looker-open-source · jeffrey-martinez · Mar 20, 2026 · Mar 20, 2026 · Mar 21, 2026 · Mar 24, 2026
@@ -18,9 +18,38 @@ export declare class SlackAction extends Hub.DelegateOAuthAction {
     minimumSupportedLookerVersion: string;
     usesStreaming: boolean;
     executeInOwnProcess: boolean;
+    private readonly crypto;
+    /**
+     * Executes the Slack action.
+     * Decrypts state_json if it was previously encrypted and passes it to the client manager.
+     * If execution succeeds and the feature flag is on, it encrypts the state before returning.
+     */
     execute(request: Hub.ActionRequest): Promise<Hub.ActionResponse>;
+    /**
+     * Retrieves the form fields for the action.
+     * Decrypts state_json before creating clients to fetch available workspaces.
+     * If the response state needs to be maintained, it encrypts it before sending it back to Looker.
+     */
     form(request: Hub.ActionRequest): Promise<Hub.ActionForm>;
     loginForm(request: Hub.ActionRequest, form?: Hub.ActionForm): Promise<Hub.ActionForm>;
+    /**
+     * Checks if the OAuth connection is valid.
+     * Opportunistically decrypts the state and returns whether the connection holds.
+     */
     oauthCheck(request: Hub.ActionRequest): Promise<Hub.ActionForm>;
     authTest(clients: WebClient[]): Promise<any[]>;
+    /**
+     * Re-encrypts the state_json if it was decrypted successfully and the feature flag is on.
+     */
+    private updateStateIfNeeded;
+    /**
+     * Decrypts the state_json parsing it as plain text if decryption fails.
+     * This ensures backward compatibility with older, unencrypted states.
+     */
+    private decryptStateIfNeeded;
+    /**
+     * Encrypts the state_json string if the feature flag is enabled.
+     * Returns the encrypted string or the original state if encryption fails or is disabled.
+     */
+    private encryptStateJson;
 }
@@ -2,6 +2,7 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.SlackAction = void 0;
 const winston = require("winston");
+const aes_transit_crypto_1 = require("../../crypto/aes_transit_crypto");
 const http_errors_1 = require("../../error_types/http_errors");
 const Hub = require("../../hub");
 const action_response_1 = require("../../hub/action_response");
@@ -30,10 +31,17 @@ class SlackAction extends Hub.DelegateOAuthAction {
         this.minimumSupportedLookerVersion = "6.23.0";
         this.usesStreaming = true;
         this.executeInOwnProcess = true;
+        this.crypto = new aes_transit_crypto_1.AESTransitCrypto();
     }
+    /**
+     * Executes the Slack action.
+     * Decrypts state_json if it was previously encrypted and passes it to the client manager.
+     * If execution succeeds and the feature flag is on, it encrypts the state before returning.
+     */
     async execute(request) {
         const resp = new Hub.ActionResponse();
-        const clientManager = new slack_client_manager_1.SlackClientManager(request, true);
+        const decryptedState = await this.decryptStateIfNeeded(request);
+        const clientManager = new slack_client_manager_1.SlackClientManager(request, true, decryptedState);
         const selectedClient = clientManager.getSelectedClient();
         if (!selectedClient) {
             const error = (0, action_response_1.errorWith)(http_errors_1.HTTP_ERROR.bad_request, `${LOG_PREFIX} Missing client`);
@@ -45,11 +53,19 @@ class SlackAction extends Hub.DelegateOAuthAction {
             return resp;
         }
         else {
-            return await (0, utils_1.handleExecute)(request, selectedClient);
+            const executedResponse = await (0, utils_1.handleExecute)(request, selectedClient);
+            await this.updateStateIfNeeded(executedResponse, decryptedState, request.params.state_json);
+            return executedResponse;
         }
     }
+    /**
+     * Retrieves the form fields for the action.
+     * Decrypts state_json before creating clients to fetch available workspaces.
+     * If the response state needs to be maintained, it encrypts it before sending it back to Looker.
+     */
     async form(request) {
-        const clientManager = new slack_client_manager_1.SlackClientManager(request, false);
+        const decryptedState = await this.decryptStateIfNeeded(request);
+        const clientManager = new slack_client_manager_1.SlackClientManager(request, false, decryptedState);
         if (!clientManager.hasAnyClients()) {
             return this.loginForm(request);
         }
@@ -89,6 +105,7 @@ class SlackAction extends Hub.DelegateOAuthAction {
             winston.error(`${LOG_PREFIX} Displaying Form Fields: ${e.message}`, { webhookId: request.webhookId });
             return this.loginForm(request, form);
         }
+        await this.updateStateIfNeeded(form, decryptedState, request.params.state_json);
         return form;
     }
     async loginForm(request, form = new Hub.ActionForm()) {
@@ -109,9 +126,14 @@ class SlackAction extends Hub.DelegateOAuthAction {
         }
         return form;
     }
+    /**
+     * Checks if the OAuth connection is valid.
+     * Opportunistically decrypts the state and returns whether the connection holds.
+     */
     async oauthCheck(request) {
         const form = new Hub.ActionForm();
-        const clientManager = new slack_client_manager_1.SlackClientManager(request);
+        const decryptedState = await this.decryptStateIfNeeded(request);
+        const clientManager = new slack_client_manager_1.SlackClientManager(request, false, decryptedState);
         if (!clientManager.hasAnyClients()) {
             form.error = AUTH_MESSAGE;
             winston.error(`${LOG_PREFIX} ${AUTH_MESSAGE}`, { webhookId: request.webhookId });
@@ -134,6 +156,7 @@ class SlackAction extends Hub.DelegateOAuthAction {
             form.error = utils_1.displayError[e.message] || e;
             winston.error(`${LOG_PREFIX} ${form.error}`, { webhookId: request.webhookId });
         }
+        await this.updateStateIfNeeded(form, decryptedState, request.params.state_json);
         return form;
     }
     async authTest(clients) {
@@ -147,6 +170,50 @@ class SlackAction extends Hub.DelegateOAuthAction {
         }
         return result;
     }
+    /**
+     * Re-encrypts the state_json if it was decrypted successfully and the feature flag is on.
+     */
+    async updateStateIfNeeded(response, decryptedState, originalState) {
+        if (decryptedState && decryptedState === originalState && process.env.ENCRYPT_PAYLOAD_SLACK_APP === "true") {
+            response.state = new Hub.ActionState();
+            response.state.data = await this.encryptStateJson(decryptedState);
+        }
+    }
+    /**
+     * Decrypts the state_json parsing it as plain text if decryption fails.
+     * This ensures backward compatibility with older, unencrypted states.
+     */
+    async decryptStateIfNeeded(request) {
+        if (!request.params.state_json) {
+            return undefined;
+        }
+        if (!request.params.state_json.startsWith("1")) {
+            return request.params.state_json;
+        }
+        try {
+            return await this.crypto.decrypt(request.params.state_json);
+        }
+        catch (e) {
+            winston.warn(`${LOG_PREFIX} Decryption failed, assuming plain text: ${e.message}`);
+            return request.params.state_json;
+        }
+    }
+    /**
+     * Encrypts the state_json string if the feature flag is enabled.
+     * Returns the encrypted string or the original state if encryption fails or is disabled.
+     */
+    async encryptStateJson(stateJson) {
+        if (process.env.ENCRYPT_PAYLOAD_SLACK_APP === "true") {
+            try {
+                return await this.crypto.encrypt(stateJson);
+            }
+            catch (e) {
+                winston.error(`${LOG_PREFIX} Encryption failed: ${e.message}`);
+                return stateJson;
+            }
+        }
+        return stateJson;
+    }
 }
 exports.SlackAction = SlackAction;
 Hub.addAction(new SlackAction());
@@ -7,10 +7,19 @@ export declare const makeSlackClient: (token: string, disableRetries?: boolean)
 export declare class SlackClientManager {
     private selectedInstallId;
     private clients;
-    constructor(request: Hub.ActionRequest, disableRetries?: boolean);
+    /**
+     * Initializes the Slack clients by parsing the stateJson payload.
+     * Overrides with decryptedStateJson if provided (opportunistic decryption).
+     */
+    constructor(request: Hub.ActionRequest, disableRetries?: boolean, decryptedStateJson?: string);
+    /** Checks if there are any initialized Slack clients. */
     hasAnyClients: () => boolean;
+    /** Gets all initialized Slack clients as an array. */
     getClients: () => WebClient[];
+    /** Checks if a specific client is selected. */
     hasSelectedClient: () => boolean;
+    /** Gets the currently selected Slack client or defaults to the first available connection. */
     getSelectedClient: () => WebClient | undefined;
+    /** Gets a specific client by its install ID. */
     getClient: (installId: string) => WebClient | undefined;
 }
@@ -19,14 +19,23 @@ const makeSlackClient = (token, disableRetries = false) => {
 };
 exports.makeSlackClient = makeSlackClient;
 class SlackClientManager {
-    constructor(request, disableRetries = false) {
+    /**
+     * Initializes the Slack clients by parsing the stateJson payload.
+     * Overrides with decryptedStateJson if provided (opportunistic decryption).
+     */
+    constructor(request, disableRetries = false, decryptedStateJson) {
+        /** Checks if there are any initialized Slack clients. */
         this.hasAnyClients = () => Object.entries(this.clients).length > 0;
+        /** Gets all initialized Slack clients as an array. */
         this.getClients = () => Object.values(this.clients);
+        /** Checks if a specific client is selected. */
         this.hasSelectedClient = () => !!this.selectedInstallId;
+        /** Gets the currently selected Slack client or defaults to the first available connection. */
         this.getSelectedClient = () => this.selectedInstallId ?
             this.clients[this.selectedInstallId] : undefined;
+        /** Gets a specific client by its install ID. */
         this.getClient = (installId) => this.clients[installId];
-        const stateJson = request.params.state_json;
+        const stateJson = decryptedStateJson || request.params.state_json;
         if (!stateJson) {
             this.clients = {};
         }

@@ -1,6 +1,7 @@
 import {WebClient} from "@slack/web-api"
 import {WebAPICallResult} from "@slack/web-api/dist/WebClient"
 import * as winston from "winston"
+import { AESTransitCrypto } from "../../crypto/aes_transit_crypto"
 import {HTTP_ERROR} from "../../error_types/http_errors"
 import * as Hub from "../../hub"
 import {Error, errorWith} from "../../hub/action_response"
@@ -37,9 +38,17 @@ export class SlackAction extends Hub.DelegateOAuthAction {
   usesStreaming = true
   executeInOwnProcess = true
 
+  private readonly crypto = new AESTransitCrypto()
+
+  /**
+   * Executes the Slack action.
+   * Decrypts state_json if it was previously encrypted and passes it to the client manager.
+   * If execution succeeds and the feature flag is on, it encrypts the state before returning.
+   */
   async execute(request: Hub.ActionRequest) {
     const resp = new Hub.ActionResponse()
-    const clientManager = new SlackClientManager(request, true)
+    const decryptedState = await this.decryptStateIfNeeded(request)
+    const clientManager = new SlackClientManager(request, true, decryptedState)
     const selectedClient = clientManager.getSelectedClient()
     if (!selectedClient) {
       const error: Error = errorWith(
@@ -55,12 +64,20 @@ export class SlackAction extends Hub.DelegateOAuthAction {
       winston.error(`${error.message}`, {error, webhookId: request.webhookId})
       return resp
     } else {
-      return await handleExecute(request, selectedClient)
+      const executedResponse = await handleExecute(request, selectedClient)
+      await this.updateStateIfNeeded(executedResponse, decryptedState, request.params.state_json)
+      return executedResponse
     }
   }
 
+  /**
+   * Retrieves the form fields for the action.
+   * Decrypts state_json before creating clients to fetch available workspaces.
+   * If the response state needs to be maintained, it encrypts it before sending it back to Looker.
+   */
   async form(request: Hub.ActionRequest) {
-    const clientManager = new SlackClientManager(request, false)
+    const decryptedState = await this.decryptStateIfNeeded(request)
+    const clientManager = new SlackClientManager(request, false, decryptedState)
     if (!clientManager.hasAnyClients()) {
       return this.loginForm(request)
     }
@@ -107,6 +124,7 @@ export class SlackAction extends Hub.DelegateOAuthAction {
       return this.loginForm(request, form)
     }
 
+    await this.updateStateIfNeeded(form, decryptedState, request.params.state_json)
     return form
   }
 
@@ -128,10 +146,14 @@ export class SlackAction extends Hub.DelegateOAuthAction {
     return form
   }
 
+  /**
+   * Checks if the OAuth connection is valid.
+   * Opportunistically decrypts the state and returns whether the connection holds.
+   */
   async oauthCheck(request: Hub.ActionRequest) {
     const form = new Hub.ActionForm()
-
-    const clientManager = new SlackClientManager(request)
+    const decryptedState = await this.decryptStateIfNeeded(request)
+    const clientManager = new SlackClientManager(request, false, decryptedState)
     if (!clientManager.hasAnyClients()) {
       form.error = AUTH_MESSAGE
       winston.error(`${LOG_PREFIX} ${AUTH_MESSAGE}`, {webhookId: request.webhookId})
@@ -155,6 +177,7 @@ export class SlackAction extends Hub.DelegateOAuthAction {
       form.error = displayError[e.message] || e
       winston.error(`${LOG_PREFIX} ${form.error}`, {webhookId: request.webhookId})
     }
+    await this.updateStateIfNeeded(form, decryptedState, request.params.state_json)
     return form
   }
 
@@ -172,6 +195,54 @@ export class SlackAction extends Hub.DelegateOAuthAction {
     }
     return result
   }
+  /**
+   * Re-encrypts the state_json if it was decrypted successfully and the feature flag is on.
+   */
+  private async updateStateIfNeeded(
+    response: Hub.ActionResponse | Hub.ActionForm,
+    decryptedState: string | undefined,
+    originalState: string | undefined,
+  ) {
+    if (decryptedState && decryptedState === originalState && process.env.ENCRYPT_PAYLOAD_SLACK_APP === "true") {
+      response.state = new Hub.ActionState()
+      response.state.data = await this.encryptStateJson(decryptedState)
+    }
+  }
+
+  /**
+   * Decrypts the state_json parsing it as plain text if decryption fails.
+   * This ensures backward compatibility with older, unencrypted states.
+   */
+  private async decryptStateIfNeeded(request: Hub.ActionRequest): Promise<string | undefined> {
+    if (!request.params.state_json) {
+      return undefined
+    }
+    if (!request.params.state_json.startsWith("1")) {
+      return request.params.state_json
+    }
+    try {
+      return await this.crypto.decrypt(request.params.state_json)
+    } catch (e: any) {
+      winston.warn(`${LOG_PREFIX} Decryption failed, assuming plain text: ${e.message}`)
+      return request.params.state_json
+    }
+  }
+
+  /**
+   * Encrypts the state_json string if the feature flag is enabled.
+   * Returns the encrypted string or the original state if encryption fails or is disabled.
+   */
+  private async encryptStateJson(stateJson: string): Promise<string> {
+    if (process.env.ENCRYPT_PAYLOAD_SLACK_APP === "true") {
+      try {
+        return await this.crypto.encrypt(stateJson)
+      } catch (e: any) {
+        winston.error(`${LOG_PREFIX} Encryption failed: ${e.message}`)
+        return stateJson
+      }
+    }
+    return stateJson
+  }
 }
 
 Hub.addAction(new SlackAction())
@@ -29,8 +29,12 @@ export class SlackClientManager {
     private selectedInstallId: string | undefined
     private clients: { [key: string]: WebClient }
 
-    constructor(request: Hub.ActionRequest, disableRetries = false) {
-        const stateJson = request.params.state_json
+    /**
+     * Initializes the Slack clients by parsing the stateJson payload.
+     * Overrides with decryptedStateJson if provided (opportunistic decryption).
+     */
+    constructor(request: Hub.ActionRequest, disableRetries = false, decryptedStateJson?: string) {
+        const stateJson = decryptedStateJson || request.params.state_json
 
         if (!stateJson) {
             this.clients = {}
@@ -72,14 +76,19 @@ export class SlackClientManager {
         }
     }
 
+    /** Checks if there are any initialized Slack clients. */
     hasAnyClients = (): boolean => Object.entries(this.clients).length > 0
 
+    /** Gets all initialized Slack clients as an array. */
     getClients = (): WebClient[] => Object.values(this.clients)
 
+    /** Checks if a specific client is selected. */
     hasSelectedClient = (): boolean => !!this.selectedInstallId
 
+    /** Gets the currently selected Slack client or defaults to the first available connection. */
     getSelectedClient = (): WebClient | undefined => this.selectedInstallId ?
         this.clients[this.selectedInstallId] : undefined
 
+    /** Gets a specific client by its install ID. */
     getClient = (installId: string): WebClient | undefined => this.clients[installId]
 }