remove oauth flow and focus on self-hosted use case

OAuth can be re-added later on

Author: yasunariw

README.md

@@ -38,23 +38,6 @@ Run the `_build/default/src/monorobot.exe` binary. The following commands are su
     3. Click "Install to Workspace", and when prompted to grant permissions to your workspace, click "Allow".
     4. Copy the generated OAuth access token (`xoxb-XXXX`) to the `slack_access_token` field of your secrets file. This token is used by the bot to authenticate to the workspace, and remains valid until the token is revoked or the app is uninstalled.
 
-### OAuth Authorization
-
-If you are preparing the app for distribution, you also need to enable automatic OAuth exchange.
-
-You should...
-
-1. In your Slack app dashboard, click on "OAuth & Permissions" in the sidebar. Set the *Redirect URL* to be `<server_domain>/slack/oauth`, and ensure your bot has a *Bot Token Scope* of `chat:write`.
-1. You can optionally provide a value for `slack_oauth_state` in your secrets file to [avoid forgery attacks](https://tools.ietf.org/html/rfc6749#section-4.1.1) during the OAuth exchange.
-1. Launch the server with the `run` command. Make sure it's reachable externally from same the `server_domain` you used for the GitHub Payload URL. The bot server will listen on `/slack/oauth` for incoming OAuth requests.
-1. When the server completes an OAuth exchange and doesn't have an access token defined yet, the secrets file on the server will be regenerated to include a `slack_access_token` field.
-
-Your users should...
-
-1. Go to the following address, replacing the appropriate values (the `state` argument is only needed if you set `slack_oauth_state` in the previous step). `https://slack.com/oauth/v2/authorize?scope=chat:write&client_id=<slack_client_id>&redirect_uri=<server_domain>/slack/oauth&state=<slack_oauth_state>`
-1. A page should open asking for permission to install the bot to the workspace. When prompted, click "Allow".
-1. Add the bot to all Slack channels the user wants to send notifications to.
-
 ### Documentation
 
 The bot expects two configuration files to be present.

documentation/secret_docs.md

@@ -8,20 +8,16 @@ A secrets file stores sensitive information. Unlike the repository configuration
 
 ```json
 {
-    "slack_client_id": "",
-    "slack_client_secret": ""
+    "gh_token": "",
+    "slack_access_token": ""
 }
 ```
 
 | value | description | optional | default |
 |-|-|-|-|
 | `gh_token` | specify to grant the bot access to private repositories; omit for public repositories | Yes | - |
 | `gh_hook_token` | specify to ensure the bot only receives GitHub notifications from pre-approved repositories | Yes | - |
-| `slack_client_id` | slack client ID, used for [oauth](https://api.slack.com/authentication/oauth-v2) authentication; can be found in your slack app's [management page](https://api.slack.com/apps) | No | - |
-| `slack_client_secret` | slack client secret, used for [oauth](https://api.slack.com/authentication/oauth-v2) authentication; can be found in your slack app's [management page](https://api.slack.com/apps) | No | - |
-| `slack_signing_secret` | specify to verify incoming slack requests; can be found in your slack app's [management page](https://api.slack.com/apps) | Yes | - |
-| `slack_oauth_state` | specify some unique value to maintain state b/w oauth request and callback and prevent CSRF (see [RFC6749](https://tools.ietf.org/html/rfc6749#section-4.1.1)) | Yes | - |
-| `slack_access_token` | slack bot token obtained via [oauth](https://api.slack.com/authentication/oauth-v2), enabling message posting to the workspace; if not provided initially, the first sucessful oauth exchange will update this field both in memory and on disk | Yes | - |
+| `slack_access_token` | slack bot token obtained via [oauth](https://api.slack.com/authentication/oauth-v2), enabling message posting to the workspace | Yes | - |
 
 ## `gh_token`
 

lib/action.ml

@@ -232,25 +232,4 @@ module Action (Github_api : Api.Github) (Slack_api : Api.Slack) = struct
     | Context.Context_error msg ->
       log#error "%s" msg;
       Lwt.return_unit
-
-  let process_slack_oauth (ctx : Context.t) args =
-    try%lwt
-      let secrets = Context.get_secrets_exn ctx in
-      match secrets.slack_access_token with
-      | Some _ -> Lwt.return_unit
-      | None ->
-      match Slack.has_valid_state ?oauth_state:secrets.slack_oauth_state ~args with
-      | false -> action_error "expected state not found in slack authorization request"
-      | true ->
-      match List.Assoc.find args "code" ~equal:String.equal with
-      | None -> action_error "argument `code` not found in slack authorization request"
-      | Some code ->
-        ( match%lwt Slack_api.update_access_token_of_context ~ctx ~code with
-        | Error e -> action_error e
-        | Ok () -> Lwt.return_unit
-        )
-    with
-    | Yojson.Json_error msg -> Lwt.return @@ log#error "failed to parse file as valid JSON (%s)" msg
-    | Action_error msg -> Lwt.return @@ log#error "%s\naborting slack oauth exchange" msg
-    | Context.Context_error msg -> Lwt.return @@ log#error "%s" msg
 end

lib/api.ml

@@ -10,6 +10,4 @@ end
 
 module type Slack = sig
   val send_notification : ctx:Context.t -> msg:post_message_req -> (unit, string) Result.t Lwt.t
-
-  val update_access_token_of_context : ctx:Context.t -> code:string -> (unit, string) Result.t Lwt.t
 end

lib/api_local.ml

@@ -26,10 +26,6 @@ module Slack : Api.Slack = struct
     Stdio.printf "will notify #%s\n" msg.channel;
     Stdio.printf "%s\n" json;
     Lwt.return @@ Ok ()
-
-  let update_access_token_of_context ~ctx:_ ~code:_ =
-    Stdio.printf "will generate token\n";
-    Lwt.return @@ Ok ()
 end
 
 module Slack_simple : Api.Slack = struct
@@ -42,8 +38,6 @@ module Slack_simple : Api.Slack = struct
       | Some s -> Printf.sprintf " with %S" s
       );
     Lwt.return @@ Ok ()
-
-  let update_access_token_of_context ~ctx:_ ~code:_ = Lwt.return @@ Error "undefined for local setup"
 end
 
 module Slack_json : Api.Slack = struct
@@ -57,6 +51,4 @@ module Slack_json : Api.Slack = struct
     log#info "%s" (Uri.to_string url);
     log#info "%s" json;
     Lwt.return @@ Ok ()
-
-  let update_access_token_of_context ~ctx:_ ~code:_ = Lwt.return @@ Error "undefined for local setup"
 end

lib/api_remote.ml

@@ -70,31 +70,4 @@ module Slack : Api.Slack = struct
         )
       | Error e -> Lwt.return @@ fmt_error "error while querying %s: %s\nfailed to send Slack notification" url e
       )
-
-  let access_token_of_code ~(ctx : Context.t) ~code =
-    let secrets = Context.get_secrets_exn ctx in
-    let body = `Form [ "code", code ] in
-    let auth_header =
-      Printf.ksprintf Base64.encode_string "%s:%s" secrets.slack_client_id secrets.slack_client_secret
-    in
-    let headers = [ Printf.sprintf "Authorization: Basic %s" auth_header ] in
-    match%lwt Common.http_request ~body ~headers `POST "https://slack.com/api/oauth.v2.access" with
-    | Error e -> Lwt.return @@ Error e
-    | Ok data ->
-      let response = Slack_j.oauth_access_res_of_string data in
-      ( match response.access_token, response.error with
-      | Some access_token, _ -> Lwt.return @@ Ok access_token
-      | None, Some e -> Lwt.return @@ Error e
-      | None, None -> Lwt.return @@ Error "an unknown error occurred while getting access token"
-      )
-
-  let update_access_token_of_context ~ctx ~code =
-    let secrets = Context.get_secrets_exn ctx in
-    match%lwt access_token_of_code ~ctx ~code with
-    | Error e -> Lwt.return @@ Error e
-    | Ok access_token ->
-      let secrets = { secrets with slack_access_token = Some access_token } in
-      ctx.secrets <- Some secrets;
-      let data = Config_j.string_of_secrets secrets |> Yojson.Basic.from_string |> Yojson.Basic.pretty_to_string in
-      Lwt.return @@ write_to_local_file ~data ctx.secrets_filepath
 end

lib/config.atd

@@ -37,17 +37,6 @@ type secrets = {
   ?gh_token : string option;
   (* GitHub webhook token to secure the webhook *)
   ?gh_hook_token : string option;
-  (* Client ID of the Slack bot; used for OAuth authentication  *)
-  slack_client_id : string;
-  (* Client secret of the Slack bot; used for OAuth authentication  *)
-  slack_client_secret : string;
-  (* Slack uses this secret to sign requests; provide to verify incoming Slack requests *)
-  ?slack_signing_secret : string option;
-  (* if specified, maintains state b/w OAuth request and callback to prevent CSRF
-    see: https://tools.ietf.org/html/rfc6749#section-4.1.1 *)
-  ?slack_oauth_state : string option;
-  (* Slack bot token obtained via OAuth, enabling message posting to the workspace;
-    if not provided initially, the first successful OAuth exchange will update this
-    field both in memory and on disk *)
+  (* Slack bot token obtained via OAuth, enabling message posting to the workspace *)
   ?slack_access_token : string option;
 }

lib/slack.atd

@@ -60,13 +60,6 @@ type post_message_req = {
   ?blocks: message_block list nullable;
 }
 
-(* expected payload when exchanging oauth code for access token *)
-type oauth_access_res = {
-  ok: bool;
-  ?access_token: string option;
-  ?error: string option;
-}
-
 type post_message_res = {
   ok: bool;
   ?channel: string option;

lib/slack.ml

@@ -358,25 +358,3 @@ let generate_commit_comment_notification api_commit notification channel =
     }
   in
   { channel; text = None; attachments = Some [ attachment ]; blocks = None }
-
-let validate_signature ?(version = "v0") ?signing_key ~headers body =
-  match signing_key with
-  | None -> Ok ()
-  | Some key ->
-  match List.Assoc.find headers "x-slack-signature" ~equal:String.equal with
-  | None -> Error "unable to find header X-Slack-Signature"
-  | Some signature ->
-  match List.Assoc.find headers "x-slack-request-timestamp" ~equal:String.equal with
-  | None -> Error "unable to find header X-Slack-Request-Timestamp"
-  | Some timestamp ->
-    let basestring = Printf.sprintf "%s:%s:%s" version timestamp body in
-    let expected_signature = Printf.sprintf "%s=%s" version (Common.sign_string_sha256 ~key ~basestring) in
-    if String.equal expected_signature signature then Ok () else Error "signatures don't match"
-
-let has_valid_state ?oauth_state ~args =
-  match oauth_state with
-  | None -> true
-  | Some expected_state ->
-  match List.Assoc.find args "state" ~equal:String.equal with
-  | None -> false
-  | Some state -> String.equal state expected_state

src/request_handler.ml

@@ -38,10 +38,6 @@ let setup_http ~ctx ~signature ~port ~ip =
           log#info "%s" request.body;
           let%lwt () = Action.process_github_notification ctx request.headers request.body in
           ret (Lwt.return "ok")
-        | _, [ "slack"; "oauth" ] ->
-          log#info "slack oauth authorization request received";
-          let%lwt () = Action.process_slack_oauth ctx request.args in
-          ret (Lwt.return "ok")
         | _, _ ->
           log#error "unknown path : %s" (Httpev.show_request request);
           ret_err `Not_found "not found"