Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

POST /v3/conversations ➡ InternalServerError: Cannot read property 'appid' of undefined

See original GitHub issue

Version

4.2.1

Describe the bug

Bot Framework emulator is throwing a 500 InternalServerError when posting to /v3/conversations, despite the same code works in a deployed bot with Microsoft Teams.

(1) The error message is Cannot read property 'appid' of undefined, when the request contains a valid JWT Bearer token in the Authorization header. (The JWT payload DOES contain a property called appid btw.)

(2) If I leave the Authorization header empty, I get another 500 InternalServerError and the error message is Cannot read property 'payload' of undefined.

(3) If I send some random text as the Bearer token in the Authorization header - as suggested here - I get a 401 Unauthorized (at least not another 500 InternalServerError 🙄).

Repro steps

Start the Bot Framework Emulator.
Open Postman.
Make a POST request to the local serviceUrl’s /v3/conversations endpoint (it should look like this: http://localhost:PORT/v3/conversations) with the request body included below and (1) a JWT generated by the .NET Bot Builder SDK v4 / (2) nothing / (3) some random text in the Authorization header.
See error.

Expected behavior

DO NOT give back 500 InternalServerErrors with JavaScript error messages on the API endpoints. Handle the errors and send back a 400 BadRequest or even an 500 InternalServerError but with a meaningful error message.
In the (1) situation the API should respond with a 200 OK and send the conversationId in the body of the response.
In the (2) situation the API should respond with a 401 Unauthorized IMHO, but clearly not with 500 InternalServerError.
In the (3) situation the 401 Unauthorized is correct IMHO, but if we take @tonyanziano’s comment into account, then it should respond correctly with 200 OK and a conversationId.

Debug

I was able trace the issue back to this line in the Bot Framework Emulator: https://github.com/Microsoft/BotFramework-Emulator/blob/4b620e3367938243a70fada026654280727b7beb/packages/emulator/core/src/conversations/middleware/getBotEndpoint.ts#L64 But I’m not totally sure what is causing the issue here. Maybe something is broken in JWT parsing.

Additional context

Request body:

{
  "bot": {
    "id": "3",
    "name": "Bot",
    "role": "bot"
  },
  "members": [
    {
      "id": "3570b2c3-9377-4880-87a1-666bba16d0bb",
      "name": "User",
      "role": "user"
    }
  ],
  "channelData": {
    "clientActivityId": "1545857215036.8654911430483678.2"
  }
}

Parsed JWT token:

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "nbCwW56w3KsB-xUaPlLOSLjODGQ",
  "kid": "nbCwW56w3KsB-xUaPlLOSLjODGQ"
}.{
  "aud": "https://api.botframework.com",
  "iss": "https://sts.windows.net/d6d49420-****-****-****-************/",
  "iat": 1545856906,
  "nbf": 1545856906,
  "exp": 1545860806,
  "aio": "42RgPOsZXnazy/hiHcpsJAVW1petAA==",
  "appid": "3e58d71d-****-****-****-************",
  "appidacr": "1",
  "idp": "https://sts.windows.net/d6d49420-****-****-****-************/",
  "tid": "d6d49420-****-****-****-************",
  "uti": "pL3r9YTz7EuFksrQefLsAA",
  "ver": "1.0"
}.[Signature]

Code used to make the request originally with the .NET Bot Builder SDK v4:

await _botFrameworkAdapter.CreateConversationAsync(
    "emulator",
    "http://localhost:31973",
    new MicrosoftAppCredentials(**appId**, **appPassword**),
    new ConversationParameters(bot: **botChannelAccount**, members: new List<ChannelAccount> { **userChannelAccount** }, channelData: **channelData**),
    Callback(),
    cancellationToken);

[bug]

Issue Analytics

State:
Created 5 years ago
Comments:6 (3 by maintainers)

Top GitHub Comments

1reaction

justinwilabycommented, Jan 3, 2019

Beginning work on this now.

1reaction

mark-szabocommented, Jan 2, 2019

So while debugging with @justinwilaby, we discovered the following bugs/question marks:

On the above mentioned line the payload property of jwt is not necessary, appid is directly contained in jwt.

- (req as any).botEndpoint = botEmulator.facilities.endpoints.getByAppId((req as any).jwt.payload.appid);
+ (req as any).botEndpoint = botEmulator.facilities.endpoints.getByAppId((req as any).jwt.appid);

In createConversations.ts there is a check whether conversationParameters.activity is null. But it should rather check whether it is undefined…

- if (conversationParameters.activity !== null)
+ if (conversationParameters.activity)

There is something spooky with another check in createConversations.ts: this does not have a property called botid. What is ‘security bot id’ by the way?

if (conversationParameters.bot.id !== this.botId) {
    throw createAPIException(HttpStatus.BAD_REQUEST, ErrorCodes.BadArgument,
    'conversationParameters.bot.id doesn\'t match security bot id');
}

When we fixed (1), (2), commented out the whole check in (3), we were able to get the 200 OK back with the conversation id. 🥳

But sadly neither when the conversation created nor when I POSTed to /v3/conversations/:conversationId/activities happened anything at all on the emulator UI. What should happen in theory? A new tab should open in the emulator? The activity should appear in the current, open conversation in the emulator?