botbuilder/lib/teams/teamsSSOTokenExchangeMiddleware.js

"use strict";
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT License.
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
    return new (P || (P = Promise))(function (resolve, reject) {
        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
        step((generator = generator.apply(thisArg, _arguments || [])).next());
    });
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.TeamsSSOTokenExchangeMiddleware = void 0;
const z = require("zod");
const botbuilder_core_1 = require("botbuilder-core");
function getStorageKey(context) {
    var _a;
    const activity = context.activity;
    const channelId = activity.channelId;
    if (!channelId) {
        throw new Error('invalid activity. Missing channelId');
    }
    const conversationId = (_a = activity.conversation) === null || _a === void 0 ? void 0 : _a.id;
    if (!conversationId) {
        throw new Error('invalid activity. Missing conversation.id');
    }
    const value = activity.value;
    if (!(value === null || value === void 0 ? void 0 : value.id)) {
        throw new Error('Invalid signin/tokenExchange. Missing activity.value.id.');
    }
    return `${channelId}/${conversationId}/${value.id}`;
}
function sendInvokeResponse(context, body = null, status = botbuilder_core_1.StatusCodes.OK) {
    return __awaiter(this, void 0, void 0, function* () {
        yield context.sendActivity({
            type: botbuilder_core_1.ActivityTypes.InvokeResponse,
            value: { body, status },
        });
    });
}
const ExchangeToken = z.custom((val) => typeof val.exchangeToken === 'function', { message: 'ExtendedUserTokenProvider' });
/**
 * If the activity name is signin/tokenExchange, this middleware will attempt to
 * exchange the token, and deduplicate the incoming call, ensuring only one
 * exchange request is processed.
 *
 * If a user is signed into multiple Teams clients, the Bot could receive a
 * "signin/tokenExchange" from each client. Each token exchange request for a
 * specific user login will have an identical activity.value.id.
 *
 * Only one of these token exchange requests should be processed by the bot.
 * The others return [StatusCodes.PRECONDITION_FAILED](xref:botframework-schema:StatusCodes.PRECONDITION_FAILED).
 * For a distributed bot in production, this requires distributed storage
 * ensuring only one token exchange is processed. This middleware supports
 * CosmosDb storage found in botbuilder-azure, or MemoryStorage for local development.
 */
class TeamsSSOTokenExchangeMiddleware {
    /**
     * Initializes a new instance of the TeamsSSOTokenExchangeMiddleware class.
     *
     * @param storage The [Storage](xref:botbuilder-core.Storage) to use for deduplication
     * @param oAuthConnectionName The connection name to use for the single sign on token exchange
     */
    constructor(storage, oAuthConnectionName) {
        this.storage = storage;
        this.oAuthConnectionName = oAuthConnectionName;
        if (!storage) {
            throw new TypeError('`storage` parameter is required');
        }
        if (!oAuthConnectionName) {
            throw new TypeError('`oAuthConnectionName` parameter is required');
        }
    }
    /**
     * Called each time the bot receives a new request.
     *
     * @param context Context for current turn of conversation with the user.
     * @param next Function to call to continue execution to the next step in the middleware chain.
     */
    onTurn(context, next) {
        return __awaiter(this, void 0, void 0, function* () {
            if (context.activity.channelId === botbuilder_core_1.Channels.Msteams && context.activity.name === botbuilder_core_1.tokenExchangeOperationName) {
                // If the TokenExchange is NOT successful, the response will have already been sent by exchangedToken
                if (!(yield this.exchangedToken(context))) {
                    return;
                }
                // Only one token exchange should proceed from here. Deduplication is performed second because in the case
                // of failure due to consent required, every caller needs to receive a response
                if (!(yield this.deduplicatedTokenExchangeId(context))) {
                    // If the token is not exchangeable, do not process this activity further.
                    return;
                }
            }
            yield next();
        });
    }
    deduplicatedTokenExchangeId(context) {
        var _a, _b;
        return __awaiter(this, void 0, void 0, function* () {
            // Create a StoreItem with Etag of the unique 'signin/tokenExchange' request
            const storeItem = {
                eTag: (_a = context.activity.value) === null || _a === void 0 ? void 0 : _a.id,
            };
            try {
                // Writing the IStoreItem with ETag of unique id will succeed only once
                yield this.storage.write({
                    [getStorageKey(context)]: storeItem,
                });
            }
            catch (err) {
                const message = (_b = err.message) === null || _b === void 0 ? void 0 : _b.toLowerCase();
                // Do NOT proceed processing this message, some other thread or machine already has processed it.
                // Send 200 invoke response.
                if (message.includes('etag conflict') || message.includes('precondition is not met')) {
                    yield sendInvokeResponse(context);
                    return false;
                }
                throw err;
            }
            return true;
        });
    }
    exchangedToken(context) {
        return __awaiter(this, void 0, void 0, function* () {
            let tokenExchangeResponse;
            const tokenExchangeRequest = context.activity.value;
            try {
                const userTokenClient = context.turnState.get(context.adapter.UserTokenClientKey);
                const exchangeToken = ExchangeToken.safeParse(context.adapter);
                if (userTokenClient) {
                    tokenExchangeResponse = yield userTokenClient.exchangeToken(context.activity.from.id, this.oAuthConnectionName, context.activity.channelId, { token: tokenExchangeRequest.token });
                }
                else if (exchangeToken.success) {
                    tokenExchangeResponse = yield exchangeToken.data.exchangeToken(context, this.oAuthConnectionName, context.activity.from.id, { token: tokenExchangeRequest.token });
                }
                else {
                    new Error('Token Exchange is not supported by the current adapter.');
                }
            }
            catch (_err) {
                // Ignore Exceptions
                // If token exchange failed for any reason, tokenExchangeResponse above stays null,
                // and hence we send back a failure invoke response to the caller.
            }
            if (!(tokenExchangeResponse === null || tokenExchangeResponse === void 0 ? void 0 : tokenExchangeResponse.token)) {
                // The token could not be exchanged (which could be due to a consent requirement)
                // Notify the sender that PreconditionFailed so they can respond accordingly.
                const invokeResponse = {
                    id: tokenExchangeRequest.id,
                    connectionName: this.oAuthConnectionName,
                    failureDetail: 'The bot is unable to exchange token. Proceed with regular login.',
                };
                yield sendInvokeResponse(context, invokeResponse, botbuilder_core_1.StatusCodes.PRECONDITION_FAILED);
                return false;
            }
            return true;
        });
    }
}
exports.TeamsSSOTokenExchangeMiddleware = TeamsSSOTokenExchangeMiddleware;
//# sourceMappingURL=teamsSSOTokenExchangeMiddleware.js.map