Fix #454 Add oauth_settings.state_validation_enabled to customize the OAuth flow (#455)

* Fix #454 Add oauth_settings.state_validation_enabled to customize the OAuth flow
* Add more tests

Author: seratch

slack_bolt/oauth/async_oauth_flow.py

@@ -161,30 +161,32 @@ def sqlite3(
     # -----------------------------
 
     async def handle_installation(self, request: AsyncBoltRequest) -> BoltResponse:
-        state = await self.issue_new_state(request)
-        url = await self.build_authorize_url(state, request)
-        set_cookie_value = self.settings.state_utils.build_set_cookie_for_new_state(
-            state
-        )
+        set_cookie_value: Optional[str] = None
+        url = await self.build_authorize_url("", request)
+        if self.settings.state_validation_enabled is True:
+            state = await self.issue_new_state(request)
+            url = await self.build_authorize_url(state, request)
+            set_cookie_value = self.settings.state_utils.build_set_cookie_for_new_state(
+                state
+            )
         if self.settings.install_page_rendering_enabled:
             html = await self.build_install_page_html(url, request)
             return BoltResponse(
                 status=200,
                 body=html,
-                headers={
-                    "Content-Type": "text/html; charset=utf-8",
-                    "Set-Cookie": [set_cookie_value],
-                },
+                headers=await self.append_set_cookie_headers(
+                    {"Content-Type": "text/html; charset=utf-8"},
+                    set_cookie_value,
+                ),
             )
         else:
             return BoltResponse(
                 status=302,
                 body="",
-                headers={
-                    "Content-Type": "text/html; charset=utf-8",
-                    "Location": url,
-                    "Set-Cookie": [set_cookie_value],
-                },
+                headers=await self.append_set_cookie_headers(
+                    {"Content-Type": "text/html; charset=utf-8", "Location": url},
+                    set_cookie_value,
+                ),
             )
 
     # ----------------------
@@ -199,6 +201,13 @@ async def build_authorize_url(self, state: str, request: AsyncBoltRequest) -> st
     async def build_install_page_html(self, url: str, request: AsyncBoltRequest) -> str:
         return _build_default_install_page_html(url)
 
+    async def append_set_cookie_headers(
+        self, headers: dict, set_cookie_value: Optional[str]
+    ):
+        if set_cookie_value is not None:
+            headers["Set-Cookie"] = [set_cookie_value]
+        return headers
+
     # -----------------------------
     # Callback
     # -----------------------------
@@ -219,29 +228,30 @@ async def handle_callback(self, request: AsyncBoltRequest) -> BoltResponse:
             )
 
         # state parameter verification
-        state: Optional[str] = request.query.get("state", [None])[0]
-        if not self.settings.state_utils.is_valid_browser(state, request.headers):
-            return await self.failure_handler(
-                AsyncFailureArgs(
-                    request=request,
-                    reason="invalid_browser",
-                    suggested_status_code=400,
-                    settings=self.settings,
-                    default=self.default_callback_options,
+        if self.settings.state_validation_enabled is True:
+            state: Optional[str] = request.query.get("state", [None])[0]
+            if not self.settings.state_utils.is_valid_browser(state, request.headers):
+                return await self.failure_handler(
+                    AsyncFailureArgs(
+                        request=request,
+                        reason="invalid_browser",
+                        suggested_status_code=400,
+                        settings=self.settings,
+                        default=self.default_callback_options,
+                    )
                 )
-            )
 
-        valid_state_consumed = await self.settings.state_store.async_consume(state)
-        if not valid_state_consumed:
-            return await self.failure_handler(
-                AsyncFailureArgs(
-                    request=request,
-                    reason="invalid_state",
-                    suggested_status_code=401,
-                    settings=self.settings,
-                    default=self.default_callback_options,
+            valid_state_consumed = await self.settings.state_store.async_consume(state)
+            if not valid_state_consumed:
+                return await self.failure_handler(
+                    AsyncFailureArgs(
+                        request=request,
+                        reason="invalid_state",
+                        suggested_status_code=401,
+                        settings=self.settings,
+                        default=self.default_callback_options,
+                    )
                 )
-            )
 
         # run installation
         code = request.query.get("code", [None])[0]

slack_bolt/oauth/async_oauth_settings.py

@@ -44,6 +44,7 @@ class AsyncOAuthSettings:
     token_rotation_expiration_minutes: int
     authorize: AsyncAuthorize
     # state parameter related configurations
+    state_validation_enabled: bool
     state_store: AsyncOAuthStateStore
     state_cookie_name: str
     state_expiration_seconds: int
@@ -76,6 +77,7 @@ def __init__(
         installation_store_bot_only: bool = False,
         token_rotation_expiration_minutes: int = 120,
         # state parameter related configurations
+        state_validation_enabled: bool = True,
         state_store: Optional[AsyncOAuthStateStore] = None,
         state_cookie_name: str = OAuthStateUtils.default_cookie_name,
         state_expiration_seconds: int = OAuthStateUtils.default_expiration_seconds,
@@ -100,6 +102,7 @@ def __init__(
             installation_store: Specify the instance of `InstallationStore` (Default: `FileInstallationStore`)
             installation_store_bot_only: Use `InstallationStore#find_bot()` if True (Default: False)
             token_rotation_expiration_minutes: Minutes before refreshing tokens (Default: 2 hours)
+            state_validation_enabled: Set False if your OAuth flow omits the state parameter validation (Default: True)
             state_store: Specify the instance of `InstallationStore` (Default: `FileOAuthStateStore`)
             state_cookie_name: The cookie name that is set for installers' browser. (Default: "slack-app-oauth-state")
             state_expiration_seconds: The seconds that the state value is alive (Default: 600 seconds)
@@ -153,6 +156,7 @@ def __init__(
             bot_only=self.installation_store_bot_only,
         )
         # state parameter related configurations
+        self.state_validation_enabled = state_validation_enabled
         self.state_store = state_store or FileOAuthStateStore(
             expiration_seconds=state_expiration_seconds,
             client_id=client_id,

slack_bolt/oauth/oauth_flow.py

@@ -158,30 +158,33 @@ def sqlite3(
     # -----------------------------
 
     def handle_installation(self, request: BoltRequest) -> BoltResponse:
-        state = self.issue_new_state(request)
-        url = self.build_authorize_url(state, request)
-        set_cookie_value = self.settings.state_utils.build_set_cookie_for_new_state(
-            state
-        )
+        set_cookie_value: Optional[str] = None
+        url = self.build_authorize_url("", request)
+        if self.settings.state_validation_enabled is True:
+            state = self.issue_new_state(request)
+            url = self.build_authorize_url(state, request)
+            set_cookie_value = self.settings.state_utils.build_set_cookie_for_new_state(
+                state
+            )
+
         if self.settings.install_page_rendering_enabled:
             html = self.build_install_page_html(url, request)
             return BoltResponse(
                 status=200,
                 body=html,
-                headers={
-                    "Content-Type": "text/html; charset=utf-8",
-                    "Set-Cookie": [set_cookie_value],
-                },
+                headers=self.append_set_cookie_headers(
+                    {"Content-Type": "text/html; charset=utf-8"},
+                    set_cookie_value,
+                ),
             )
         else:
             return BoltResponse(
                 status=302,
                 body="",
-                headers={
-                    "Content-Type": "text/html; charset=utf-8",
-                    "Location": url,
-                    "Set-Cookie": [set_cookie_value],
-                },
+                headers=self.append_set_cookie_headers(
+                    {"Content-Type": "text/html; charset=utf-8", "Location": url},
+                    set_cookie_value,
+                ),
             )
 
     # ----------------------
@@ -196,6 +199,11 @@ def build_authorize_url(self, state: str, request: BoltRequest) -> str:
     def build_install_page_html(self, url: str, request: BoltRequest) -> str:
         return _build_default_install_page_html(url)
 
+    def append_set_cookie_headers(self, headers: dict, set_cookie_value: Optional[str]):
+        if set_cookie_value is not None:
+            headers["Set-Cookie"] = [set_cookie_value]
+        return headers
+
     # -----------------------------
     # Callback
     # -----------------------------
@@ -216,29 +224,30 @@ def handle_callback(self, request: BoltRequest) -> BoltResponse:
             )
 
         # state parameter verification
-        state = request.query.get("state", [None])[0]
-        if not self.settings.state_utils.is_valid_browser(state, request.headers):
-            return self.failure_handler(
-                FailureArgs(
-                    request=request,
-                    reason="invalid_browser",
-                    suggested_status_code=400,
-                    settings=self.settings,
-                    default=self.default_callback_options,
+        if self.settings.state_validation_enabled is True:
+            state = request.query.get("state", [None])[0]
+            if not self.settings.state_utils.is_valid_browser(state, request.headers):
+                return self.failure_handler(
+                    FailureArgs(
+                        request=request,
+                        reason="invalid_browser",
+                        suggested_status_code=400,
+                        settings=self.settings,
+                        default=self.default_callback_options,
+                    )
                 )
-            )
 
-        valid_state_consumed = self.settings.state_store.consume(state)
-        if not valid_state_consumed:
-            return self.failure_handler(
-                FailureArgs(
-                    request=request,
-                    reason="invalid_state",
-                    suggested_status_code=401,
-                    settings=self.settings,
-                    default=self.default_callback_options,
+            valid_state_consumed = self.settings.state_store.consume(state)
+            if not valid_state_consumed:
+                return self.failure_handler(
+                    FailureArgs(
+                        request=request,
+                        reason="invalid_state",
+                        suggested_status_code=401,
+                        settings=self.settings,
+                        default=self.default_callback_options,
+                    )
                 )
-            )
 
         # run installation
         code = request.query.get("code", [None])[0]

slack_bolt/oauth/oauth_settings.py

@@ -39,6 +39,7 @@ class OAuthSettings:
     token_rotation_expiration_minutes: int
     authorize: Authorize
     # state parameter related configurations
+    state_validation_enabled: bool
     state_store: OAuthStateStore
     state_cookie_name: str
     state_expiration_seconds: int
@@ -71,6 +72,7 @@ def __init__(
         installation_store_bot_only: bool = False,
         token_rotation_expiration_minutes: int = 120,
         # state parameter related configurations
+        state_validation_enabled: bool = True,
         state_store: Optional[OAuthStateStore] = None,
         state_cookie_name: str = OAuthStateUtils.default_cookie_name,
         state_expiration_seconds: int = OAuthStateUtils.default_expiration_seconds,
@@ -95,6 +97,7 @@ def __init__(
             installation_store: Specify the instance of `InstallationStore` (Default: `FileInstallationStore`)
             installation_store_bot_only: Use `InstallationStore#find_bot()` if True (Default: False)
             token_rotation_expiration_minutes: Minutes before refreshing tokens (Default: 2 hours)
+            state_validation_enabled: Set False if your OAuth flow omits the state parameter validation (Default: True)
             state_store: Specify the instance of `InstallationStore` (Default: `FileOAuthStateStore`)
             state_cookie_name: The cookie name that is set for installers' browser. (Default: "slack-app-oauth-state")
             state_expiration_seconds: The seconds that the state value is alive (Default: 600 seconds)
@@ -147,6 +150,7 @@ def __init__(
             bot_only=self.installation_store_bot_only,
         )
         # state parameter related configurations
+        self.state_validation_enabled = state_validation_enabled
         self.state_store = state_store or FileOAuthStateStore(
             expiration_seconds=state_expiration_seconds,
             client_id=client_id,

tests/slack_bolt/oauth/test_oauth_flow.py

@@ -4,7 +4,10 @@
 
 from slack_sdk import WebClient
 from slack_sdk.oauth.installation_store import FileInstallationStore
-from slack_sdk.oauth.state_store import FileOAuthStateStore
+from slack_sdk.oauth.state_store import (
+    OAuthStateStore,
+    FileOAuthStateStore,
+)
 from slack_sdk.signature import SignatureVerifier
 
 from slack_bolt import BoltRequest, BoltResponse, App
@@ -56,10 +59,11 @@ def test_handle_installation_default(self):
         resp = oauth_flow.handle_installation(req)
         assert resp.status == 200
         assert resp.headers.get("content-type") == ["text/html; charset=utf-8"]
+        assert resp.headers.get("set-cookie") is not None
         assert "https://slack.com/oauth/v2/authorize?state=" in resp.body
 
     # https://github.com/slackapi/bolt-python/issues/183
-    # For direct install URL suppport
+    # For direct install URL support
     def test_handle_installation_no_rendering(self):
         oauth_flow = OAuthFlow(
             settings=OAuthSettings(
@@ -77,6 +81,25 @@ def test_handle_installation_no_rendering(self):
         assert resp.status == 302
         location_header = resp.headers.get("location")[0]
         assert "https://slack.com/oauth/v2/authorize?state=" in location_header
+        assert resp.headers.get("set-cookie") is not None
+
+    def test_handle_installation_no_state_validation(self):
+        oauth_flow = OAuthFlow(
+            settings=OAuthSettings(
+                client_id="111.222",
+                client_secret="xxx",
+                scopes=["chat:write", "commands"],
+                user_scopes=["search:read"],
+                installation_store=FileInstallationStore(),
+                install_page_rendering_enabled=False,  # disabled
+                state_validation_enabled=False,  # disabled
+                state_store=None,
+            )
+        )
+        req = BoltRequest(body="")
+        resp = oauth_flow.handle_installation(req)
+        assert resp.status == 302
+        assert resp.headers.get("set-cookie") is None
 
     def test_scopes_as_str(self):
         settings = OAuthSettings(
@@ -160,6 +183,52 @@ def test_handle_callback_invalid_state(self):
         resp = oauth_flow.handle_callback(req)
         assert resp.status == 400
 
+    def test_handle_callback_already_expired_state(self):
+        class MyOAuthStateStore(OAuthStateStore):
+            def issue(self, *args, **kwargs) -> str:
+                return "expired_one"
+
+            def consume(self, state: str) -> bool:
+                return False
+
+        oauth_flow = OAuthFlow(
+            settings=OAuthSettings(
+                client_id="111.222",
+                client_secret="xxx",
+                scopes=["chat:write", "commands"],
+                state_store=MyOAuthStateStore(),
+            )
+        )
+        state = oauth_flow.issue_new_state(None)
+        req = BoltRequest(
+            body="",
+            query=f"code=foo&state={state}",
+            headers={"cookie": [f"{oauth_flow.settings.state_cookie_name}={state}"]},
+        )
+        resp = oauth_flow.handle_callback(req)
+        assert resp.status == 401
+
+    def test_handle_callback_no_state_validation(self):
+        oauth_flow = OAuthFlow(
+            client=WebClient(base_url=self.mock_api_server_base_url),
+            settings=OAuthSettings(
+                client_id="111.222",
+                client_secret="xxx",
+                scopes=["chat:write", "commands"],
+                installation_store=FileInstallationStore(),
+                state_validation_enabled=False,  # disabled
+                state_store=None,
+            ),
+        )
+        state = oauth_flow.issue_new_state(None)
+        req = BoltRequest(
+            body="",
+            query=f"code=foo&state=invalid",
+            headers={"cookie": [f"{oauth_flow.settings.state_cookie_name}={state}"]},
+        )
+        resp = oauth_flow.handle_callback(req)
+        assert resp.status == 200
+
     def test_handle_callback_using_options(self):
         def success(args: SuccessArgs) -> BoltResponse:
             assert args.request is not None