entry_id = _safe_log_field(body.get("id"))

# Validate JWT token
authorization = headers.get("authorization") or headers.get("Authorization") or ""

if self._token_validator and not self._skip_auth:
if not authorization.startswith("Bearer "):
logger.warning(
"inbound activity rejected (type=%s, id=%s): missing or malformed "
"Authorization header (responding 401)",
entry_type,
entry_id,
)
return HttpResponse(status=401, body={"error": "Unauthorized"})

raw_token = authorization.removeprefix("Bearer ")
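Review bot: `_safe_log_field` in the second hunk strips only ASCII controls (`[\r\n\t\x00-\x1f\x7f]`), so a value containing U+0085, U+2028 or U+2029 — which many log viewers and line-based parsers treat as a line break — still reaches the `logger.warning` calls in the third hunk unchanged, and C1 controls (U+0080–U+009F) and format characters pass through as well. A character-class filter covers all of these without maintaining a regex: `text = str(value if value is not None else "unknown")` followed by `return "".join(ch for ch in text if ch.isprintable())[:64]`, which drops every Cc/Cf/Zl/Zp code point while keeping ordinary spaces; the `_LOG_CONTROL_CHARS` constant then becomes unused (a constructed check: `"a\u2028b"` is returned verbatim by the current regex and becomes `"ab"` with `isprintable`). Minor: `\r\n\t` inside the class is redundant with the `\x00-\x1f` range. In the third hunk `body.get("type")` presumes `body` is a mapping; if a JSON array or scalar can arrive there (not visible in this hunk — confirm against the caller), the `.get` raises before the new 401 path is reached. `handle_request` begins and ends outside the hunk.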