Fix #584 Wrong user_token assigned to new user (affected versions: v1.11.2, v1.11.3) (#586)

Author: seratch

slack_bolt/authorization/async_authorize.py

@@ -194,7 +194,10 @@ async def __call__(
 
                     if latest_installation.user_id != user_id:
                         # First off, remove the user token as the installer is a different user
+                        user_token = None
                         latest_installation.user_token = None
+                        latest_installation.user_refresh_token = None
+                        latest_installation.user_token_expires_at = None
                         latest_installation.user_scopes = []
 
                         # try to fetch the request user's installation

slack_bolt/authorization/authorize.py

@@ -194,7 +194,10 @@ def __call__(
 
                     if latest_installation.user_id != user_id:
                         # First off, remove the user token as the installer is a different user
+                        user_token = None
                         latest_installation.user_token = None
+                        latest_installation.user_refresh_token = None
+                        latest_installation.user_token_expires_at = None
                         latest_installation.user_scopes = []
 
                         # try to fetch the request user's installation

tests/mock_web_api_server.py

@@ -155,19 +155,21 @@ def _handle(self):
                     self.logger.info(f"request body: {request_body}")
 
                     if request_body.get("grant_type") == "refresh_token":
-                        if "bot-valid" in request_body.get("refresh_token"):
-                            self.send_response(200)
-                            self.set_common_headers()
-                            body = self.oauth_v2_access_bot_refresh_response
-                            self.wfile.write(body.encode("utf-8"))
-                            return
-                        if "user-valid" in request_body.get("refresh_token"):
-                            self.send_response(200)
-                            self.set_common_headers()
-                            body = self.oauth_v2_access_user_refresh_response
-                            self.wfile.write(body.encode("utf-8"))
-                            return
-                    if request_body.get("code") is not None:
+                        refresh_token = request_body.get("refresh_token")
+                        if refresh_token is not None:
+                            if "bot-valid" in refresh_token:
+                                self.send_response(200)
+                                self.set_common_headers()
+                                body = self.oauth_v2_access_bot_refresh_response
+                                self.wfile.write(body.encode("utf-8"))
+                                return
+                            if "user-valid" in refresh_token:
+                                self.send_response(200)
+                                self.set_common_headers()
+                                body = self.oauth_v2_access_user_refresh_response
+                                self.wfile.write(body.encode("utf-8"))
+                                return
+                    elif request_body.get("code") is not None:
                         self.send_response(200)
                         self.set_common_headers()
                         self.wfile.write(self.oauth_v2_access_response.encode("utf-8"))

tests/slack_bolt/authorization/test_authorize.py

@@ -245,6 +245,55 @@ def test_fetch_different_user_token_with_rotation(self):
         assert result.user_token == "xoxp-valid-refreshed"
         assert_auth_test_count(self, 1)
 
+    def test_remove_latest_user_token_if_it_is_not_relevant(self):
+        installation_store = ValidUserTokenInstallationStore()
+        authorize = InstallationStoreAuthorize(
+            logger=installation_store.logger, installation_store=installation_store
+        )
+        context = BoltContext()
+        context["client"] = WebClient(base_url=self.mock_api_server_base_url)
+        result = authorize(
+            context=context, enterprise_id="E111", team_id="T0G9PQBBK", user_id="W333"
+        )
+        assert result.bot_id == "BZYBOTHED"
+        assert result.bot_user_id == "W23456789"
+        assert result.bot_token == "xoxb-valid"
+        assert result.user_token is None
+        assert_auth_test_count(self, 1)
+
+    def test_rotate_only_bot_token(self):
+        context = BoltContext()
+        mock_client = WebClient(base_url=self.mock_api_server_base_url)
+        context["client"] = mock_client
+
+        installation_store = ValidUserTokenRotationInstallationStore()
+        invalid_authorize = InstallationStoreAuthorize(
+            logger=installation_store.logger, installation_store=installation_store
+        )
+        with pytest.raises(BoltError):
+            invalid_authorize(
+                context=context,
+                enterprise_id="E111",
+                team_id="T0G9PQBBK",
+                user_id="W333",
+            )
+
+        authorize = InstallationStoreAuthorize(
+            client_id="111.222",
+            client_secret="secret",
+            client=mock_client,
+            logger=installation_store.logger,
+            installation_store=installation_store,
+        )
+        result = authorize(
+            context=context, enterprise_id="E111", team_id="T0G9PQBBK", user_id="W333"
+        )
+        assert result.bot_id == "BZYBOTHED"
+        assert result.bot_user_id == "W23456789"
+        assert result.bot_token == "xoxb-valid-refreshed"
+        assert result.user_token is None
+        assert_auth_test_count(self, 1)
+
 
 class LegacyMemoryInstallationStore(InstallationStore):
     @property

tests/slack_bolt_async/authorization/test_async_authorize.py

@@ -272,6 +272,57 @@ async def test_fetch_different_user_token_with_rotation(self):
         assert result.user_token == "xoxp-valid-refreshed"
         await assert_auth_test_count_async(self, 1)
 
+    @pytest.mark.asyncio
+    async def test_remove_latest_user_token_if_it_is_not_relevant(self):
+        installation_store = ValidUserTokenInstallationStore()
+        authorize = AsyncInstallationStoreAuthorize(
+            logger=installation_store.logger, installation_store=installation_store
+        )
+        context = AsyncBoltContext()
+        context["client"] = AsyncWebClient(base_url=self.mock_api_server_base_url)
+        result = await authorize(
+            context=context, enterprise_id="E111", team_id="T0G9PQBBK", user_id="W333"
+        )
+        assert result.bot_id == "BZYBOTHED"
+        assert result.bot_user_id == "W23456789"
+        assert result.bot_token == "xoxb-valid"
+        assert result.user_token is None
+        await assert_auth_test_count_async(self, 1)
+
+    @pytest.mark.asyncio
+    async def test_rotate_only_bot_token(self):
+        context = AsyncBoltContext()
+        mock_client = AsyncWebClient(base_url=self.mock_api_server_base_url)
+        context["client"] = mock_client
+
+        installation_store = ValidUserTokenRotationInstallationStore()
+        invalid_authorize = AsyncInstallationStoreAuthorize(
+            logger=installation_store.logger, installation_store=installation_store
+        )
+        with pytest.raises(BoltError):
+            await invalid_authorize(
+                context=context,
+                enterprise_id="E111",
+                team_id="T0G9PQBBK",
+                user_id="W333",
+            )
+
+        authorize = AsyncInstallationStoreAuthorize(
+            client_id="111.222",
+            client_secret="secret",
+            client=mock_client,
+            logger=installation_store.logger,
+            installation_store=installation_store,
+        )
+        result = await authorize(
+            context=context, enterprise_id="E111", team_id="T0G9PQBBK", user_id="W333"
+        )
+        assert result.bot_id == "BZYBOTHED"
+        assert result.bot_user_id == "W23456789"
+        assert result.bot_token == "xoxb-valid-refreshed"
+        assert result.user_token is None
+        await assert_auth_test_count_async(self, 1)
+
 
 class LegacyMemoryInstallationStore(AsyncInstallationStore):
     @property