Security: lock JsonWebToken trust-boundary contract#586
Open
corinagum wants to merge 2 commits into
lilyydu
approved these changes
May 22, 2026
Pull request overview
Documents the security/trust-boundary contract for JsonWebToken in @microsoft/teams.api, clarifying that it is a typed accessor over an already-validated JWT and does not itself perform signature or claim validation.
Changes:
- Adds a constructor docstring to JsonWebToken describing the layered authentication model and explicitly stating that the class does not verify signatures or enforce token validity.
- Points readers to the HTTP-boundary validator (JwtValidator.validateAccessToken) as the intended location for JWT validation.
Summary
Documents the layered authentication model the SDK uses for inbound JSON Web Tokens. TypeScript half of a 3-SDK PR set.
Why
Security scan finding "JsonWebToken No Signature Verification" flagged the JsonWebToken accessor class for decoding tokens without verifying signatures. A cross-SDK audit confirmed this is intentional architecture: signature verification runs at the HTTP boundary (JwtValidator.validateAccessToken in packages/apps/src/middleware/auth/), and the accessor exists as a typed view over already-validated payloads. Every consumer of decoded claims is downstream of a validator pass. This PR makes the architectural invariant explicit at the constructor site so future readers (and the scanner on its next pass) see the design intent locally.
What
Contract docstring at JsonWebToken's constructor explaining that it performs no signature verification, where verification actually happens, and the rule that callers must not construct from raw network input.
What this does not change
- JsonWebToken keeps its current name and shape (verified public on @microsoft/teams.api, so a rename would have been breaking).
- JwtValidator.validateAccessToken exactly as before.
Related PRs
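The layered model described in this PR (verification at the HTTP boundary, a typed accessor over already-validated claims, no construction from raw network input), as an added illustration that is not the SDK's code: JwtValidator and JsonWebToken here are simplified stand-ins modelled on the names in the PR, the HS256 key, the audience value and signToken are constructed for the example, and the ValidatedClaims brand is an assumed device that makes the "callers must not construct from raw input" rule a compile-time error rather than a convention.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Brand that only the boundary validator can mint, so a raw token string
// cannot be passed to the accessor's constructor without a type error.
declare const validated: unique symbol;
export type ValidatedClaims = Record<string, unknown> & { readonly [validated]: true };

const dec = (s: string): Buffer => Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");
const enc = (b: Buffer): string =>
  b.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Stand-in for the HTTP-boundary validator: alg, signature, exp and aud are all checked here.
export class JwtValidator {
  constructor(private readonly key: Buffer, private readonly audience: string) {}

  validateAccessToken(raw: string, now = Math.floor(Date.now() / 1000)): ValidatedClaims {
    const parts = raw.split(".");
    if (parts.length !== 3) throw new Error("malformed token");
    const [h, p, s] = parts;
    const header = JSON.parse(dec(h).toString("utf8"));
    if (header.alg !== "HS256") throw new Error(`unsupported alg: ${header.alg}`); // rejects "none"
    const expected = createHmac("sha256", this.key).update(`${h}.${p}`).digest();
    const actual = dec(s);
    if (actual.length !== expected.length || !timingSafeEqual(actual, expected)) {
      throw new Error("signature verification failed");
    }
    const claims = JSON.parse(dec(p).toString("utf8"));
    if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("token expired");
    if (claims.aud !== this.audience) throw new Error("audience mismatch");
    return claims as ValidatedClaims; // the only place the brand is applied
  }
}

// Stand-in for the accessor: a typed view over claims that performs no verification of its own.
// `new JsonWebToken(rawStringFromRequest)` does not type-check; only validator output is accepted.
export class JsonWebToken {
  constructor(private readonly claims: ValidatedClaims) {}
  get subject(): string | undefined { return this.claims["sub"] as string | undefined; }
  get audience(): string | undefined { return this.claims["aud"] as string | undefined; }
}

// Constructed test-only signer used to mint sample tokens; not part of the boundary model.
export function signToken(claims: Record<string, unknown>, key: Buffer, alg = "HS256"): string {
  const header = enc(Buffer.from(JSON.stringify({ alg, typ: "JWT" })));
  const body = `${header}.${enc(Buffer.from(JSON.stringify(claims)))}`;
  const sig = alg === "HS256" ? enc(createHmac("sha256", key).update(body).digest()) : "";
  return `${body}.${sig}`;
}
```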