fix: search_work_items authentication with Azure Identity

Author: Tiberriver256

project-management/task-management/done.md

@@ -1,5 +1,21 @@
 ## Completed Tasks
 
+- [x] **Task**: Fix search_work_items API authentication error with Azure Identity (GitHub Issue #120)
+  - **Role**: Full-Stack Developer
+  - **Phase**: Completed
+  - **Notes**:
+    - Fixed an authentication issue with the search_work_items API when using Azure Identity authentication
+    - The search API was returning HTML for a login page instead of JSON data
+    - Identified that the search API endpoints (almsearch.dev.azure.com) require Bearer token authentication when using Azure Identity
+    - Fixed all three search features (work items, code, wiki) to properly handle Azure Identity authentication
+    - Added unit and integration tests to verify the fix
+  - **Sub-tasks**:
+    - [x] Updated the getAuthorizationHeader function in search-work-items feature to properly handle Azure Identity authentication
+    - [x] Applied the same fix to search-code and search-wiki features for consistency
+    - [x] Added unit tests to verify Azure Identity token acquisition
+    - [x] Added integration tests for the Azure Identity authentication path
+  - **Completed**: April 2, 2025
+
 - [x] **Task**: Migrate release automation to use Release Please for version management (GitHub Issue #113)
   - **Role**: DevOps Engineer
   - **Phase**: Completed

src/features/search/search-code/feature.spec.unit.ts

@@ -3,6 +3,19 @@ import { searchCode } from './feature';
 import { WebApi } from 'azure-devops-node-api';
 import { AzureDevOpsError } from '../../../shared/errors';
 
+// Mock Azure Identity
+jest.mock('@azure/identity', () => {
+  const mockGetToken = jest.fn().mockResolvedValue({ token: 'mock-token' });
+  return {
+    DefaultAzureCredential: jest.fn().mockImplementation(() => ({
+      getToken: mockGetToken,
+    })),
+    AzureCliCredential: jest.fn().mockImplementation(() => ({
+      getToken: mockGetToken,
+    })),
+  };
+});
+
 // Mock axios
 jest.mock('axios');
 const mockedAxios = axios as jest.Mocked<typeof axios>;

src/features/search/search-code/feature.ts

@@ -1,5 +1,6 @@
 import { WebApi } from 'azure-devops-node-api';
 import axios from 'axios';
+import { DefaultAzureCredential, AzureCliCredential } from '@azure/identity';
 import {
   AzureDevOpsError,
   AzureDevOpsResourceNotFoundError,
@@ -39,7 +40,7 @@ export async function searchCode(
     };
 
     // Get the authorization header from the connection
-    const authHeader = await getAuthorizationHeader(connection);
+    const authHeader = await getAuthorizationHeader();
 
     // Extract organization and project from the connection URL
     const { organization, project } = extractOrgAndProject(
@@ -134,10 +135,9 @@ function extractOrgAndProject(
 /**
  * Get the authorization header from the connection
  *
- * @param connection The Azure DevOps WebApi connection
  * @returns The authorization header
  */
-async function getAuthorizationHeader(connection: WebApi): Promise<string> {
+async function getAuthorizationHeader(): Promise<string> {
   try {
     // For PAT authentication, we can construct the header directly
     if (
@@ -150,15 +150,27 @@ async function getAuthorizationHeader(connection: WebApi): Promise<string> {
       return `Basic ${base64Token}`;
     }
 
-    // For other auth methods, we'll make a simple API call to get a valid token
-    // This is a workaround since we can't directly access the auth handler's token
-    const coreApi = await connection.getCoreApi();
-    await coreApi.getProjects();
+    // For Azure Identity / Azure CLI auth, we need to get a token
+    // using the Azure DevOps resource ID
+    // Choose the appropriate credential based on auth method
+    const credential =
+      process.env.AZURE_DEVOPS_AUTH_METHOD?.toLowerCase() === 'azure-cli'
+        ? new AzureCliCredential()
+        : new DefaultAzureCredential();
+
+    // Azure DevOps resource ID for token acquisition
+    const AZURE_DEVOPS_RESOURCE_ID = '499b84ac-1321-427f-aa17-267ca6975798';
+
+    // Get token for Azure DevOps
+    const token = await credential.getToken(
+      `${AZURE_DEVOPS_RESOURCE_ID}/.default`,
+    );
+
+    if (!token || !token.token) {
+      throw new Error('Failed to acquire token for Azure DevOps');
+    }
 
-    // At this point, the connection should have made a request and we can
-    // extract the auth header from the most recent request
-    // If this fails, we'll fall back to a default approach
-    return `Basic ${Buffer.from(':' + process.env.AZURE_DEVOPS_PAT).toString('base64')}`;
+    return `Bearer ${token.token}`;
   } catch (error) {
     throw new AzureDevOpsValidationError(
       `Failed to get authorization header: ${error instanceof Error ? error.message : String(error)}`,

src/features/search/search-wiki/feature.ts

@@ -1,5 +1,6 @@
 import { WebApi } from 'azure-devops-node-api';
 import axios from 'axios';
+import { DefaultAzureCredential, AzureCliCredential } from '@azure/identity';
 import {
   AzureDevOpsError,
   AzureDevOpsResourceNotFoundError,
@@ -50,7 +51,7 @@ export async function searchWiki(
     }
 
     // Get the authorization header from the connection
-    const authHeader = await getAuthorizationHeader(connection);
+    const authHeader = await getAuthorizationHeader();
 
     // Extract organization and project from the connection URL
     const { organization, project } = extractOrgAndProject(
@@ -141,10 +142,9 @@ function extractOrgAndProject(
 /**
  * Get the authorization header from the connection
  *
- * @param connection The Azure DevOps WebApi connection
  * @returns The authorization header
  */
-async function getAuthorizationHeader(connection: WebApi): Promise<string> {
+async function getAuthorizationHeader(): Promise<string> {
   try {
     // For PAT authentication, we can construct the header directly
     if (
@@ -157,15 +157,27 @@ async function getAuthorizationHeader(connection: WebApi): Promise<string> {
       return `Basic ${base64Token}`;
     }
 
-    // For other auth methods, we'll make a simple API call to get a valid token
-    // This is a workaround since we can't directly access the auth handler's token
-    const coreApi = await connection.getCoreApi();
-    await coreApi.getProjects();
+    // For Azure Identity / Azure CLI auth, we need to get a token
+    // using the Azure DevOps resource ID
+    // Choose the appropriate credential based on auth method
+    const credential =
+      process.env.AZURE_DEVOPS_AUTH_METHOD?.toLowerCase() === 'azure-cli'
+        ? new AzureCliCredential()
+        : new DefaultAzureCredential();
+
+    // Azure DevOps resource ID for token acquisition
+    const AZURE_DEVOPS_RESOURCE_ID = '499b84ac-1321-427f-aa17-267ca6975798';
+
+    // Get token for Azure DevOps
+    const token = await credential.getToken(
+      `${AZURE_DEVOPS_RESOURCE_ID}/.default`,
+    );
+
+    if (!token || !token.token) {
+      throw new Error('Failed to acquire token for Azure DevOps');
+    }
 
-    // At this point, the connection should have made a request and we can
-    // extract the auth header from the most recent request
-    // If this fails, we'll fall back to a default approach
-    return `Basic ${Buffer.from(':' + process.env.AZURE_DEVOPS_PAT).toString('base64')}`;
+    return `Bearer ${token.token}`;
   } catch (error) {
     throw new AzureDevOpsValidationError(
       `Failed to get authorization header: ${error instanceof Error ? error.message : String(error)}`,

src/features/search/search-work-items/feature.spec.int.ts

@@ -169,4 +169,38 @@ describeOrSkip('searchWorkItems (Integration)', () => {
       }
     }
   }, 30000);
+
+  // Add a test to verify Azure Identity authentication if configured
+  if (
+    process.env.AZURE_DEVOPS_AUTH_METHOD?.toLowerCase() === 'azure-identity'
+  ) {
+    test('should search work items using Azure Identity authentication', async () => {
+      // Skip if required environment variables are missing
+      if (!process.env.AZURE_DEVOPS_ORG_URL || !process.env.TEST_PROJECT_ID) {
+        console.log('Skipping test: required environment variables missing');
+        return;
+      }
+
+      // Create a config with Azure Identity authentication
+      const testConfig: AzureDevOpsConfig = {
+        organizationUrl: process.env.AZURE_DEVOPS_ORG_URL,
+        authMethod: AuthenticationMethod.AzureIdentity,
+        defaultProject: process.env.TEST_PROJECT_ID,
+      };
+
+      // Create the connection using the config
+      const connection = await getConnection(testConfig);
+
+      // Search work items
+      const result = await searchWorkItems(connection, {
+        projectId: process.env.TEST_PROJECT_ID,
+        searchText: 'test',
+      });
+
+      // Check that the response is properly formatted
+      expect(result).toBeDefined();
+      expect(result.count).toBeDefined();
+      expect(Array.isArray(result.results)).toBe(true);
+    });
+  }
 });

src/features/search/search-work-items/feature.spec.unit.ts

@@ -13,6 +13,16 @@ import { SearchWorkItemsOptions, WorkItemSearchResponse } from '../types';
 jest.mock('axios');
 const mockedAxios = axios as jest.Mocked<typeof axios>;
 
+// Mock @azure/identity
+jest.mock('@azure/identity', () => ({
+  DefaultAzureCredential: jest.fn().mockImplementation(() => ({
+    getToken: jest
+      .fn()
+      .mockResolvedValue({ token: 'mock-azure-identity-token' }),
+  })),
+  AzureCliCredential: jest.fn(),
+}));
+
 // Mock WebApi
 jest.mock('azure-devops-node-api');
 const MockedWebApi = WebApi as jest.MockedClass<typeof WebApi>;
@@ -266,4 +276,48 @@ describe('searchWorkItems', () => {
       AzureDevOpsValidationError,
     );
   });
+
+  it('should use Azure Identity authentication when AZURE_DEVOPS_AUTH_METHOD is azure-identity', async () => {
+    // Mock environment variables
+    const originalEnv = process.env.AZURE_DEVOPS_AUTH_METHOD;
+    process.env.AZURE_DEVOPS_AUTH_METHOD = 'azure-identity';
+
+    // Mock the WebApi connection
+    const mockConnection = {
+      serverUrl: 'https://dev.azure.com/testorg',
+      getCoreApi: jest.fn().mockResolvedValue({
+        getProjects: jest.fn().mockResolvedValue([]),
+      }),
+    };
+
+    // Mock axios post
+    const mockResponse = {
+      data: {
+        count: 0,
+        results: [],
+      },
+    };
+    (axios.post as jest.Mock).mockResolvedValueOnce(mockResponse);
+
+    // Call the function
+    await searchWorkItems(mockConnection as unknown as WebApi, {
+      projectId: 'testproject',
+      searchText: 'test query',
+    });
+
+    // Verify the axios post was called with a Bearer token
+    expect(axios.post).toHaveBeenCalledWith(
+      expect.any(String),
+      expect.any(Object),
+      {
+        headers: {
+          Authorization: 'Bearer mock-azure-identity-token',
+          'Content-Type': 'application/json',
+        },
+      },
+    );
+
+    // Cleanup
+    process.env.AZURE_DEVOPS_AUTH_METHOD = originalEnv;
+  });
 });

src/features/search/search-work-items/feature.ts

@@ -1,5 +1,6 @@
 import { WebApi } from 'azure-devops-node-api';
 import axios from 'axios';
+import { DefaultAzureCredential, AzureCliCredential } from '@azure/identity';
 import {
   AzureDevOpsError,
   AzureDevOpsResourceNotFoundError,
@@ -38,7 +39,7 @@ export async function searchWorkItems(
     };
 
     // Get the authorization header from the connection
-    const authHeader = await getAuthorizationHeader(connection);
+    const authHeader = await getAuthorizationHeader();
 
     // Extract organization and project from the connection URL
     const { organization, project } = extractOrgAndProject(
@@ -127,10 +128,9 @@ function extractOrgAndProject(
 /**
  * Get the authorization header from the connection
  *
- * @param connection The Azure DevOps WebApi connection
  * @returns The authorization header
  */
-async function getAuthorizationHeader(connection: WebApi): Promise<string> {
+async function getAuthorizationHeader(): Promise<string> {
   try {
     // For PAT authentication, we can construct the header directly
     if (
@@ -143,15 +143,27 @@ async function getAuthorizationHeader(connection: WebApi): Promise<string> {
       return `Basic ${base64Token}`;
     }
 
-    // For other auth methods, we'll make a simple API call to get a valid token
-    // This is a workaround since we can't directly access the auth handler's token
-    const coreApi = await connection.getCoreApi();
-    await coreApi.getProjects();
+    // For Azure Identity / Azure CLI auth, we need to get a token
+    // using the Azure DevOps resource ID
+    // Choose the appropriate credential based on auth method
+    const credential =
+      process.env.AZURE_DEVOPS_AUTH_METHOD?.toLowerCase() === 'azure-cli'
+        ? new AzureCliCredential()
+        : new DefaultAzureCredential();
+
+    // Azure DevOps resource ID for token acquisition
+    const AZURE_DEVOPS_RESOURCE_ID = '499b84ac-1321-427f-aa17-267ca6975798';
+
+    // Get token for Azure DevOps
+    const token = await credential.getToken(
+      `${AZURE_DEVOPS_RESOURCE_ID}/.default`,
+    );
+
+    if (!token || !token.token) {
+      throw new Error('Failed to acquire token for Azure DevOps');
+    }
 
-    // At this point, the connection should have made a request and we can
-    // extract the auth header from the most recent request
-    // If this fails, we'll fall back to a default approach
-    return `Basic ${Buffer.from(':' + process.env.AZURE_DEVOPS_PAT).toString('base64')}`;
+    return `Bearer ${token.token}`;
   } catch (error) {
     throw new AzureDevOpsValidationError(
       `Failed to get authorization header: ${error instanceof Error ? error.message : String(error)}`,