Fix an issue where different user's token may exist in context

seratch · seratch · commit 32f47c45e531 · 2021-02-21T12:36:03.000+09:00
diff --git a/slack_bolt/authorization/async_authorize.py b/slack_bolt/authorization/async_authorize.py
@@ -131,6 +131,8 @@ async def __call__(
         if not self.bot_only and self.find_installation_available:
             # since v1.1, this is the default way
             try:
+                # Note that this is the latest information for the org/workspace.
+                # The installer may not be the user associated with this incoming request.
                 installation: Optional[
                     Installation
                 ] = await self.installation_store.async_find_installation(
@@ -143,6 +145,10 @@ async def __call__(
                     return None
 
                 if installation.user_id != user_id:
+                    # First off, remove the user token as the installer is a different user
+                    installation.user_token = None
+                    installation.user_scopes = []
+
                     # try to fetch the request user's installation
                     # to reflect the user's access token if exists
                     user_installation = (
@@ -154,6 +160,7 @@ async def __call__(
                         )
                     )
                     if user_installation is not None:
+                        # Overwrite the installation with the one for this user
                         installation = user_installation
 
                 bot_token, user_token = installation.bot_token, installation.user_token
diff --git a/slack_bolt/authorization/authorize.py b/slack_bolt/authorization/authorize.py
@@ -131,6 +131,8 @@ def __call__(
         if not self.bot_only and self.find_installation_available:
             # since v1.1, this is the default way
             try:
+                # Note that this is the latest information for the org/workspace.
+                # The installer may not be the user associated with this incoming request.
                 installation: Optional[
                     Installation
                 ] = self.installation_store.find_installation(
@@ -143,6 +145,10 @@ def __call__(
                     return None
 
                 if installation.user_id != user_id:
+                    # First off, remove the user token as the installer is a different user
+                    installation.user_token = None
+                    installation.user_scopes = []
+
                     # try to fetch the request user's installation
                     # to reflect the user's access token if exists
                     user_installation = self.installation_store.find_installation(
@@ -152,6 +158,7 @@ def __call__(
                         is_enterprise_install=context.is_enterprise_install,
                     )
                     if user_installation is not None:
+                        # Overwrite the installation with the one for this user
                         installation = user_installation
 
                 bot_token, user_token = installation.bot_token, installation.user_token
