Only browsers sends a request to Teams (#3122)

aleDsz · web-flow · commit 5fc51ab3e4d6 · 2026-01-21T17:34:04.000-03:00
diff --git a/lib/livebook/zta/livebook_teams.ex b/lib/livebook/zta/livebook_teams.ex
@@ -74,6 +74,26 @@ defmodule Livebook.ZTA.LivebookTeams do
      |> halt(), nil}
   end
 
+  defp handle_request(conn, team, %{"teams_redirect" => _, "redirect_to" => redirect_to}) do
+    case Teams.Requests.create_auth_request(team) do
+      {:ok, %{"authorize_uri" => authorize_uri}} ->
+        uri =
+          authorize_uri
+          |> URI.new!()
+          |> URI.append_query("redirect_to=#{redirect_to}")
+
+        {conn
+         |> redirect(external: URI.to_string(uri))
+         |> halt(), nil}
+
+      {_error_or_transport_error, _reason} ->
+        {conn
+         |> put_session(:teams_error, true)
+         |> redirect(to: conn.request_path)
+         |> halt(), nil}
+    end
+  end
+
   defp handle_request(conn, team, _params) do
     case get_session(conn) do
       %{"livebook_teams_access_token" => access_token} ->
@@ -100,14 +120,14 @@ defmodule Livebook.ZTA.LivebookTeams do
          |> halt(), nil}
 
       _ ->
-        request_user_authentication(conn, team)
+        request_user_authentication(conn)
     end
   end
 
   defp validate_access_token(conn, team, access_token) do
     case get_user_info(team, access_token) do
       {:ok, metadata} -> {conn, metadata}
-      _ -> request_user_authentication(conn, team)
+      _ -> request_user_authentication(conn)
     end
   end
 
@@ -118,41 +138,33 @@ defmodule Livebook.ZTA.LivebookTeams do
     end
   end
 
-  defp request_user_authentication(conn, team) do
-    case Teams.Requests.create_auth_request(team) do
-      {:ok, %{"authorize_uri" => authorize_uri}} ->
-        # We have the browser do the redirect because the browser
-        # knows the current page location. Unfortunately, it is quite
-        # complex to know the actual host on the server, because the
-        # user may be running inside a proxy. So in order to make the
-        # feature more accessible, we do the redirecting on the client.
-        conn =
-          html(conn, """
-          <!DOCTYPE html>
-          <html lang="en">
-            <head>
-              <meta charset="UTF-8">
-              <title>Redirecting...</title>
-              <script>
-                const redirectTo = new URL(window.location.href);
-                redirectTo.searchParams.append("teams_identity", "");
-
-                const url = new URL("#{authorize_uri}");
-                url.searchParams.set("redirect_to", redirectTo.toString());
-                window.location.href = url.toString();
-              </script>
-            </head>
-          </html>
-          """)
-
-        {halt(conn), nil}
-
-      _ ->
-        {conn
-         |> put_session(:teams_error, true)
-         |> redirect(to: conn.request_path)
-         |> halt(), nil}
-    end
+  defp request_user_authentication(conn) do
+    # We have the browser do the redirect because the browser
+    # knows the current page location. Unfortunately, it is quite
+    # complex to know the actual host on the server, because the
+    # user may be running inside a proxy. So in order to make the
+    # feature more accessible, we do the redirecting on the client.
+    html_document = """
+    <!DOCTYPE html>
+    <html lang="en">
+      <head>
+        <meta charset="UTF-8">
+        <title>Redirecting...</title>
+        <script>
+          const redirectTo = new URL(window.location.href);
+          redirectTo.searchParams.append("teams_identity", "");
+
+          const url = new URL(window.location.href);
+          url.searchParams.set("redirect_to", redirectTo.toString());
+          url.searchParams.append("teams_redirect", "");
+
+          window.location.href = url.toString();
+        </script>
+      </head>
+    </html>
+    """
+
+    {conn |> html(html_document) |> halt(), nil}
   end
 
   defp get_user_info(team, access_token) do
diff --git a/test/livebook_teams/zta/livebook_teams_test.exs b/test/livebook_teams/zta/livebook_teams_test.exs
@@ -25,18 +25,36 @@ defmodule Livebook.ZTA.LivebookTeamsTest do
     end
 
     test "gets the user information from Livebook Teams", %{conn: conn, node: node, test: test} do
-      # Step 1: Get redirected to Livebook Teams
+      # Step 1: Would get redirected to Livebook to check if it's a bot
       conn = init_test_session(conn, %{})
       {conn, nil} = LivebookTeams.authenticate(test, conn, [])
+      assert html_response(conn, 200) =~ "teams_redirect"
 
-      [_, location] = Regex.run(~r/URL\("(.*?)"\)/, html_response(conn, 200))
+      redirect_to =
+        LivebookWeb.Endpoint.url()
+        |> URI.new!()
+        |> URI.append_query("teams_identity")
+
+      # Step 2: Checks if the given request belongs to a browser
+      conn =
+        build_conn(:get, "/", %{teams_redirect: "", redirect_to: URI.to_string(redirect_to)})
+        |> init_test_session(%{})
+        |> put_req_header(
+          "user-agent",
+          "Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"
+        )
+
+      {conn, nil} = LivebookTeams.authenticate(test, conn, [])
+
+      # Step 3: Get redirected to Livebook Teams
+      location = Phoenix.ConnTest.redirected_to(conn)
       uri = URI.parse(location)
       assert uri.path == "/identity/authorize"
       assert %{"token" => token} = URI.decode_query(uri.query)
 
       %{code: code} = TeamsRPC.allow_auth_request(node, token)
 
-      # Step 2: Emulate the redirect back with the code for validation
+      # Step 4: Emulate the redirect back with the code for validation
       conn =
         build_conn(:get, "/", %{teams_identity: "", code: code})
         |> init_test_session(Plug.Conn.get_session(conn))
@@ -46,14 +64,29 @@ defmodule Livebook.ZTA.LivebookTeamsTest do
 
       assert redirected_to(conn, 302) == "/"
 
-      # Step 3: Confirm the token is valid for future requests
+      # Step 5: Confirm the token is valid for future requests
       conn =
         build_conn(:get, "/")
         |> init_test_session(Plug.Conn.get_session(conn))
 
       assert {%{halted: false}, ^metadata} = LivebookTeams.authenticate(test, conn, [])
     end
 
+    test "blocks non-browsers to reach Livebook Teams", %{test: test} do
+      redirect_to =
+        LivebookWeb.Endpoint.url()
+        |> URI.new!()
+        |> URI.append_query("teams_identity")
+
+      conn =
+        build_conn(:get, "/", %{teams_redirect: "", redirect_to: URI.to_string(redirect_to)})
+        |> init_test_session(%{})
+        |> put_req_header("user-agent", "Mozilla/5.0 (compatible; Thinkbot/0.5.8; +blablabla.)")
+
+      {conn, nil} = LivebookTeams.authenticate(test, conn, [])
+      assert response(conn, 200) == ""
+    end
+
     test "shows an error when the user does not belong to the org", %{conn: conn, test: test} do
       # Step 1: Emulate a request coming from Teams saying the user does belong to the org
       conn = init_test_session(conn, %{})
diff --git a/test/support/integration/teams_tests.ex b/test/support/integration/teams_tests.ex
@@ -179,18 +179,26 @@ defmodule Livebook.TeamsIntegrationHelper do
   end
 
   def authenticate_user_on_teams(name, node, team) do
-    conn = Phoenix.ConnTest.build_conn()
+    conn =
+      Phoenix.ConnTest.build_conn()
+      |> Plug.Conn.put_req_header(
+        "user-agent",
+        "Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0"
+      )
+
+    redirect_to =
+      LivebookWeb.Endpoint.url()
+      |> URI.new!()
+      |> URI.append_query("teams_identity")
 
-    response =
+    uri =
       conn
       |> LivebookWeb.ConnCase.with_authorization(team.id, name)
-      |> get("/")
-      |> html_response(200)
+      |> get("/", %{teams_redirect: "", redirect_to: URI.to_string(redirect_to)})
+      |> Phoenix.ConnTest.redirected_to()
+      |> URI.parse()
 
-    [_, location] = Regex.run(~r/URL\("(.*?)"\)/, response)
-    uri = URI.parse(location)
     %{"token" => token} = URI.decode_query(uri.query)
-
     %{code: code} = Livebook.TeamsRPC.allow_auth_request(node, token)
 
     session =
@@ -199,7 +207,7 @@ defmodule Livebook.TeamsIntegrationHelper do
       |> get("/", %{teams_identity: "", code: code})
       |> Plug.Conn.get_session()
 
-    authenticated_conn = %Plug.Conn{} = Plug.Test.init_test_session(conn, session)
+    authenticated_conn = Plug.Test.init_test_session(conn, session)
     final_conn = get(authenticated_conn, "/")
     assigns = Map.take(final_conn.assigns, [:current_user])
 
