public async createConnectorClientWithIdentity(serviceUrl: string, identity: ClaimsIdentity): Promise {
if (!identity) {
throw new Error('BotFrameworkAdapter.createConnectorClientWithScope(): invalid identity parameter.');
}
const botAppId = identity.getClaimValue(AuthenticationConstants.AudienceClaim) ||
identity.getClaimValue(AuthenticationConstants.AppIdClaim);
// Anonymous claims and non-skill claims should fall through without modifying the scope.
let credentials: AppCredentials = this.credentials;
// If the request is for skills, we need to create an AppCredentials instance with
// the correct scope for communication between the caller and the skill.
if (botAppId && SkillValidation.isSkillClaim(identity.claims)) {
const scope = JwtTokenValidation.getAppIdFromClaims(identity.claims);
if (this.credentials.oAuthScope === scope) {
// Do nothing, the current credentials and its scope are valid for the skill.
// i.e. the adatper instance is pre-configured to talk with one skill.
} else {
// Since the scope is different, we will create a new instance of the AppCredentials
// so this.credentials.oAuthScope isn't overridden.
credentials = await this.buildCredentials(botAppId, scope);
if (JwtTokenValidation.isGovernment(this.settings.channelService)) {
credentials.oAuthEndpoint = GovernmentConstants.ToChannelFromBotLoginUrl;
// Not sure that this code is correct because the scope was set earlier.
credentials.oAuthScope = GovernmentConstants.ToChannelFromBotOAuthScope;
}
}
}
/**
 * Claims validator for calls that carry skill claims: a skill request is
 * accepted only when the caller's app ID is present in the configured
 * `allowedCallers` list.
 *
 * Claims that are not skill claims are not inspected here and pass through.
 *
 * @param claims - claims of the authenticated caller's JWT
 * @throws Error when `allowedCallers` is missing or empty (deliberately
 *   fail-closed: an absent allow list must not mean "everyone"), or when a
 *   skill caller's app ID is not allow-listed.
 */
const allowedCallersClaimsValidator = async (claims) => {
    const allowListMissing = !allowedCallers || allowedCallers.length === 0;
    if (allowListMissing) {
        throw new Error('AllowedCallers not specified in .env.');
    }
    // A '*' entry disables the per-caller check entirely. Convenient for local
    // development; production configurations should list explicit app IDs.
    const acceptAnyCaller = allowedCallers.includes('*');
    if (acceptAnyCaller || !SkillValidation.isSkillClaim(claims)) {
        return;
    }
    // The calling skill identifies itself through the app ID in its claims;
    // that value must be on the allow list.
    const appId = JwtTokenValidation.getAppIdFromClaims(claims);
    if (!allowedCallers.includes(appId)) {
        throw new Error(`Received a request from a bot with an app ID of "${ appId }". To enable requests from this caller, add the app ID to your configuration file.`);
    }
};
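/**
 * Claims validator for requests coming from a skill: a skill call is accepted
 * only when the caller's app ID appears in the configured `allowedSkills` list.
 *
 * Claims that are not skill claims are not inspected here and pass through.
 *
 * @param claims - claims of the authenticated caller's JWT
 * @throws Error when `allowedSkills` is unset or empty (fail closed rather than
 *   accepting every skill), or when the calling skill's app ID is not in
 *   `allowedSkills`.
 */
const allowedSkillsClaimsValidator = async (claims) => {
    // For security, developer must specify allowedSkills.
    if (!allowedSkills || allowedSkills.length === 0) {
        // Fix: this message previously named AllowedCallers, which is the setting
        // for the other validator; it pointed operators at the wrong config key.
        throw new Error('AllowedSkills not specified in .env.');
    }
    // A '*' entry disables the allow list entirely; avoid it outside development.
    if (!allowedSkills.includes('*') && SkillValidation.isSkillClaim(claims)) {
        // Check that the appId claim in the skill request is in the list of skills configured for this bot.
        const appId = JwtTokenValidation.getAppIdFromClaims(claims);
        if (!allowedSkills.includes(appId)) {
            throw new Error(`Received a request from an application with an appID of "${ appId }". To enable requests from this skill, add the skill to your configuration file.`);
        }
    }
};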
/**
 * Validates that a request carrying skill claims originates from an
 * allow-listed caller. The allow list is `allowedCallers`; a `'*'` entry
 * accepts every caller.
 *
 * Claims that are not skill claims are not inspected here and pass through.
 *
 * @param claims - claims of the authenticated caller's JWT
 * @throws Error when `allowedCallers` is not configured (an empty or missing
 *   list means "nobody", never "everybody"), or when the calling skill's app
 *   ID is not in `allowedCallers`.
 */
const allowedCallersClaimsValidator = async (claims) => {
    // Refuse to run without an explicit allow list.
    const missingAllowList = !allowedCallers || allowedCallers.length === 0;
    if (missingAllowList) {
        throw new Error('AllowedCallers not specified in .env.');
    }
    // Wildcard entry: skip the per-caller check (development convenience;
    // production configs should enumerate the permitted app IDs).
    if (allowedCallers.includes('*')) {
        return;
    }
    // Only skill claims are subject to the caller allow list.
    if (!SkillValidation.isSkillClaim(claims)) {
        return;
    }
    const appId = JwtTokenValidation.getAppIdFromClaims(claims);
    const callerAllowed = allowedCallers.includes(appId);
    if (!callerAllowed) {
        throw new Error(`Received a request from a bot with an app ID of "${ appId }". To enable requests from this caller, add the app ID to your configuration file.`);
    }
};