feat(microsoft-teams): microsoft: Obtain tenantId by decoding the access token instead of calling the /organizations endpoint (#4024)
This PR updates the Microsoft Teams post-connection logic to decode the
access token using JWT. It introduces a new interface for the decoded
token structure and retrieves the tenant ID directly from the decoded
token instead of making an API call. This change improves efficiency by
reducing unnecessary network requests and streamlining the connection
configuration process.
- Ticket:
[EXT-699](https://linear.app/nango/issue/EXT-699/microsoft-obtain-tenantid-by-decoding-the-access-token-instead-of)
<!-- Summary by @propel-code-bot -->
---
**Microsoft Teams Authentication Optimization: JWT Token Decoding for TenantID**
This PR optimizes the Microsoft Teams authentication flow by replacing
an API call with direct JWT token decoding. Instead of making a network
request to the '/v1.0/organization' endpoint, the code now extracts the
tenant ID directly from the access token. This approach reduces latency,
eliminates a potential failure point, and improves overall connection
efficiency by removing an unnecessary network dependency.
**Key Changes:**
• Replaced `API` call to /v1.0/organization with `JWT` token decoding
• Created comprehensive `MicrosoftDecodedToken` interface for token
structure
• Extracted tenant `ID` (tid) directly from the decoded token
• Removed dependency on axios for this operation
**Affected Areas:**
• Microsoft Teams post-connection handler
• Authentication flow for Microsoft Teams integration
**Potential Impact:**
**Functionality**: More reliable tenant ID retrieval with fewer
dependencies on external API calls
**Performance**: Reduced latency by eliminating an HTTP request during
connection setup
**Security**: Potential security concern due to using jwt.decode()
without proper token verification
**Scalability**: Improved scalability by reducing external API
dependencies and network traffic
**Review Focus:**
• Security concern: Using jwt.decode() without verification
• Completeness of the `MicrosoftDecodedToken` interface
• Error handling when token is not decodable
• Type assertion safety when handling the decoded `JWT`
<details>
<summary><strong>Testing Needed</strong></summary>
• Verify tenant `ID` extraction works for tokens from different Microsoft tenants
• Test with various token structures to ensure the interface is complete
• Verify error handling when token cannot be decoded properly
• Test with expired/invalid tokens to ensure graceful failure
</details>
<details>
<summary><strong>Code Quality Assessment</strong></summary>
**packages/server/lib/hooks/connection/providers/microsoft-teams/post-connection.ts**:
Well-structured with clear type definitions. The interface is
comprehensive but could potentially be simplified if not all properties
are needed.
</details>
<details>
<summary><strong>Best Practices</strong></summary>
**Code Organization**:
• Well-defined interfaces
• Type safety
**Error Handling**:
• Defensive coding with type and existence checks
**Performance**:
• Reducing `API` calls
• Local processing instead of network requests
</details>
<details>
<summary><strong>Possible Issues</strong></summary>
• Security vulnerability from using jwt.decode() without verification
• Token structure might change in Microsoft API updates
• Interface may need updates if Microsoft adds/removes fields from their
tokens
</details>
---
*This summary was automatically generated by @propel-code-bot*
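The change above reads the `tid` claim out of the access token without verifying its signature. That is defensible only because the token was just handed back by Microsoft's token endpoint over TLS during the OAuth exchange, so its origin is already trusted; the same decode must never be used as an authorization decision on a token supplied by anyone else, and Microsoft documents access tokens as opaque to clients, so a token that is not a decodable JWT needs a graceful fallback rather than a crash. The following is an added example, not Nango's code and not the code from this PR: it shows the unverified-decode step written by hand (what `jwt.decode()` does internally), with the checks a reviewer would want around it. The interface name `MicrosoftDecodedToken` is borrowed from the PR description; the claim subset, the `tenantIdFromAccessToken` helper, the `nowSeconds` parameter and the sample tenant ID are assumptions made for the example.

```typescript
import { Buffer } from "node:buffer";

// Claims this example relies on from a Microsoft Entra ID access token.
// Assumption: only `tid`, `exp` and `iss` are needed here; other claims pass through untyped.
export interface MicrosoftDecodedToken {
  tid?: string;
  exp?: number;
  iss?: string;
  [claim: string]: unknown;
}

// Tenant IDs are GUIDs; anything else is a malformed or unexpected claim.
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

/**
 * Decode the payload of a compact JWS WITHOUT verifying the signature.
 * Equivalent to jwt.decode(): base64url-decode the middle segment and parse it.
 * Returns null for anything that is not a three-part JWT with a JSON object payload
 * (Microsoft documents access tokens as opaque to clients, so this can legitimately fail).
 */
export function decodeJwtPayload(token: string): MicrosoftDecodedToken | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    const json = Buffer.from(parts[1], "base64url").toString("utf8");
    const payload: unknown = JSON.parse(json);
    if (typeof payload !== "object" || payload === null || Array.isArray(payload)) return null;
    return payload as MicrosoftDecodedToken;
  } catch {
    return null; // not base64url / not JSON
  }
}

/**
 * Extract the tenant ID from a freshly issued access token.
 * Only call this on a token received directly from the provider's token endpoint:
 * the signature is not checked, so the value is trustworthy only because of where
 * the token came from, never because of what it says.
 * `nowSeconds` is injectable so expiry handling can be tested deterministically.
 */
export function tenantIdFromAccessToken(
  token: string,
  nowSeconds: number = Math.floor(Date.now() / 1000),
): string | null {
  const claims = decodeJwtPayload(token);
  if (!claims) return null;
  // An expired token should not be used to configure a connection.
  if (typeof claims.exp === "number" && claims.exp <= nowSeconds) return null;
  if (typeof claims.tid !== "string" || !GUID_RE.test(claims.tid)) return null;
  return claims.tid;
}

// Constructed sample data for the example: a JWT-shaped token with a placeholder
// signature segment. Microsoft never issues this; it exists only to exercise the code.
export const SAMPLE_TID = "11111111-2222-3333-4444-555555555555";

export function makeUnsignedToken(payload: object): string {
  const enc = (o: object): string => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.placeholder-signature`;
}

// Usage: a valid-looking token yields its tid; an opaque or expired token yields null.
const demoToken = makeUnsignedToken({ tid: SAMPLE_TID, exp: 2_000_000_000, iss: "https://example.invalid" });
console.log(tenantIdFromAccessToken(demoToken, 1_700_000_000)); // SAMPLE_TID
console.log(tenantIdFromAccessToken("opaque-access-token", 1_700_000_000)); // null
```

The fallback branch (a `null` return) is where the old `/v1.0/organization` lookup would belong if the project wants to keep that path for tokens that are not decodable JWTs.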