[copilot-finds] Bug: getAdditionallyAllowedTenants() does not trim whitespace from comma-separated tenant IDs #211
Description
Problem
DurableTaskAzureManagedConnectionString.getAdditionallyAllowedTenants() in packages/durabletask-js-azuremanaged/src/connection-string.ts (line 54) splits the comma-separated tenant ID string using value.split(",") without trimming whitespace from individual entries.
When a connection string contains spaces around tenant IDs — a common formatting pattern — the resulting array contains entries with leading/trailing whitespace (e.g., [" tenant2 "]). These untrimmed values are passed directly to WorkloadIdentityCredential in credential-factory.ts (lines 45–51), causing Azure Identity authentication failures.
Additionally, trailing commas (e.g., tenant1,tenant2,) produce empty string entries in the array.
Root Cause
The split(",") call on line 54 does not normalize individual entries. While the parseConnectionString() method (lines 109–110) trims keys and values at the pair level, the comma-separated sub-values within AdditionallyAllowedTenants are not processed.
Proposed Fix
Add .map(t => t.trim()).filter(t => t !== "") after the split(",") call to:
- Trim whitespace from each tenant ID
- Filter out empty entries from trailing commas
Impact
Severity: Medium — causes silent authentication failures in Workload Identity scenarios.
Affected scenarios: Any user specifying AdditionallyAllowedTenants in a connection string with spaces after commas (e.g., AdditionallyAllowedTenants=tenant1, tenant2, tenant3). This is a natural formatting pattern that works in many similar SDKs but fails silently here.
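The behaviour described in this issue, reproduced as an added example (not the package's source code). The function names, the case-insensitive key lookup and the sample connection string are assumptions made for illustration.

```typescript
// Added illustration; all names here are hypothetical, not the package's own code.

// Pair-level parsing as the issue describes it: keys and values are trimmed,
// but the contents of a comma-separated value are left untouched.
function parsePairs(connectionString: string): Record<string, string> {
  const pairs: Record<string, string> = {};
  for (const part of connectionString.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue; // skip empty or malformed segments
    // Lower-casing the key is an assumption of this example.
    pairs[part.slice(0, idx).trim().toLowerCase()] = part.slice(idx + 1).trim();
  }
  return pairs;
}

// Behaviour reported in the issue: a bare split(",").
function tenantsBeforeFix(cs: string): string[] {
  const value = parsePairs(cs)["additionallyallowedtenants"];
  return value ? value.split(",") : [];
}

// Behaviour with the proposed fix: trim each entry, drop empty ones.
function tenantsAfterFix(cs: string): string[] {
  const value = parsePairs(cs)["additionallyallowedtenants"];
  return value
    ? value.split(",").map((t) => t.trim()).filter((t) => t !== "")
    : [];
}

// Entries that would reach the credential in a form the user did not intend:
// padded with whitespace, or empty because of a stray comma.
function suspectEntries(tenants: string[]): string[] {
  return tenants.filter((t) => t === "" || t !== t.trim());
}

// Constructed sample: spaces around entries plus a trailing comma.
const SAMPLE =
  "Endpoint=https://example.invalid;AdditionallyAllowedTenants=tenant1, tenant2 ,tenant3,";

console.log("before:", JSON.stringify(tenantsBeforeFix(SAMPLE)));
console.log("after: ", JSON.stringify(tenantsAfterFix(SAMPLE)));
console.log("suspect:", JSON.stringify(suspectEntries(tenantsBeforeFix(SAMPLE))));
```

A check like suspectEntries() also works as a unit-test assertion: after normalization it should return an empty array for any input.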