Skip to content

fix(outlook): add Trusted Types policy and extend auth timeout #65

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
conceptblenders wants to merge 3 commits into
base: main
Choose a base branch
from
+32 −1
Open

fix(outlook): add Trusted Types policy and extend auth timeout #65

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
084d7ee
fix(outlook): add Trusted Types policy and extend auth timeout
conceptblenders Apr 20, 2026
0e68789
fix(outlook): narrow Trusted Types default policy to zod probe only
conceptblenders Apr 20, 2026
338ff5b
fix(outlook): address maintainer review feedback
conceptblenders Apr 20, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 24 additions & 0 deletions plugins/outlook/src/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,27 @@
// Outlook on cloud.microsoft enforces Trusted Types (CSP). Zod's allowsEval
// feature-detect calls new Function("") the first time a zod parser runs
// (lazy, memoized via cached()). This policy just needs to exist before that
// first runtime call — import statements are hoisted regardless, but the probe
// only fires when a tool handler first invokes a zod schema at runtime.
if (typeof window !== 'undefined') {
try {
const tt = (window as Window & {
trustedTypes?: TrustedTypePolicyFactory & { defaultPolicy?: TrustedTypePolicy | null };
}).trustedTypes;
if (tt && !tt.defaultPolicy) {
tt.createPolicy('default', {
createScript: (s: string) => {
// Only allow the empty-string probe used by zod's allowsEval feature-detect.
if (s !== '') throw new TypeError('Blocked Trusted Types script conversion');
return s;
},
});
}
} catch {
// 'default' policy already exists, or Trusted Types not supported — safe to ignore.
}
}

import { OpenTabsPlugin } from '@opentabs-dev/plugin-sdk';
import type { ToolDefinition } from '@opentabs-dev/plugin-sdk';
import { isAuthenticated, waitForAuth } from './outlook-api.js';
Expand Down
9 changes: 8 additions & 1 deletion plugins/outlook/src/outlook-api.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -158,7 +158,14 @@ const getAuth = (): OutlookAuth | null => {
return auth;
};

export const isAuthenticated = (): boolean => getAuth() !== null;
export const isAuthenticated = (): boolean => {
// During OAuth redirect the #code= fragment is present but MSAL tokens are
// not yet in localStorage. Return false early so the platform's 30s re-poll
// catches the token once the handshake completes, rather than burning the
// 5s isReady window on token searches that will all fail.
if (typeof window !== 'undefined' && window.location.hash.includes('code=')) return false;
return getAuth() !== null;
};

export const waitForAuth = (): Promise<boolean> =>
waitUntil(() => isAuthenticated(), { interval: 500, timeout: 5000 }).then(
Expand Down