Summary
Deferred items from the Teams adapter review (PR #667). None are blocking but should be addressed for production hardening.
Items
Security
serviceUrl domain sanity check — Defense-in-depth: validate that cached serviceUrl domains are known Bot Framework endpoints. Note: Microsoft has marked IsTrustedServiceUrl as obsolete, so this should not be the primary defense.validate_nbf disabled — Consider enabling nbf validation with leeway = 30 for clock skew tolerance instead of skipping entirely.algorithms includes RS384 — OpenID metadata only declares RS256; consider restricting to vec![Algorithm::RS256].
Performance
teams_service_urls uses Mutex — Reply path (read) is much hotter than inbound path (write). Switch to RwLock to reduce contention under load.teams_service_urls unbounded — Add max size similar to LINE's REPLY_TOKEN_CACHE_MAX.
Code Quality
update_activity() dead code — Defined but never called. Add #[allow(dead_code)] with comment or defer to streaming PR.jsonwebtoken = "9" unpinned — Security-critical dependency; consider pinning to exact version.config_from_env test uses remove_var — Race condition risk in multi-threaded test runner; consider #[serial_test::serial] or temp_env.- JWKS
refresh_jwks thundering herd — Multiple concurrent cache misses during key rotation will all hit Microsoft's endpoint. Document as accepted behavior or add a lock.
- Telegram API URL hardcoded — Extract to
TELEGRAM_API_BASE constant (matching LINE's LINE_API_BASE) for mock testing.
- LINE
unwrap_or_default() for channel_id — Add warning log when empty string is produced.
Source
Summary
Deferred items from the Teams adapter review (PR #667). None are blocking but should be addressed for production hardening.
Items
Security
serviceUrldomain sanity check — Defense-in-depth: validate that cachedserviceUrldomains are known Bot Framework endpoints. Note: Microsoft has markedIsTrustedServiceUrlas obsolete, so this should not be the primary defense.validate_nbfdisabled — Consider enabling nbf validation withleeway = 30for clock skew tolerance instead of skipping entirely.algorithmsincludes RS384 — OpenID metadata only declares RS256; consider restricting tovec![Algorithm::RS256].Performance
teams_service_urlsusesMutex— Reply path (read) is much hotter than inbound path (write). Switch toRwLockto reduce contention under load.teams_service_urlsunbounded — Add max size similar to LINE'sREPLY_TOKEN_CACHE_MAX.Code Quality
update_activity()dead code — Defined but never called. Add#[allow(dead_code)]with comment or defer to streaming PR.jsonwebtoken = "9"unpinned — Security-critical dependency; consider pinning to exact version.config_from_envtest usesremove_var— Race condition risk in multi-threaded test runner; consider#[serial_test::serial]ortemp_env.refresh_jwksthundering herd — Multiple concurrent cache misses during key rotation will all hit Microsoft's endpoint. Document as accepted behavior or add a lock.TELEGRAM_API_BASEconstant (matching LINE'sLINE_API_BASE) for mock testing.unwrap_or_default()for channel_id — Add warning log when empty string is produced.Source