microsoft · corinagum · Jun 4, 2026 · Mar 25, 2026 · Apr 5, 2026 · Apr 5, 2026
diff --git a/packages/apps/src/http/http-server.spec.ts b/packages/apps/src/http/http-server.spec.ts
@@ -175,6 +175,28 @@ describe('HttpServer', () => {
     });
   });
 
+  describe('handleRequest without credentials and without skipAuth', () => {
+    let noCredServer: HttpServer;
+
+    beforeEach(async () => {
+      noCredServer = new HttpServer(adapter, { ...defaultOptions, skipAuth: false });
+      await noCredServer.initialize({ credentials: undefined });
+    });
+
+    it('should return 401 when no credentials are configured', async () => {
+      noCredServer.onRequest = jest.fn().mockResolvedValue({ status: 200 });
+
+      const result = await adapter.simulateRequest('/api/messages', {
+        type: 'message',
+        serviceUrl: 'https://attacker.com',
+      });
+
+      expect(result.status).toBe(401);
+      expect(result.body).toEqual({ error: 'Authentication not configured' });
+      expect(noCredServer.onRequest).not.toHaveBeenCalled();
+    });
+  });
+
   describe('start', () => {
     it('should delegate to adapter.start()', async () => {
       await server.start(3978);

diff --git a/packages/apps/src/http/http-server.ts b/packages/apps/src/http/http-server.ts
@@ -102,6 +102,10 @@ export class HttpServer implements IHttpServer {
     this.credentials = deps.credentials;
     this.cloud = deps.cloud;
 
+    if (!this.credentials && !this.skipAuth) {
+      this.logger.warn('No credentials configured and skipAuth is not enabled. All incoming requests will be rejected. Configure client authentication to securely receive messages, or set skipAuth: true for local development.');
+    }
+
     // Initialize service token validator if credentials provided and auth not skipped
     if (this.credentials && !this.skipAuth) {
       this.serviceTokenValidator = new ServiceTokenValidator(
@@ -111,10 +115,10 @@ export class HttpServer implements IHttpServer {
         this.logger,
         deps.cloud
       );
-    } else if (!this.credentials) {
+    } else if (!this.credentials && this.skipAuth) {
       this.logger.warn(
-        'No credentials configured (CLIENT_ID / CLIENT_SECRET / TENANT_ID). ' +
-        `Bot will accept unauthenticated requests on ${this._messagingEndpoint}.`
+        'No credentials configured (CLIENT_ID / CLIENT_SECRET / TENANT_ID), ' +
+        `but skipAuth is enabled. Bot will accept unauthenticated requests on ${this._messagingEndpoint}.`
       );
     }
 
@@ -203,7 +207,7 @@ export class HttpServer implements IHttpServer {
     headers: Record<string, string | string[]>,
     body: ICoreActivity
   ): Promise<AuthResult> {
-    if (this.skipAuth || !this.credentials) {
+    if (this.skipAuth) {
       const serviceUrl = body.serviceUrl || '';
 
       return {
@@ -218,6 +222,10 @@ export class HttpServer implements IHttpServer {
       };
     }
 
+    if (!this.credentials) {
+      return { success: false, error: 'Authentication not configured' };
+    }
+
     const raw = headers['authorization'];
     const authHeader = Array.isArray(raw) ? raw[0] : raw;
     if (!authHeader) {

diff --git a/packages/apps/src/middleware/jwt-validation-middleware.ts b/packages/apps/src/middleware/jwt-validation-middleware.ts
@@ -40,8 +40,7 @@ export function withJwtValidation(params: JwtValidationParams) {
     next: express.NextFunction
   ) => {
     if (!validator) {
-      logger.debug('No service token validator configured, skipping validation');
-      next();
+      res.status(401).send('Authentication not configured');
       return;
     }