add functions to query the Slack API for oauth exchange

Author: yasunariw

lib/api.ml

@@ -16,4 +16,6 @@ module type Slack = sig
   val send_notification : ctx:Context.t -> msg:post_message_req -> (unit, string) Result.t Lwt.t
 
   val send_chat_unfurl : ctx:Context.t -> chat_unfurl_req -> (unit, string) Result.t Lwt.t
+
+  val update_access_token_of_context : ctx:Context.t -> code:string -> (unit, string) Result.t Lwt.t
 end

lib/api_local.ml

@@ -28,6 +28,8 @@ module Slack_base : Api.Slack = struct
   let send_notification ~ctx:_ ~msg:_ = Lwt.return @@ Error "undefined for local setup"
 
   let send_chat_unfurl ~ctx:_ _ = Lwt.return @@ Error "undefined for local setup"
+
+  let update_access_token_of_context ~ctx:_ ~code:_ = Lwt.return @@ Error "undefined for local setup"
 end
 
 module Slack : Api.Slack = struct
@@ -38,6 +40,10 @@ module Slack : Api.Slack = struct
     Stdio.printf "will notify #%s\n" msg.channel;
     Stdio.printf "%s\n" json;
     Lwt.return @@ Ok ()
+
+  let update_access_token_of_context ~ctx:_ ~code:_ =
+    Stdio.printf "will generate token\n";
+    Lwt.return @@ Ok ()
 end
 
 module Slack_simple : Api.Slack = struct

lib/api_remote.ml

@@ -120,4 +120,36 @@ module Slack : Api.Slack = struct
         )
       | Error e -> Lwt.return @@ fmt_error "error while querying %s: %s\nfailed to unfurl Slack links" url e
       )
+
+  let access_token_of_code ~(ctx : Context.t) ~code =
+    let secrets = Context.get_secrets_exn ctx in
+    let body = `Form [ "code", code ] in
+    match secrets.slack_client_id with
+    | None -> Lwt.return @@ Error "slack_client_id is undefined"
+    | Some client_id ->
+    match secrets.slack_client_secret with
+    | None -> Lwt.return @@ Error "slack_client_secret is undefined"
+    | Some client_secret ->
+      let auth_header = Base64.encode_string @@ sprintf "%s:%s" client_id client_secret in
+      let headers = [ Printf.sprintf "Authorization: Basic %s" auth_header ] in
+      ( match%lwt Common.http_request ~body ~headers `POST "https://slack.com/api/oauth.v2.access" with
+      | Error e -> Lwt.return @@ Error e
+      | Ok data ->
+        let response = Slack_j.oauth_access_res_of_string data in
+        ( match response.access_token, response.error with
+        | Some access_token, _ -> Lwt.return @@ Ok access_token
+        | None, Some e -> Lwt.return @@ Error e
+        | None, None -> Lwt.return @@ Error "an unknown error occurred while getting access token"
+        )
+      )
+
+  let update_access_token_of_context ~ctx ~code =
+    let secrets = Context.get_secrets_exn ctx in
+    match%lwt access_token_of_code ~ctx ~code with
+    | Error e -> Lwt.return @@ Error e
+    | Ok access_token ->
+      let secrets = { secrets with slack_access_token = Some access_token } in
+      ctx.secrets <- Some secrets;
+      let data = Config_j.string_of_secrets secrets |> Yojson.Basic.from_string |> Yojson.Basic.pretty_to_string in
+      Lwt.return @@ write_to_local_file ~data ctx.secrets_filepath
 end

lib/config.atd

@@ -49,4 +49,11 @@ type secrets = {
   ?slack_access_token : string nullable;
  (* Slack uses this secret to sign requests; provide to verify incoming Slack requests *)
   ?slack_signing_secret : string nullable;
+  (* Client ID of the Slack bot; used for OAuth authentication  *)
+  ?slack_client_id : string nullable;
+  (* Client secret of the Slack bot; used for OAuth authentication  *)
+  ?slack_client_secret : string nullable;
+  (* if specified, maintains state b/w OAuth request and callback to prevent CSRF
+    see: https://tools.ietf.org/html/rfc6749#section-4.1.1 *)
+  ?slack_oauth_state : string nullable;
 }

lib/slack.atd

@@ -118,3 +118,10 @@ type chat_unfurl_res = {
   ok: bool;
   ?error: string option;
 }
+
+(* expected payload when exchanging oauth code for access token *)
+type oauth_access_res = {
+  ok: bool;
+  ?access_token: string option;
+  ?error: string option;
+}

lib/slack.ml

@@ -373,3 +373,14 @@ let validate_signature ?(version = "v0") ?signing_key ~headers body =
     let basestring = Printf.sprintf "%s:%s:%s" version timestamp body in
     let expected_signature = Printf.sprintf "%s=%s" version (Common.sign_string_sha256 ~key ~basestring) in
     if String.equal expected_signature signature then Ok () else Error "signatures don't match"
+
+let validate_state ?oauth_state ~args =
+  match oauth_state with
+  | None -> Ok ()
+  | Some expected_state ->
+  match List.Assoc.find args "state" ~equal:String.equal with
+  | None -> Error "argument `state` not found in slack authorization request"
+  | Some state ->
+  match String.equal state expected_state with
+  | false -> Error "argument `state` is present in slack authorization request but does not match expected value"
+  | true -> Ok ()