Expose optional State parameter returned from Add to Slack button (#95)

aok-solutions · dblock · commit d3a24ddbc0d6 · 2019-03-13T11:03:24.000-04:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,8 @@
 
 * Your contribution here.
 
+* [#95](https://github.com/slack-ruby/slack-ruby-bot-server/pull/95): Expose the optional `state` parameter that is returned from the Add to Slack button - [@aok-solutions](https://github.com/aok-solutions).
+
 #### 0.9.0 (2019/2/25)
 
 * [#93](https://github.com/slack-ruby/slack-ruby-bot-server/pull/93): Removed ping worker in favor of slack-ruby-client lower level ping - [@dblock](https://github.com/dblock).
diff --git a/README.md b/README.md
@@ -103,15 +103,15 @@ You can introduce custom behavior into the service lifecycle via callbacks. This
 ```ruby
 instance = SlackRubyBotServer::Service.instance
 
-instance.on :created do |team, error|
+instance.on :created do |team, error, options|
   # a new team has been registered
 end
 
-instance.on :deactivated do |team, error|
+instance.on :deactivated do |team, error, options|
   # an existing team has been deactivated in Slack
 end
 
-instance.on :error do |team, error|
+instance.on :error do |team, error, options|
   # an error has occurred
 end
 ```
@@ -132,6 +132,22 @@ The following callbacks are supported. All callbacks receive a `team`, except `e
 | deactivating   | a team is being deactivated                                      |
 | deactivated    | a team has been deactivated                                      |
 
+
+The [Add to Slack button](https://api.slack.com/docs/slack-button) also allows for an optional `state` parameter that will be returned on completion of the request. The `creating` and `created` callbacks include an options hash where this value can be accessed (to check for forgery attacks for instance).
+```ruby
+auth = OpenSSL::HMAC.hexdigest("SHA256", "key", "data")
+```
+```html
+<a href="https://slack.com/oauth/authorize?scope=bot&client_id=<%= ENV['SLACK_CLIENT_ID'] %>&state=#{auth)"> ... </a>
+```
+```ruby
+instance = SlackRubyBotServer::Service.instance
+instance.on :creating do |team, error, options|
+  raise "Unauthorized response" unless options[:state] == auth
+end
+```
+
+
 #### Server Class
 
 You can override the server class to handle additional events, and configure the service to use it.
diff --git a/lib/slack-ruby-bot-server/api/endpoints/teams_endpoint.rb b/lib/slack-ruby-bot-server/api/endpoints/teams_endpoint.rb
@@ -33,6 +33,7 @@ class TeamsEndpoint < Grape::API
           desc 'Create a team using an OAuth token.'
           params do
             requires :code, type: String
+            optional :state, type: String
           end
           post do
             client = Slack::Web::Client.new
@@ -60,7 +61,9 @@ class TeamsEndpoint < Grape::API
               )
             end
 
-            Service.instance.create!(team)
+            options = params.slice(:state)
+
+            Service.instance.create!(team, options)
             present team, with: Presenters::TeamPresenter
           end
         end
diff --git a/lib/slack-ruby-bot-server/service.rb b/lib/slack-ruby-bot-server/service.rb
@@ -21,10 +21,10 @@ def on(type, &block)
       @callbacks[type.to_s] << block
     end
 
-    def create!(team)
-      run_callbacks :creating, team
+    def create!(team, options = {})
+      run_callbacks :creating, team, nil, options
       start!(team)
-      run_callbacks :created, team
+      run_callbacks :created, team, nil, options
     end
 
     def start!(team)
@@ -103,11 +103,11 @@ def start_server!(team, server, wait = 1)
       end
     end
 
-    def run_callbacks(type, team = nil, error = nil)
+    def run_callbacks(type, team = nil, error = nil, options = {})
       callbacks = @callbacks[type.to_s]
       return false unless callbacks
       callbacks.each do |c|
-        c.call team, error
+        c.call team, error, options
       end
       true
     rescue StandardError => e
diff --git a/public/scripts/register.js b/public/scripts/register.js
@@ -32,14 +32,16 @@ $(document).ready(function() {
 
   // Slack OAuth
   var code = $.url('?code')
+  var state = $.url('?state')
   if (code) {
     SlackRubyBotServer.message('Working, please wait ...');
     $('#register').hide();
     $.ajax({
       type: "POST",
       url: "/api/teams",
       data: {
-        code: code
+        code: code,
+        state: state
       },
       success: function(data) {
         SlackRubyBotServer.message('Team successfully registered!<br><br>DM <b>@bot</b> or create a <b>#channel</b> and invite <b>@bot</b> to it.');
diff --git a/spec/api/endpoints/teams_endpoint_spec.rb b/spec/api/endpoints/teams_endpoint_spec.rb
@@ -72,6 +72,12 @@
           expect(team.token).to eq 'token'
         end.to change(Team, :count).by(1)
       end
+
+      it 'includes optional state parameter' do
+        expect(SlackRubyBotServer::Service.instance).to receive(:create!).with(instance_of(Team), state: 'property')
+        client.teams._post(code: 'code', state: 'property')
+      end
+
       it 'reactivates a deactivated team' do
         expect(SlackRubyBotServer::Service.instance).to receive(:start!)
         existing_team = Fabricate(:team, token: 'token', active: false)
diff --git a/spec/database_adapters/activerecord/activerecord.rb b/spec/database_adapters/activerecord/activerecord.rb
@@ -1,3 +1,4 @@
 db_config = YAML.safe_load(File.read(File.expand_path('../../../sample_apps/sample_app_activerecord/config/postgresql.yml', __dir__)), [], [], true)[ENV['RACK_ENV']]
 ActiveRecord::Tasks::DatabaseTasks.create(db_config)
 ActiveRecord::Base.establish_connection(db_config)
+ActiveRecord::Base.logger.level = :info
diff --git a/spec/fixtures/slack/auth_test.yml b/spec/fixtures/slack/auth_test.yml
diff --git a/spec/integration/teams_spec.rb b/spec/integration/teams_spec.rb
@@ -9,17 +9,23 @@
     ENV.delete 'SLACK_CLIENT_ID'
     ENV.delete 'SLACK_CLIENT_SECRET'
   end
-  context 'oauth', vcr: { cassette_name: 'auth_test' } do
-    it 'registers a team' do
-      allow_any_instance_of(Team).to receive(:ping!).and_return(ok: true)
-      expect(SlackRubyBotServer::Service.instance).to receive(:start!)
+  context 'oauth' do
+    before do
       oauth_access = { 'bot' => { 'bot_access_token' => 'token' }, 'team_id' => 'team_id', 'team_name' => 'team_name' }
       allow_any_instance_of(Slack::Web::Client).to receive(:oauth_access).with(hash_including(code: 'code')).and_return(oauth_access)
+    end
+    it 'registers a team' do
+      allow_any_instance_of(Team).to receive(:ping!).and_return(ok: true)
+      expect(SlackRubyBotServer::Service.instance).to receive(:start!).with(instance_of(Team))
       expect do
         visit '/?code=code'
         expect(page.find('#messages')).to have_content 'Team successfully registered!'
       end.to change(Team, :count).by(1)
     end
+    it 'includes optional parameter' do
+      expect(SlackRubyBotServer::Service.instance).to receive(:create!).with(instance_of(Team), state: 'property')
+      visit '/?code=code&state=property'
+    end
   end
   context 'homepage' do
     before do
