bot.notification.findMember returns "undefined" when azure function security level changes from anonymous -> function #9767

Closed
iloveyeseul opened this issue Aug 29, 2023 · 6 comments
Assignees
Labels
needs more info Need user to provide more info no recent activity The issue labeled needs more info gets no reply from issue owner in time TA:Infra Team Area: Infra

Comments

@iloveyeseul

Describe the bug
Our team builds a custom Teams app that deploys the notification bot using Azure Bot Service, an Azure function, and Teams Toolkit with Bot Framework. We noticed that when our Azure function security level changes from "anonymous" to "function", the bot framework returns "undefined" when finding the member installation for this function.

// Create bot.
export const notificationApp = new ConversationBot({
  // The bot id and password to create CloudAdapter.
  // See https://aka.ms/about-bot-adapter to learn more about adapters.
  adapterConfig: {
    MicrosoftAppId: config.botId,
    MicrosoftAppPassword: config.botPassword,
    MicrosoftAppType: "MultiTenant",
  },
  // Enable notification
  notification: {
    enabled: true,
  },
});

member = await notificationApp.notification.findMember(
    m => {
      console.log(JSON.stringify(m));
      return Promise.resolve(m.account.userPrincipalName.toLowerCase() === element.toLowerCase())
    })

To Reproduce
Steps to reproduce the behavior:
Update azure function security level from "anonymous" -> "function"
The BotBuilderCloudAdapter.ConversationBot returns "undefined" for the findMember function

Expected behavior
We expect the member to be returned when the app is installed by the user.

Screenshots
Also, we noticed this error in azure when we ran diagnostics
image


@microsoft-github-policy-service

Thank you for contacting us! Any issue or feedback from you is quite important to us. We will do our best to fully respond to your issue as soon as possible. Sometimes additional investigations may be needed, we will usually get back to you within 2 days by adding comments to this issue. Please stay tuned.

@qinezh

qinezh commented Aug 30, 2023

@iloveyeseul The API endpoint /api/messages is called by the Bot Framework Service; if function-level authentication is enabled, calls to the endpoint will fail.

The bot id & password will be verified while calling /api/messages, so it's safe to keep the API endpoint for anonymous access. For other API endpoints, you're free to enable auth for them.
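
An added example, not part of the original comment or the project's code: a small check over parsed function.json bindings that reports a Bot Framework messaging route whose authLevel is not anonymous, and any other HTTP route that is anonymous. The function folder names, routes and issue labels are assumptions for illustration.

```javascript
// Added example, not from the issue: checks each HTTP trigger's authLevel.
// Function folder names and routes below are constructed sample data.
const BOT_MESSAGING_ROUTE = "messages"; // served as /api/messages

// Parsed function.json contents keyed by function folder (constructed).
const sampleFunctions = {
  messageHandler: {
    bindings: [
      { type: "httpTrigger", direction: "in", name: "req",
        authLevel: "function", methods: ["post"], route: "messages" },
      { type: "http", direction: "out", name: "res" },
    ],
  },
  notifyHttpTrigger: {
    bindings: [
      { type: "httpTrigger", direction: "in", name: "req",
        authLevel: "anonymous", methods: ["post"], route: "notification" },
      { type: "http", direction: "out", name: "res" },
    ],
  },
  notifyTimerTrigger: {
    bindings: [
      { type: "timerTrigger", direction: "in", name: "timer", schedule: "0 0 9 * * *" },
    ],
  },
};

function auditAuthLevels(functions, messagingRoute = BOT_MESSAGING_ROUTE) {
  const findings = [];
  for (const [name, def] of Object.entries(functions)) {
    const trigger = (def.bindings || []).find((b) => b.type === "httpTrigger");
    if (!trigger) continue; // timer and queue triggers expose no HTTP route
    // Without an explicit route, the function name is the route.
    const route = String(trigger.route || name).toLowerCase();
    // A missing authLevel is reported as "unset" rather than guessed.
    const level = String(trigger.authLevel || "unset").toLowerCase();
    if (route === messagingRoute && level !== "anonymous") {
      // Per the thread, function-level auth makes Bot Framework Service calls fail.
      findings.push({ name, route, level, issue: "messaging-route-not-anonymous" });
    } else if (route !== messagingRoute && level === "anonymous") {
      // Nothing on the page says these routes verify the caller themselves.
      findings.push({ name, route, level, issue: "anonymous-non-bot-route" });
    }
  }
  return findings;
}

console.log(auditAuthLevels(sampleFunctions));
```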

@iloveyeseul

iloveyeseul commented Aug 30, 2023

Hello @qinezh, the answer was helpful. I was able to make the /api/messages endpoint anonymous and another endpoint of ours function-level auth, and was able to send/receive notifications. However, after discussing further with the team, we would like to secure the /api/messages endpoint as well for the production app. We don't want to expose any endpoints that are accessible externally, which could be at risk of DoS attacks or have other security implications. Do you have any more suggestions, or know of ways to secure the /api/messages endpoint as well and not make it anonymous?

@microsoft-github-policy-service microsoft-github-policy-service bot added the needs attention This issue needs the attention of a contributor. label Aug 30, 2023
@qinezh

qinezh commented Aug 31, 2023

> Do you have any more suggestions, or know of ways to secure the /api/messages endpoint as well and not make it anonymous?

As far as I know, there's no way to do that, otherwise Bot Framework Service can't access the endpoint /api/messages either.

@qinezh qinezh removed needs attention This issue needs the attention of a contributor. investigating labels Aug 31, 2023
@qinezh qinezh added the needs more info Need user to provide more info label Feb 29, 2024

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 7 days. It will be closed if no further activity occurs within 3 days of this comment. If it is closed, feel free to comment when you are able to provide the additional information and we will re-investigate.

@microsoft-github-policy-service microsoft-github-policy-service bot added the no recent activity The issue labeled needs more info gets no reply from issue owner in time label Mar 8, 2024

Due to lack of details for further investigation, we will archive the issue for now. In case you still have following-up questions on this issue, please always feel free to reopen the issue by clicking ‘reopen issue’ button below the comment box. We will get back to you as soon as possible.
