From c5b042e20deb23a13c39a19bfba42b257be38ee6 Mon Sep 17 00:00:00 2001
From: Jeff Klouda
Date: Fri, 20 Jun 2025 13:58:41 -0700
Subject: [PATCH 1/3] remove max url length from authenticate flow
---
 packages/teams-js/src/internal/utils.ts | 4 ++--
 packages/teams-js/src/public/authentication.ts | 2 +-
 packages/teams-js/test/internal/utils.spec.ts | 7 ++++++-
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/packages/teams-js/src/internal/utils.ts b/packages/teams-js/src/internal/utils.ts
index 652871eaad..3e0361132d 100644
--- a/packages/teams-js/src/internal/utils.ts
+++ b/packages/teams-js/src/internal/utils.ts
@@ -422,12 +422,12 @@ export function validateId(id: string, errorToThrow?: Error): void {
 }
 }

-export function validateUrl(url: URL, errorToThrow?: Error): void {
+export function validateUrl(url: URL, errorToThrow?: Error, enforceMaxLength: boolean = true): void {
 const urlString = url.toString().toLocaleLowerCase();
 if (hasScriptTags(urlString)) {
 throw errorToThrow || new Error('Invalid Url');
 }
- if (urlString.length > 2048) {
+ if (enforceMaxLength && urlString.length > 2048) {
 throw errorToThrow || new Error('Url exceeds the maximum size of 2048 characters');
 }
 if (!isValidHttpsURL(url)) {
diff --git a/packages/teams-js/src/public/authentication.ts b/packages/teams-js/src/public/authentication.ts
index a8e8b3873a..570add4a95 100644
--- a/packages/teams-js/src/public/authentication.ts
+++ b/packages/teams-js/src/public/authentication.ts
@@ -139,7 +139,7 @@ async function authenticateHelper(
 ): Promise {
 // Convert any relative URLs into absolute URLs before sending them over to the parent window.
 const fullyQualifiedURL: URL = fullyQualifyUrlString(authenticateParameters.url);
- validateUrl(fullyQualifiedURL);
+ validateUrl(fullyQualifiedURL, undefined, false);

 // Ask the parent window to open an authentication window with the parameters provided by the caller.
 return sendMessageToParentAsync<[boolean, string]>(apiVersionTag, 'authentication.authenticate', [
diff --git a/packages/teams-js/test/internal/utils.spec.ts b/packages/teams-js/test/internal/utils.spec.ts
index a024682cac..65ba48ef85 100644
--- a/packages/teams-js/test/internal/utils.spec.ts
+++ b/packages/teams-js/test/internal/utils.spec.ts
@@ -268,7 +268,7 @@ describe('utils', () => {
 expect(error).toEqual(new Error('Invalid Url'));
 }
 });
- it('should throw maxlength exceed error if it contains more than 2048 chars', async () => {
+ it('should throw maxlength exceed error if enforceMaxLength is true and URL contains more than 2048 chars', async () => {
 expect.assertions(1);
 const url = 'https://example.com?param=' + 'a'.repeat(2048);
 try {
@@ -277,6 +277,11 @@ describe('utils', () => {
 expect(error).toEqual(new Error('Url exceeds the maximum size of 2048 characters'));
 }
 });
+ it('should not throw maxlength exceed error if enforceMaxLength is false and URL contains more than 2048 chars', async () => {
+ expect.assertions(1);
+ const url = 'https://example.com?param=' + 'a'.repeat(2048);
+ expect(() => validateUrl(new URL(url), undefined, false)).not.toThrow();
+ });
 it('should throw invalid url error if it non http url', async () => {
 expect.assertions(1);
 // eslint-disable-next-line @microsoft/sdl/no-insecure-url
From 3ee600b53843fe94bcb661559c3baed17b6c6a06 Mon Sep 17 00:00:00 2001
From: Jeff Klouda
Date: Fri, 20 Jun 2025 14:05:51 -0700
Subject: [PATCH 2/3] changefile
---
 ...soft-teams-js-7668fe92-8f01-4492-804f-faba71615848.json | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 change/@microsoft-teams-js-7668fe92-8f01-4492-804f-faba71615848.json
diff --git a/change/@microsoft-teams-js-7668fe92-8f01-4492-804f-faba71615848.json b/change/@microsoft-teams-js-7668fe92-8f01-4492-804f-faba71615848.json
new file mode 100644
index 0000000000..49451b2ac1
--- /dev/null
+++ b/change/@microsoft-teams-js-7668fe92-8f01-4492-804f-faba71615848.json
@@ -0,0 +1,7 @@
+{
+ "type": "patch",
+ "comment": "Removed the max length validation from the `authentication.authenticate` API.",
+ "packageName": "@microsoft/teams-js",
+ "email": "jeklouda@microsoft.com",
+ "dependentChangeType": "patch"
+}
From 042eac132caf99f40296b04f62dd0416e9af63e5 Mon Sep 17 00:00:00 2001
From: Jeff Klouda
Date: Fri, 20 Jun 2025 14:34:09 -0700
Subject: [PATCH 3/3] remove all url size limits
---
 packages/teams-js/src/internal/utils.ts | 5 +----
 packages/teams-js/src/public/authentication.ts | 2 +-
 packages/teams-js/test/internal/utils.spec.ts | 14 --------------
 3 files changed, 2 insertions(+), 19 deletions(-)
diff --git a/packages/teams-js/src/internal/utils.ts b/packages/teams-js/src/internal/utils.ts
index 3e0361132d..42b9785d0a 100644
--- a/packages/teams-js/src/internal/utils.ts
+++ b/packages/teams-js/src/internal/utils.ts
@@ -422,14 +422,11 @@ export function validateId(id: string, errorToThrow?: Error): void {
 }
 }

-export function validateUrl(url: URL, errorToThrow?: Error, enforceMaxLength: boolean = true): void {
+export function validateUrl(url: URL, errorToThrow?: Error): void {
 const urlString = url.toString().toLocaleLowerCase();
 if (hasScriptTags(urlString)) {
 throw errorToThrow || new Error('Invalid Url');
 }
- if (enforceMaxLength && urlString.length > 2048) {
- throw errorToThrow || new Error('Url exceeds the maximum size of 2048 characters');
- }
 if (!isValidHttpsURL(url)) {
 throw errorToThrow || new Error('Url should be a valid https url');
 }
diff --git a/packages/teams-js/src/public/authentication.ts b/packages/teams-js/src/public/authentication.ts
index 570add4a95..a8e8b3873a 100644
--- a/packages/teams-js/src/public/authentication.ts
+++ b/packages/teams-js/src/public/authentication.ts
@@ -139,7 +139,7 @@ async function authenticateHelper(
 ): Promise {
 // Convert any relative URLs into absolute URLs before sending them over to the parent window.
 const fullyQualifiedURL: URL = fullyQualifyUrlString(authenticateParameters.url);
- validateUrl(fullyQualifiedURL, undefined, false);
+ validateUrl(fullyQualifiedURL);

 // Ask the parent window to open an authentication window with the parameters provided by the caller.
 return sendMessageToParentAsync<[boolean, string]>(apiVersionTag, 'authentication.authenticate', [
diff --git a/packages/teams-js/test/internal/utils.spec.ts b/packages/teams-js/test/internal/utils.spec.ts
index 65ba48ef85..6936139137 100644
--- a/packages/teams-js/test/internal/utils.spec.ts
+++ b/packages/teams-js/test/internal/utils.spec.ts
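Review bot: With the `urlString.length > 2048` check deleted, `validateUrl` in utils.ts no longer bounds its input at all, and since it is a shared exported helper the limit goes away for every caller, whereas the change file from patch 2/3 still says only the `authentication.authenticate` API is affected; other callers are not visible in this diff, so the scope should be confirmed and the change-file comment brought in line with it. `hasScriptTags(urlString)` now runs over a string of arbitrary size, and because its implementation is outside this diff it is worth confirming that its matching stays linear on very long inputs. If dropping the limit is intentional, I would record it on the function, e.g. `/** Rejects URLs containing script tags or that are not valid https URLs. Length is intentionally not limited here. */`. The utils.spec.ts hunk in this patch removes both length tests without adding one that pins the new behaviour, for instance that an https URL longer than 2048 characters does not throw. The body of `validateUrl` continues past the end of the hunk.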
@@ -268,20 +268,6 @@ describe('utils', () => {
 expect(error).toEqual(new Error('Invalid Url'));
 }
 });
- it('should throw maxlength exceed error if enforceMaxLength is true and URL contains more than 2048 chars', async () => {
- expect.assertions(1);
- const url = 'https://example.com?param=' + 'a'.repeat(2048);
- try {
- validateUrl(new URL(url));
- } catch (error) {
- expect(error).toEqual(new Error('Url exceeds the maximum size of 2048 characters'));
- }
- });
- it('should not throw maxlength exceed error if enforceMaxLength is false and URL contains more than 2048 chars', async () => {
- expect.assertions(1);
- const url = 'https://example.com?param=' + 'a'.repeat(2048);
- expect(() => validateUrl(new URL(url), undefined, false)).not.toThrow();
- });
 it('should throw invalid url error if it non http url', async () => {
 expect.assertions(1);
 // eslint-disable-next-line @microsoft/sdl/no-insecure-url