Solutions for Microsoft Office, and more...

How Content Security Policy Affects Office Add-ins

February 28, 2025 David E. CraigLeave a comment

I now have several add-ins in AppSource and all doing well. But one in particular is getting a LOT more attention than others: “Send to Planner.” While popular with the general public, IT admins are not because it needs so many permissions. I wrote a fairly complex explanation to why it needs to many permissions: https://kryl.com/?page=kb&id=31. Ok, so some say – fine, I trust that, but others want more, a lot more, like my latest Penetration Testing Results. They also ask for more than attestation and wonder why I am not on the Office 365 certified list… me too, it turns out…

Sidebar first… This is leading somewhere, I promise… So, Office 365 Certification… I jump through God knows how many hoops to try to get my Office 365 certification rather than just a generic Publisher Attestation. I have to provide a TON of documentation and one of the artifacts is a good penetration test which are actually a LOT of work. Anyway, after a few weeks of gathering information, study on how to do this, that or the other thing, a ton of back-and-forth in email… I was told…

“Well, so, yeah… Your company is… yeah… just not big enough for us to consider you.”

So, when I submitted the VERY FIRST FORM with employee count you still let me proceed! I waste weeks, collecting and finagling and answering to artifacts and this… Ugh! Anyway, it was an educational experience and from that, I learned how to create a good Pen Test document.

…Back to the main attraction. Turns out to make administrators HAPPY, you need to have a really good Pen Test and one of the picker areas they remark upon is your sites Content Security Policy. I use an NGINX server in Azure. It took a LOT of finagling to get it restrictive enough for me to score an A+ on https://securityheaders.com:

script-src 'self' https://p.trellocdn.com https://alcdn.msauth.net https://cdn.msftauth.net https://login.microsoftonline.com https://login.live.com https://*.trello.com https://*.asana.com https://appsforoffice.microsoft.com;

In my QA testing, everything seems to be humming along with my A+ except that I started noticing my add-in failing to load sometimes. Pop open the F12 developer tools and viola, a MicrosoftAjax.js error that is failed to load because of my CSP. So, I added it:

script-src 'self' https://p.trellocdn.com https://alcdn.msauth.net https://cdn.msftauth.net https://login.microsoftonline.com https://login.live.com https://*.trello.com https://*.asana.com https://appsforoffice.microsoft.com https://ajax.aspnetcdn.com;

That seemed to make it happy, and my QA succeed so I published. I had figured it must be something in my code, but I did not find Ajax in any of my dependencies or my code base, so I gathered it was from office-js (rightly so), but no big deal, right. I did an NPM UPDATE and grabbed another coffee.

But then users started to contact me that they were unable to use the add-in. Why? Well, turns out in certain conditions my code did something that would fail. And after a lot of troubleshooting, I start to see this error around areas where I am getting mailbox session data:

Cannot read properties of undefined (reading ‘cannotDeserializeInvalidJson’)
at Sys.Serialization.JavaScriptSerializer.deserialize

So, oh boy… 2015 wet sock moment… the Microsoft Office JS library apparently injects the MicrosoftAjax.js library right into your taskpane page and uses it for JSON.parse(). What?

Send to Planner (and my other add-ins) were all showing this. And I had NEVER seen this Ajax error before — so it was new. I scoured the web, asked my new buddy Chat GPT and… long story short, because this was something new… What did I do… Pen Testing… Yes, and what did I recently change… Oh, yeah, my CSP. Yes… more digging, trial and error:

script-src 'self' 'unsafe-eval' 'unsafe-inline' https://p.trellocdn.com https://alcdn.msauth.net https://cdn.msftauth.net https://login.microsoftonline.com https://login.live.com https://*.trello.com https://*.asana.com https://appsforoffice.microsoft.com https://ajax.aspnetcdn.com;

Well, now I only have an A on security headers, and I get a nice little blurb about:

This policy contains ‘unsafe-inline’ which is dangerous in the script-src directive. This policy contains ‘unsafe-eval’ which is dangerous in the script-src directive.

Inline is one thing and good use of input sanitization with DomPurify (thanks MichaelZ), corner cases that. But unsafe-eval? I confirmed – on/off/on/off – yep… it needs to be there.

Anyway, it was a long journey – many hours – and I am wiser for it. I know this is probably because OfficeJS still supports versions back to Office 2013 and Edge before it went the path of the Chromium, but I hope maybe it can move away from needing eval() code and the MicrosoftAjax.js library in the near future and I can add a (+) back to my security posture.

Hopefully, this post will help others from tripping up on this as they lock things down.

403 Error with Planner API

October 22, 2024October 22, 2024 David E. Craig5 Comments

I am posting this here as it is a vexing issue, and I have received no feedback or guidance on it.

If you use Power Automate with the Planner Graph API or you have developed a solution that used the Planner Graph API to create tasks you will be affected by this problem:

https://feedbackportal.microsoft.com/feedback/idea/91794c73-0e87-ef11-9442-6045bdb4f28f

Essentially, the issue is that the new PREMIUM Plans that you can create from Teams Planner App (and soon the updated Planner Website), are not fully supported in the Graph API.

When you try to POST (create) a task for example you get a 403 error. This would imply that you need some type of Graph API Permission in your Entra ID Registration, but there is NO DOCUMENTATION on this at all.

If you or your organization use Microsoft Planner and have recently upgrade to Premium plans, and you automate your plans, please UP VOTE the item reference above.

If you are using Power Automate, here is a simple one I created. If a task is created and assigned to you anywhere in Planner, it will create a new task for you on a specified plan in a specified bucket.

If I run this, it creates a new task on the Plan: “Starts of Basic”
If I upgrade the plan to PREMIUM and then go to any other plan and create a task, and the automation runs, this is what I get:

This is the error you get:

	{
	"error": {
	"code": "ArchivedEntityCanNotBeUpdated",
	"message": "Archived entity can't be modified.",
	"innerError": {
	"date": "2024-10-22T13:33:52",
	"request-id": "f6cbf471-eead-49e8-944c-c3d9f9b00147",
	"client-request-id": "f6cbf471-eead-49e8-944c-c3d9f9b00147"
	}
	}
	}

view raw ArchivedEntityCanNotBeUpdated.json hosted with ❤ by GitHub

Pocket a Card v1.07

July 22, 2024July 21, 2024 David E. CraigLeave a comment

It has been a while since I have shown any love to this Power-Up. It has a LOT of users that use it a LOT. And unfortunately, for me they use the FREE features only. It might be a bit draconian, but with nearly 75,000 website hits per week from this one Power-Up alone, I added a retro-active limitation of only 5 pocket cards per board without a subscription. But I added a LOT to the subscription. Now you get all these features:

Epic cards, with epic covers and the ability to track resources, cost, budget, completeness, priority and deadline date.
You also have the ability to set cards to be pocketed at a future date.
Additionally, you can set cover colors, and
have more than 5 Pocket or Epic cards on the board.

Additional enhancement includes a bit of a redesign on the UI (star on the default pocket card), and more options on the back of the card. If these update garner more subscribers, I have even more planned:

Custom fields on Epics
Better pocketed card preview
Ability to edit the name, description or add comments to pocketed cards
Ability to select cards to pocket from the board, from the back of a pocket card, and
this includes searching for cards and adding them as well.
And much, much, more.

But I need more subscribers first. Please check it out: Pocket a Card

Horrible Safari Issue

July 12, 2024July 12, 2024 David E. CraigLeave a comment

Somebody will probably tell me that I am doing something wrong, and that Safari is behaving correctly, but, uh… since all other browsers work fine, and it ONLY happens in Safari, I will call it a horrible Safari issue. Now that disclaimers are aside…

I looked ALL over the Internet to find a reference to this issue, I searched for days and days, I eventually abandoned all hope and started talking to my volleyball when suddenly I ran into this:

I was startled, confused, there was a sign that said, “The End.” And as I was looking around there was Vincent D’Onofrio beside me with a wine glass and a rifle and I could not tell which character he was in at that moment.

Ok, ok, I am not going to explain that — some 1999 humor there for you if you got it.

Anyway… Safari…

I like (love ES6 classes), I build my own render function for my own elements and before you tell me to use a framework, I prefer vanilla and myself than to depend on others code, their bugs and their CDN nightmares or whims. Anyway, in my components they have event handlers that call back into a main function to make fetch() calls, sometimes I make those calls inside the component if they are specialized. It might look like this:

	window.setTimeout(async() => {
	const o = new thing();
	await o.render();
	}, 1);

	class thing {
	render = async () => {
	const html = /html/`<button id="btn1">Test</button>`;
	document.body.innerHTML = html;
	const msg = "something here";
	document.getElementById("btn1").addEventListener("click", async () => {
	await this.#getData(msg);
	});
	}
	#getData = async (msg) => {
	const result = await fetch('https://jsonplaceholder.typicode.com/posts/1');
	console.log(msg);
	const data = await result.json();
	console.log(data);
	}
	}

view raw safari_issue.js hosted with ❤ by GitHub

Now, this code works in Windows and in every browser, and on Mac in every browser and oddly enough, the above simplified code actually works great in Safari, but embedded a few layers deep in event handlers of other components with async because other fetch calls collected data, etc., etc.… It FAILS every time in Safari and only Safari.

What happens is that “msg” variable that I pass into my fetching function (this.#getData) is always UNDEFINED. And I have tried passing just a raw string “this is a string” and it fails. Maybe it is stack depth and a combination of async and even handler callbacks, or something funky with binding of this when you get into things a few layers. But the bottom line is that it ONLY happens in Safari and the ONLY way I have found to work around this is to remove all the async functions and await calls and put the fetch in a window.setTimeout(), like this:

	class thing {
	render = () => {
	const html = /html/`<button id="btn1">Test</button>`;
	document.body.innerHTML = html;
	const msg = "something here";
	document.getElementById("btn1").addEventListener("click", () => {
	this.#getData(msg);
	});
	}
	#getData = (msg) => {
	window.setTimeout(async () => {
	const result = await fetch('https://jsonplaceholder.typicode.com/posts/1');
	console.log(msg);
	const data = await result.json();
	console.log(data);
	}, 1);
	}
	}
	// instantiate
	const o = new thing();
	o.render();

view raw safari_issue_fix.js hosted with ❤ by GitHub

And I did try an old school Promise here where the window.setTimeout and the async on the Promise did the same thing with the “msg” parameter – undefined.

Anyway, I hope this helps someone else experiencing the same issue. And if you have had this issue before and fixed it in another way, please let me know. If you are aware of this issue and it is documented somewhere that I will not encounter an angry D’Onofrio bartender/lab sidekick, please let me know.

Solving Outlook JS Email Reply Parsing with ES6 Class | Example Included

July 9, 2024July 6, 2024 David E. CraigLeave a comment

In working with Send to Trello, Send to Planner and Send to Asana, I found one of the most complicated tasks in Outlook JS is trying to determine where an email reply ends, and the original message begins in order to get the latest response in a Message.Read scenario.

Seems simple enough that you look for the break between the messages, our eyes pick that up fairly easily. I have not tried AI yet, but that is a next step for sure.

However, wanted to share what I have found works in most cases. I created an ES6 class OutlookEmailBodyParser. And you use it like this:

	const emailBody = new Promise((resolve, reject) => {
	try {
	Office.context.mailbox.item.body.getAsync(type, (result) => {
	if (result.status === Office.AsyncResultStatus.Succeeded) {
	resolve(result.value);
	} else {
	reject(result.error);
	}
	});
	} catch {
	reject("Unable to get email body text.");
	}
	});
	const parser = new OutlookEmailBodyParser(emailBody);
	return parser.getLatestResponse();

view raw getLatsetResponse.js hosted with ❤ by GitHub

And here is the class that does all the work:

	export default class OutlookEmailBodyParser {
	/** @type {String} */
	#body = null;
	/**
	* Creates an instance of the Outlook Email Body Parser
	* Next you call:
	* – getLatestResponse() to get the most recent message
	* @param {String} body
	*/
	constructor(body) {
	this.#body = body;
	}
	/**
	* Returns the latest response
	*/
	getLatestResponse = () => {
	const lines = this.#body.replace("/\r/g", "\n").split("\n");
	// any line that starts with a word, a color and a space, like From: , to: , Cc:, Date:
	const prologLine = /(^[A-Z]{2,8}:\s)/i;
	// any line that ends with a colon
	const lineEndsWithColon = /^.+(:)$/;
	// covers general patterns of first.last@email.domain
	const emailRegex = /[a-zA-Z0-9._-]+@[a-zA-Z0-9-]+\.[a-zA-Z]{2,6}/;
	// covers ——-, _______, —–original message—-, _______PREV______
	const breakRegex = /^([-_]+(\w{0,15}(\s\|\s{0})){0,3}[-_]+)$/;
	// looks for a 4 digit number on the line, we grab it and see if it looks reasonable
	// meaning in compare is the 4 digit number starting with 19 or 20.
	const containsYear = /([/\s][0-9]{4})/;
	// looks for a time in formats 4:44, 16:44, 4:44 AM, 4:44 PM
	// we then look at capture groups to verify in range
	const containsTime = /\s([0-9]{1,2}):([0-9]{2})(\w{2}\|\s\w{2}\|:[0-9]{2}\|.{0})/;
	// — START —
	var breakOnLine = "";
	var fFoundLineBreak = false;
	var candidateLines = 0;
	var prevLine = "";
	for (const line of lines) {
	var gmailFoundCount = 0;
	var outlookFoundCount = 0;
	if (breakRegex.test(line)) {
	fFoundLineBreak = true;
	candidateLines++;
	prevLine = line;
	continue;
	}
	if (emailRegex.test(line)) {
	gmailFoundCount++;
	outlookFoundCount++;
	}
	if (prologLine.test(line)) outlookFoundCount++;
	if (lineEndsWithColon.test(line)) gmailFoundCount++;
	if (containsYear.test(line)) {
	const year = containsYear.exec(line);
	if (year.length === 2) {
	const num = Number.parseInt(year[0].trim());
	if (!Number.isNaN(num) && num > 1900 && num < 2100) {
	gmailFoundCount++;
	outlookFoundCount++;);
	}
	}
	}
	if (containsTime.test(line)) {
	const time = containsTime.exec(line);
	if (time.length >= 3) {
	const hour = Number.parseInt(time[1].trim());
	const min = Number.parseInt(time[2].trim());
	if (!Number.isNaN(hour) && !Number.isNaN(min) && hour >= 0 && hour <= 23 && min >= 0 && min <= 59) {
	gmailFoundCount++;
	outlookFoundCount++;
	}
	}
	}
	if (fFoundLineBreak) outlookFoundCount++;
	////////////////////////////////////
	// VALIDATE OUTLOOK
	////////////////////////////////////
	if (candidateLines >= 1 && outlookFoundCount > 2) {
	breakOnLine = prevLine;
	break;
	}
	////////////////////////////////////
	// VALIDATE GMAIL
	////////////////////////////////////
	if (gmailFoundCount >= 4) {
	breakOnLine = line;
	break;
	}
	if (candidateLines === 1 && gmailFoundCount === 1) {
	breakOnLine = prevLine;
	break;
	}
	////////////////////////////////////
	// reset
	////////////////////////////////////
	if (candidateLines === 3) candidateLines = 0;
	if (outlookFoundCount >= 2) candidateLines++;
	if (gmailFoundCount === 3) candidateLines++;
	if (candidateLines === 1) prevLine = line;
	fFoundLineBreak = false; // must set here
	}
	var latestResponse = this.#body;
	if (breakOnLine) {
	const pos = this.#body.indexOf(breakOnLine);
	latestResponse = this.#body.substring(0, pos);
	}
	// return
	return latestResponse;
	};
	}

view raw outlookEmailBodyParser.js hosted with ❤ by GitHub

Send to Planner v1.04 is Released

May 29, 2024May 26, 2024 David E. Craig2 Comments

I have been absent from my blog for a while as I have been busy working on Kryl Solutions add-ins and Power-Ups. It has been an enjoyable experience to really delve into the world of JavaScript (ES6) and get creative building things.

One of my favorite projects has been Send to Planner. I just released version 1.04 and after 6 months of being in the marketplace, the reception and stats for this add-in are amazing. It has quickly become my fastest growing integration.

With v1.04, I have added checklists. Now, you can do nearly everything with task from Send to Planner: create new tasks in any plan and bucket, add to existing tasks as comments, add start and due dates, update priority, update selected categories, update the task progress, add/remove user assignments, and now, add, remove or update checklist items.

If you use Microsoft Planner for managing your projects, and you deal a lot with incoming email driving or updating your task workflow, you really should check Send to Planner out and let me know what you think.

Send to Planner Add-in Published

January 11, 2024 David E. CraigLeave a comment

Right before the holidays I got my latest solution published to AppSource: “Send to Planner.”

This add-in is based on the “Send to Trello” Add-in and has a very similar look and feel. It was an unexpected side bar in my solutions development. A Send to Trello user contacted me because they also used Planner and were unable to find an effective solution that just did the basic “send an email to Planner” for free. While this has premium features to do much more, like keeping responses to the same email with the original task, the basic functionality will likely meet most casual use.

This was fun to create but also vexing at the same time. I am not sure where I got the idea, that there was an ability to get a front-end access token of the user running the Office add-in (getAccessToken). But turns out this is called an “on behalf of” flow that requires a complex manifest setup and you must send the customer email information to your backend web service to make the call “on behalf of” the user to Graph API. There are several options, but I had to go with the OAUTH flow using displayDialogAsync(). The AppSource (GDRP/Privacy) requirements for a backend data flow was more work and upkeep than I care for (cost and time wise). It is a headache I did not want.

So, I used the MSAL flow to pop an authentication dialog and then call the Graph API from the front-end to write to Planner. I already have users complaining that “it pops up the authentication dialog too much.” This is even though it does not require the entire authentication flow, it just pops up and then goes away.

I try the ssoSilent from the task-pane side and when/if that fails, I pop the dialog and do it there. The issue is because I do not own the frame of the Office task pane my origination domain is not correct. MSAL rejects the Silent SSO attempt. Ergo, it must pop open the dialog every time to get ssoSilent and refresh the token that way. A tad annoying.

I am not sure if I am missing something, but it would be nice to be able to request a front-end token with the proper scopes to do this, or a way to call ssoSilent from a task pane. But for now – this is what it is. Another annoying fact is that the token I get from MSAL, although it is refreshable (with ssoSilent), it lasts only 1 hour before it must be refreshed. So, 99% of the time a user clicks “Send to Planner” they see the dialog flash.

Either way, the add-in is out there and consumable. Please check it out!

Adding an Attachment to a Planner Task

November 10, 2023November 9, 2023 David E. CraigLeave a comment

I have recently started working on a new add-in in Office and had reason to create an newly uploaded attachment to a Planner Task item.

OMG!

I pulled out all my hair on this one as I was unable to figure out from the documentation how to do this. Hack, hack, hack — 3days later… well, I hope to save the world this frustration.

Here are the steps:

First, get the file from an upload. Determine the type and convert all the binary in the file to a BASE64 string.
Next, you need to GET the planners GROUP by the planner ID: https://graph.microsoft.com/v1.0/planner/plans/${plannerId}
Then you create the item in the group drive container, where name is the name of the file via a POST (with the based 64 in the body, content-type: text/plain): https://graph.microsoft.com/v1.0/groups/${plan.container.containerId}/drive/items/root:/${name}:/content
This returns a driveItem object and from this you need the driveItem.webUrl, but this is the part that killed me. The documentation tells you to use an encoded URL. WRONG. This fails every single time. After a lot of looking over the documentation and seeing what they were submitting, you actually only replace the “.” and the “:” and white space / /. Here is a function I created in JS:

	/**
	* Encodes the URL ins the special planner format that is for oif but not quite
	* following the encodeURIComponent() specification…
	* @param {String} url
	* @returns {String}
	*/
	#encodePlannerExternalReferenceUrl = (url) => {
	// Encode specific characters: : . _
	const encodedUrl = url.replace(/:/g, "%3A").replace(/\./g, "%2E").replace(/ /g, "%20");
	return encodedUrl;
	};

view raw enocdePlannerUrl.js hosted with ❤ by GitHub

Next, GET the task item by ID: https://graph.microsoft.com/v1.0/planner/tasks/${id}
Then GET the task items details by ID: https://graph.microsoft.com/v1.0/planner/tasks/${id}/details
For this next part, you use the “@odata.etag” prop the details and you will create a new entry with a PATCH: https://graph.microsoft.com/v1.0/planner/tasks/${taskId}/details.
For this part you need to create a fetch body like this: { references: ${ref} }, where the ref is defined as:

	const ref = {
	/** @type {PlannerReference} */
	[this.#encodePlannerExternalReferenceUrl(driveItem.webUrl)]: {
	"@odata.type": "#microsoft.graph.plannerExternalReference",
	alias: name,
	type: "Other",
	},
	};

view raw ref.js hosted with ❤ by GitHub

To make the above call you have to supply the @odata.etag. And this is the NEXT part that messed with my noodle. You do NOT use the whole value returned AND you have to place it in double quotes. Ugh! So here is more code I wrote to help with that:

const updatedTag = eTag.replace('W/"', '"').replace('\\"', "");

view raw etag.js hosted with ❤ by GitHub

Then when you make the call you place the tag in the headers: If-Match. And do not forget to add the Content-type, and to see the returned result the Prefer as well:

The final submission looks like this:

And let me stress this. You must PATCH this, not “patch.” Another thing I found is that GET/get, PUT/put, DELETE/delete, and POST/post all work interchangeably. But if you “patch” you will get some bazaar error about CORS and that path is not supported. And if you hit the service with OPTIONS you will see all the supported methods are returned in CAPS. Oddly, all work with lowercase or upper case, except for PATCH.

So, there you have it. 3 days of my life.

Procure the Board Button in Trello

October 24, 2023October 22, 2023 David E. CraigLeave a comment

I was recently posting an issue in the Developer Forum for Trello and found a post I could answer fairly quickly since I knew the answer already. Thought I would share it here on my blog as well.

The question was along the lines of:

How do I show my board button only to members of the board who have paid for it? Or how do I block guests from getting the board button?

Here is the code:

	/// <reference path="trello.d.js" />
	/** @type {TrelloPowerUp} */
	const tpu = window.TrelloPowerUp;
	tpu.initialize({
	'board-buttons':
	/**
	* Returns the board button
	* @param {TrelloObject} t
	* @returns {TrelloBoardButtonOption[]}
	*/
	async (t) => {
	/** @type {TrelloMemberObject} */
	const member = await t.member("id");
	/** @type {TrelloBoard} */
	const board = await t.board("memberships");
	/** @type {TrelloMembership} */
	const membership = board.memberships.find(o=>o.idMember === member.id);
	if(!membership \|\| membership.memberType === "observer") {
	t.alert({
	message: "Sorry you are only a guest on this board!",
	duration: 1,
	});
	return []; // no board button for you
	}
	/** @type {TrelloBoardButtonOption} */
	const button = {
	text: "hello",
	icon: `data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsIAAA7CARUoSoAAAAF2SURBVDhPtZMxT8JQEMfb0pI2xMbA0JWyNXQEJLHO7VrmfgAHTfgMLMTo0FknDU0TNze+gCbOSmSBwU2hgxMlAevd8wV95GG6+Euu73/v/e/aXlPhX8myrIBBUy4iXRmCIDicTqeeqqoHmKdp+lir1YaDweCeGHZx1u/vHTnOpWEYqSiKGWyRQI17juNc9cFDzNvEUay2ms1bkJtCXjTBE0WRCprFc70TTdO4Rb8DPa7rnoL+odfr6bZtP4HkFm0HeJ+xBrQg4WU+n7eSJLFR5wH8dfC3UJMGy+WyDJNGmQvwC4vFooyaNFAUZVUo/Pm5GdBbLBZXqEkD2Bjpuv6BOg/olSRpRNNv2u32NSzcoW0HeG9gJZAnQOx6/cKsVmc03YlZNWfgPacpi+/7rmma7yC5d8azDnhAb2AmNx6PJ77fGWqaqsmyvF8qleB19c9KpfJqWdZdo9E4juP4gdoJ3J8J6Xa7BgzXQr1er1/CMHwjBwyC8AW6vpgYpmCzMQAAAABJRU5ErkJggg==`, // for card front badges only
	condition: "always",
	callback: (tt) => {
	tt.alert({
	message: "You are all paid up!",
	duration: 1,
	})
	}
	};
	// return the button
	return [button];
	}
	});

view raw client.js hosted with ❤ by GitHub

Happy coding!

Creating a Trello Power-Up in Visual Studio Code

October 23, 2023October 22, 2023 David E. CraigLeave a comment

Are you a Trello enthusiast looking to start developing you own Power-Up? Trello Power-Ups are custom integrations add new functionality to your Trello boards, and creating one yourself is easier than you might think.

I created the following tutorial to walk you through the process of developing a Trello Power-Up in Visual Studio Code using npm (Node Package Manager). By the end, you’ll have a basic project that you can further enhance as needed. But this will take you some time. I took my time walking through this and it took me a good hour to get through all the steps below. The good news is once you have done this, you will have a quick, easy to use project that is totally reusable for multiple Power-Ups. With that said, let’s get started…

Prerequisites

Before we dive in, make sure you have the following prerequisites:

Node.js and npm: If you don’t have Node.js and npm installed, download and install them from the official website here.
Trello Account: You’ll need a Trello account to create and test your Power-Up.
Visual Studio Code: If you don’t have VS Code, download and install it from https://code.visualstudio.com/.
Once you have VS Code install, here are some suggested Extensions to make your life MUCH easier:

ESLint
Code Spell Checker
Prettier – Code formatter
Inline HTML

Something to read so you can get an idea of how powerful VS Code can be with extensions and other capabilities, here is more about JavaScript development in VS Code:
https://code.visualstudio.com/Docs/languages/javascript

Step 1: Create your Project Folder

In the least you ONLY need two files [index.js] and [index.html].
But it helps to build out your project with the proper folder structure right off the bat. So here are the folders I create:

[certs] – required for local development and covered later
[js] – for all your code files
+– [common] – where you will keep common files (usually static defined stuff)
+– [pages] – for all your js page files (more below)
+– [components] – we will not get to this here, but might cover it in a future post.
[types] – Go get this file: https://github.com/davecra/Trello-Power-Up-TypeDefs/blob/main/trello.d.ts, never Power-Up develop without it (*).

When I decided to make the Type Definitions file for Trello Power-Ups it CHANGED MY LIFE. Now, it is not perfect and I am still working on adding things to it, and find errors every now and then, but please notify me if you find anything wrong. But when I added this to my project it took the guesswork out of creating a Power-Up, in that “what does this return”, or “what are the properties of this or that.” And I did not have to have the Trello API reference page open in the browser all the time. My code got cleaner, more concise, and I was able to more quickly develop Power-Ups.

Step 2: Add files and Code

So, now we add the files.

If you do things “creatively” – correctly in my opinion – you really only need one HTML file for your WHOLE project even if you open multiple forms.

In the [views] folder, create the [index.html] file:

	<!DOCTYPE html>
	<html lang="en-us">
	<head>
	<meta http-equiv="Cache-control" content="no-cache"/>
	<meta http-equiv="pragma" content="no-cache"/>
	<meta charset="utf-8">
	<meta name="viewport" content="width=device-width">
	<!– if you want Trello sizeTo to work correctly, you need to keep this –>
	<link crossorigin="anonymous" rel="stylesheet" href="https://p.trellocdn.com/power-up.min.css">
	<title>Power-Up</title>
	</head>
	<body>
	<div id="content"></div>
	</body>
	<script crossorigin="anonymous" src="https://p.trellocdn.com/power-up.min.js"></script>
	</html>

view raw index.html hosted with ❤ by GitHub

Now in the root of the [js/common] folder you will create a file [common.js]:

	const PACKAGE = require('../../package.json');
	/**
	* CommonFunctions to be shared across all the project
	*/
	export default class Common {
	/** @type {String} */
	static APPNAME = PACKAGE.appName;
	/** @type {String} */
	static VERSION = PACKAGE.version;
	/** @type {String} */
	static detailsPage = "./details.html";
	}

view raw common.js hosted with ❤ by GitHub

Now in the root of the [js] folder create the [client.js] file:

	/* global TrelloPowerUp */
	/// <reference path="../types/trello.d.js" />
	import Common from './common/common';
	/** @type {TrelloPowerUp} */
	const tpu = window.TrelloPowerUp;
	tpu.initialize({
	'board-buttons': async (t) => await getBoardButton(t),
	});
	/**
	* Returns the board button
	* @param {TrelloObject} t
	* @return {TrelloBoardButtonOption[]}
	*/
	const getBoardButton = async (t) => {
	/** @type {String} */
	const buttonName = await t.get("board", "private", "buttonName", "Hello World");
	/** @type {TrelloBoardButtonOption} */
	const boardButton = {
	text: buttonName,
	condition: "always",
	icon: `data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsIAAA7CARUoSoAAAAF2SURBVDhPtZMxT8JQEMfb0pI2xMbA0JWyNXQEJLHO7VrmfgAHTfgMLMTo0FknDU0TNze+gCbOSmSBwU2hgxMlAevd8wV95GG6+Euu73/v/e/aXlPhX8myrIBBUy4iXRmCIDicTqeeqqoHmKdp+lir1YaDweCeGHZx1u/vHTnOpWEYqSiKGWyRQI17juNc9cFDzNvEUay2ms1bkJtCXjTBE0WRCprFc70TTdO4Rb8DPa7rnoL+odfr6bZtP4HkFm0HeJ+xBrQg4WU+n7eSJLFR5wH8dfC3UJMGy+WyDJNGmQvwC4vFooyaNFAUZVUo/Pm5GdBbLBZXqEkD2Bjpuv6BOg/olSRpRNNv2u32NSzcoW0HeG9gJZAnQOx6/cKsVmc03YlZNWfgPacpi+/7rmma7yC5d8azDnhAb2AmNx6PJ77fGWqaqsmyvF8qleB19c9KpfJqWdZdo9E4juP4gdoJ3J8J6Xa7BgzXQr1er1/CMHwjBwyC8AW6vpgYpmCzMQAAAABJRU5ErkJggg==`,
	callback: (tt) => { getBoardMenu(tt) },
	};
	// technically we send back an array with only one item
	return [boardButton];
	}
	/**
	* Gets the menu for the board button when the board button is clicked
	* @param {TrelloObject} t
	*/
	const getBoardMenu = (t) => {
	/** @type {TrelloPopupListOptions} */
	const boardMenuPopup = {
	title: "Hello World menu",
	items: [],
	};
	boardMenuPopup.items.push({
	text: "Settings",
	callback: (tt) => { return showSettings(tt) },
	});
	// show it
	t.popup(boardMenuPopup);
	}
	/**
	* Shows the settings form
	* @param {TrelloObject} t
	*/
	const showSettings = (t) => {
	/** @type {TrelloPopupIFrameOptions} */
	const settingsIframeOptions = {
	title: "Settings",
	url: Common.detailsPage,
	args: { page: "settings" }
	}
	// show settings page
	t.popup(settingsIframeOptions);
	}

view raw client.js hosted with ❤ by GitHub

So, what this is doing is:

Initializing the Trello Power-Up
Hooking to the board buttons callback from Trello and adding a custom board button
The button calls the Trello List Popup (essentially menu), when clicked.
In that menu, I added ONE item, to show the settings in a pop-up iframe. Now, this is where things get interesting…

You might see how I might be doing something different from what Trello tutorials might have you doing. But if you look at the iframe reference, to Common.detailsPage, you will see that we added that as “details.html.” But WAIT, you did not ask me to create that page, so how is it going to work? Trust me, it will and in a moment, I will show you how it all works out. First clue is something called Web Pack. The second is pay close attention to the ARGS we are sending.

Next, create a new file called [details.js] and place it in the [js] folder with [details.js]. Here is the code for that page:

	/* global TrelloPowerUp */
	/// <reference path="../types/trello.d.js" />
	import SettingsPage from "./pages/settingsPage";
	/** @type {TrelloPowerUp} */
	const tpu = window.TrelloPowerUp;
	/** @type {TrelloObject} Trello iframe object */
	const t = tpu.iframe();
	t.render(() => {
	/** @type { "settings" } */
	const page = t.arg("page");
	switch (page) {
	case "settings":
	const settings = new SettingsPage();
	settings.render(t);
	break;
	}
	});

view raw details.js hosted with ❤ by GitHub

What we are doing here is setting this up for “reuse.” Gosh, I love that word. “Reuse,” said it again. REUSE. Ok…

So, we read the PAGE args (remember how I told you to pay close attention). I ask Trello for the arg passed call “page” and from that get which page to load. I then create an instance of a page object.

Now this is where I love, love, love ES6 and classes. I created an instance of the SettingsPage class and called render on it, passing the ever-important reference to the Trello context object (t). But what the heck, there still is not a Settings Page and details.html still does not exist??? Wait for it…

Now, in the [pages] folder, you will create the [settingsPage.js] file, and you will add this code:

	/// <reference path="../../types/trello.d.js" />
	import Common from "../common/common";
	export default class SettingsPage {
	constructor() { }
	/**
	* Renders the settings page
	* @param {TrelloObject} t
	*/
	render = async (t) => {
	/** @type {String} */
	const html = /html/`
	<p>You are on the setting page for ${Common.APPNAME}, ${Common.VERSION}</p>
	<p>Set the label for your button:</p>
	<input type="text" id="boardButtonTextInput" />
	<button id="saveButton" disabled>Save</button> <button id="closeButton">Close</button>
	`;
	// If you look at the index.html you will see there is a single div with this ID
	// this is how we DYNAMICALLY build a page in memory (above) and plop it in place
	document.getElementById("content").innerHTML = html;
	// now hook up things…
	/** @type {HTMLButtonElement} */
	const saveButton = document.getElementById("saveButton");
	/** @type {HTMLInputElement} */
	const input = document.getElementById("boardButtonTextInput");
	input.value = await t.get("board", "private", "buttonName", "Hello World");
	input.addEventListener("keypress", () => saveButton.disabled = false);
	saveButton.addEventListener("click", () => {
	t.set("board", "private", "buttonName", input.value);
	saveButton.disabled = true;
	});
	document.getElementById("closeButton").addEventListener("click", () => {
	t.closePopup();
	});
	t.sizeTo("#content");
	};
	}

view raw settingsPage.js hosted with ❤ by GitHub

What we are doing here is PURE ES6 GLORIOUS MAGIC. I generate a string using inline HTML (via the beautiful backtick), and you will see some VS Code fun stuff (/*html*/), this makes your code look like React inline HTML via the Inline HTML extension. OMG, it is awesome. Ok, then remember in the [index.html] file the div with the “id” of “content.” Well, I then assign the HTML string to the content div and viola, the settings page comes alive in the iframe of the Trello Popup window – just like that. And then because it is dynamic, I hook to the controls I created, add event hooks and such. I then call t.sizeTo() to tell Trello to fit the contents of the iframe neatly into the Popup window.

Hey, but there still is not a [details.html] page… should I not go and create that? NO!!! It’s coming, I promise.

Now, that is it for the code that makes your Power-Up tick. The rest is getting the development environment configured for runtime testing and building your code via Web Pack.

Step 3: Set Up Node and Web Pack

So, writing the code is half the battle. You could just make a copy if index.html and called it details.html place all the above code on a web server and call it a day. And everything will run.

But building a Power-Up and being able to update and test your code live is crucial to being able to make a compelling Power-Up in short order. You could just make changes, publish to the web, test, rinse – repeat. But it will take you a long time, frustration and for just a little more work, you will get SO MUCH MORE. And finally, your code will not be optimized (minified) for better browser runtime compile. So, here is how you round out your development environment for a Trello Power-Up.

Next thing you do is create a [package.json] at the root of the project folder. This file will tell NODE which packages to go pull of the Internet so that you can do the paragraph above. Here is the code:

	{
	"name": "trello-hello-world",
	"appName": "Hello World",
	"version": "1.0",
	"description": "A Power-Up to say hello.",
	"scripts": {
	"start": "webpack-dev-server –mode development",
	"build": "node webpack –mode production"
	},
	"dependencies": {
	"browserify": "^17.0.0",
	"cors": "^2.8.5",
	"express": "^4.15.2",
	"marked": "^4.0.17",
	"node": "^19.8.1",
	"openssl": "^2.0.0"
	},
	"engines": {
	"node": "6.10.x"
	},
	"license": "MIT",
	"author": "<your name>",
	"devDependencies": {
	"babel-core": "^6.26.3",
	"babel-loader": "^8.2.3",
	"babel-preset-es2015": "^6.24.1",
	"copy-webpack-plugin": "^10.2.4",
	"html-loader": "^3.1.0",
	"html-webpack-plugin": "^5.5.0",
	"terser-webpack-plugin": "^5.3.6",
	"webpack": "^5.69.1",
	"webpack-cli": "^4.9.2",
	"webpack-dev-server": "^4.7.4"
	}
	}

view raw package.json hosted with ❤ by GitHub

The next thing you need is the Web Pack file. Ok, remember how I kept putting off the creating the [details.html] file. Wait for it…

The following file is going to look rather complex if you have not used Web PAck before. What this does it tells NODE how to “compile” your code and setup the development environment for local development testing.

So, let’s get started by adding the following file to the root of you project folder [webpack.config.js]:

	const CopyWebpackPlugin = require("copy-webpack-plugin");
	const HtmlWebpackPlugin = require("html-webpack-plugin");
	const fs = require("fs");
	module.exports = async (env, options) => {
	const isProduction = options.mode === 'production';
	const config = {
	devtool: isProduction ? false : 'source-map',
	mode: isProduction ? "production" : "development",
	entry: {
	details: "./js/details.js",
	client: "./js/client.js",
	},
	output: {
	devtoolModuleFilenameTemplate: "webpack:///[resource-path]?[loaders]",
	clean: true,
	},
	resolve: {
	extensions: [".ts", ".tsx", ".html", ".js"],
	},
	module: { },
	plugins: [
	new HtmlWebpackPlugin({
	filename: "index.html",
	template: "./views/index.html",
	chunks: ["client"],
	}),
	new HtmlWebpackPlugin({
	filename: "details.html",
	template: "./views/index.html",
	chunks: ["details"],
	}),
	],
	devServer: {
	hot: true,
	headers: {
	"Access-Control-Allow-Origin": "*",
	},
	https: env.WEBPACK_BUILD \|\| options.https !== undefined ? options.https : {
	key: fs.readFileSync('./certs/server.key'),
	cert: fs.readFileSync('./certs/server.crt'),
	},
	port: process.env.npm_package_config_dev_server_port \|\| 12345,
	},
	};

	return config;
	};

view raw webpack.config.js hosted with ❤ by GitHub

I am not going into huge depth explaining this file as that is a whole post on its own. Bottom line what this is doing is configuring web pack. I will explain it like this:

defines the core entry points as chunks [detial.js] and [client.js].
in the plugins section, you will see the “reuse” coolness I was referring to above. On the fly we use the same file [index.html] for creating TWO files: index and details. And there you have it.
the devServer is the last bit that makes this whole journey worthwhile. This creates a NODE server on your box, running on port 12345.

Your own Dev Server running locally on your box is the key but it will not work without this next bit. Trello REQUIRES all connections to be protected by HTTPS, so you MUST have SSL certificates.

Generating certs is a mild amount of pain, but with a LONG-TERM gain. So, you WILL need to do this part. And it is not hard. Here is how you generate a cert (and key) for yourself:

Go here: https://slproweb.com/products/Win32OpenSSL.html
Download the light version that is for your OS (for me it was Windows x64 – Light)
Install it.
Once installed you can run this command in VS Code (in Windows):

& "C:\Program Files\OpenSSL-Win64\bin\openssl" req -newkey rsa:2048 -x509 -nodes -keyout server.key -new -out server.crt -sha256 -days 3650

It will ask you for a passphrase (something like “test” is ok), and to confirm the passphrase, then country, state, city, company, unit, and such. Nothing is critical here, put what you want for these fields.
It will create two files in the root of your project [server.crt] and [server.key].
Move these files to the [certs] folder.

And this cert is good for 10 years, so you can add it to all your future projects.

You are now ready to start development. Open a terminal (press CTRL+`) and in the root directory of your project, run the following command to enable/init/update the project:

npm update

This pulls in all the bits to make your development environment come alive.

Step 4: Setup Trello Admin Panel

To test your Power-Up, you can use the Trello development sandbox. Ensure you’ve created a Trello board and head to https://trello.com/power-ups/admin to enable the developer mode (see Trello documentation on this part).

Then, add your Power-Up to start testing. Here are the steps for our demo:

Click New
In the first field type “Hello World”
Next, select your workspace.
In the iframe URL, you type in your (soon to be launched local sandbox web server): https://localhost:12345/index.html
Fill in the emails and your name fields, then click Create.
You go to Capabilities and tick on “Board Buttons”

You are ready for the next step.

Step 5: Start your local web server and Test

In the terminal window, type this command:

npm start

You will see the web server start and now it is time to approve the certificate:

Open your browser and go to: https://localhost:12345/index.html
You will see a REJECTION, something like: Your connection isn’t private!
You must click Advanced, then click [Continue to localhost (unsafe)]

You can get around this by adding the certificate to the Trusted Root Certificate Authorities on your computer. But that is different for Mac and Windows users, so I will let you look that one up on your own.

By the way, I never do that. I just ALWAYS run this step before I run locally. Just remember if you go into Trello and it appears to hang and your Power-Up is not loaded… did you forget this step?

Now we go to Trello to add your Power-Up. Go to Trello, and go to your board:

Click Power-Ups, Add Power-Up.
Go to the Custom option.
Select Hello World, then click Add.

You will now see the [Hello World] board button appears. You are now running a local developer environment from VS Code with a live running debug in Trello. Go make a code change, refresh the browser and viola – your updated code changes are there and ready to test.

Now a word about “DEBUG.” I have not found a way to really hook up VS Code to Edge/Chrome yet and live debug. I am sure there is a way and if someone knows, please add a comment — I will give it a whirl and add a future post. What I do instead is open F12. When I get an error, it usually tells me the exact line it failed on, and I can go there in VS Code. I also use a lot of console.log() statements to follow code flow and get results. And when I feel particularly stuck, I though in a good debugger; line or two in the code so the F12 tools stop, and I can review things there. In the end this has worked rather well, but I really would like to be able to set a breakpoint in VS Code too… for now, I am happy enough.

Conclusion

Creating a Trello Power-Up in Visual Studio Code using npm is the only way to go as far as I am concerned.

Happy coding, and remember, the possibilities are endless when it comes to creating Trello Power-Ups to match your specific workflow. And over time, I will probably extend on this Power-Up tutorial as I find new things to write about.