Fix #913 user-scope only OAuth does not work since v1.10 (#914)

Author: seratch

bolt-helidon/src/test/java/test_locally/MainTest.java

@@ -75,7 +75,7 @@ public void oauthStart() throws Exception {
         assertEquals(302, conn.getResponseCode());
         String authorizationUrl = conn.getHeaderField("Location");
         assertTrue(authorizationUrl, authorizationUrl.startsWith(
-                "https://slack.com/oauth/v2/authorize?client_id=123.123&scope=app_mention:read,chat:write,commands&user_scope=&state="));
+                "https://slack.com/oauth/v2/authorize?client_id=123.123&scope=app_mention%3Aread%2Cchat%3Awrite%2Ccommands&user_scope=&state="));
     }
 
 }

bolt-http4k/src/test/java/test_locally/Http4kSlackAppTest.java

@@ -154,7 +154,7 @@ public void oauth() {
         Response installResponse = oauthSlackApp.invoke(installRequest);
         assertThat(installResponse.getStatus().getCode(), equalTo(302));
         assertTrue(installResponse.header("Location").startsWith(
-                "https://slack.com/oauth/v2/authorize?client_id=111.222&scope=commands,chat:write&user_scope=&state="));
+                "https://slack.com/oauth/v2/authorize?client_id=111.222&scope=commands%2Cchat%3Awrite&user_scope=&state="));
 
         assertThat(installResponse.getStatus().getCode(), equalTo(302));
 

bolt/src/main/java/com/slack/api/bolt/App.java

@@ -38,16 +38,14 @@
 import lombok.extern.slf4j.Slf4j;
 
 import java.io.IOException;
-import java.io.UnsupportedEncodingException;
-import java.net.URLEncoder;
-import java.nio.charset.StandardCharsets;
 import java.util.*;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.regex.Pattern;
 
 import static com.slack.api.bolt.util.EventsApiPayloadParser.buildEventPayload;
 import static com.slack.api.bolt.util.EventsApiPayloadParser.getEventTypeAndSubtype;
+import static com.slack.api.bolt.util.UrlEncodingOps.urlEncode;
 
 /**
  * A Slack App instance.
@@ -351,15 +349,26 @@ public String buildAuthorizeUrl(String state) {
      */
     public String buildAuthorizeUrl(String state, String nonce) {
         AppConfig config = config();
-
-        if (config.getClientId() == null
-                // OpenID Connect does not use require the bot scopes
-                || (!config.isOpenIDConnectEnabled() && config.getScope() == null)
-                || (config.isStateValidationEnabled() && state == null)) {
+        if (config.getClientId() == null) {
+            log.warn("To enable th Slack OAuth flow, set config#clientId and so on properly. " +
+                    "Refer to https://api.slack.com/authentication for more information.");
+            return null;
+        }
+        if (config.isStateValidationEnabled() && state == null) {
+            log.warn("Your OAuthStateService might generate a null value for some reason.");
+            return null;
+        }
+        if (config.isOpenIDConnectEnabled() && config.getUserScope() == null) {
+            log.warn("For OpenID Connect authorization, set config#userScope properly. " +
+                    "Refer to https://api.slack.com/authentication/sign-in-with-slack for more information.");
             return null;
         }
+        if (config.isOpenIDConnectEnabled() && config.getScope() != null) {
+            // The config#scope value will be ignored
+            log.warn("For OpenID Connect authorization, use config#userScope() instead of #scope()");
+        }
 
-        String scope = config.getScope() == null ? "" : config.getScope();
+        String scope = config.getScope() == null ? "" : urlEncode(config.getScope());
         String redirectUriParam = redirectUriQueryParam(appConfig);
 
         if (config.isClassicAppPermissionsEnabled()) {
@@ -373,14 +382,14 @@ public String buildAuthorizeUrl(String state, String nonce) {
             return "https://slack.com/openid/connect/authorize" +
                     "?client_id=" + config.getClientId() +
                     "&response_type=code" +
-                    "&scope=" + (config.getUserScope() != null ? config.getUserScope() : scope) +
+                    "&scope=" + (config.getUserScope() != null ? urlEncode(config.getUserScope()) : scope) +
                     "&state=" + state +
                     redirectUriParam +
                     // The nonce parameter is an optional one in the OpenID Connect Spec
                     // https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
                     (nonce != null ? "&nonce=" + nonce : "");
         } else {
-            String userScope = config.getUserScope() == null ? "" : config.getUserScope();
+            String userScope = config.getUserScope() == null ? "" : urlEncode(config.getUserScope());
             return "https://slack.com/oauth/v2/authorize" +
                     "?client_id=" + config.getClientId() +
                     "&scope=" + scope +
@@ -403,16 +412,8 @@ private String redirectUriQueryParam(AppConfig appConfig) {
             return "";
         }
 
-        try {
-            String urlEncodedRedirectUri = URLEncoder.encode(
-                    appConfig.getRedirectUri(),
-                    StandardCharsets.UTF_8.name()
-            );
-
-            return String.format("&redirect_uri=%s", urlEncodedRedirectUri);
-        } catch (UnsupportedEncodingException e) {
-            return "";
-        }
+        String urlEncodedRedirectUri = urlEncode(appConfig.getRedirectUri());
+        return String.format("&redirect_uri=%s", urlEncodedRedirectUri);
     }
 
     // -------------------------------------
@@ -1023,7 +1024,7 @@ protected Response runHandler(Request slackRequest) throws IOException, SlackApi
                             String nonce = openIDConnectNonceService.issueNewNonce(slackRequest, response);
                             String authorizeUrl = buildAuthorizeUrl(state, nonce);
                             if (authorizeUrl == null) {
-                                log.error("App#buildAuthorizeUrl(String) returned null due to some missing settings");
+                                log.error("App#buildAuthorizeUrl(String) returned null due to missing/invalid settings");
                                 if (config().getOauthCancellationUrl() == null) {
                                     response.setContentType("text/html; charset=utf-8");
                                     String installPath = config().getOauthInstallRequestURI();

bolt/src/main/java/com/slack/api/bolt/util/UrlEncodingOps.java

@@ -0,0 +1,26 @@
+package com.slack.api.bolt.util;
+
+import lombok.extern.slf4j.Slf4j;
+
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+
+@Slf4j
+public class UrlEncodingOps {
+
+    private UrlEncodingOps() {
+    }
+
+    public static String urlEncode(String value) {
+        if (value == null) {
+            return null;
+        }
+        try {
+            return URLEncoder.encode(value, StandardCharsets.UTF_8.name());
+        } catch (UnsupportedEncodingException e) {
+            log.warn("Unexpectedly UnsupportedEncodingException was thrown while URL-encoding a string value.");
+            return value;
+        }
+    }
+}

bolt/src/test/java/test_locally/AppTest.java

@@ -55,7 +55,7 @@ public void buildAuthorizeUrl_v1() {
                 .build();
         App app = new App(config);
         String url = app.buildAuthorizeUrl("state-value");
-        assertEquals("https://slack.com/oauth/authorize?client_id=123&scope=commands,chat:write&state=state-value", url);
+        assertEquals("https://slack.com/oauth/authorize?client_id=123&scope=commands%2Cchat%3Awrite&state=state-value", url);
     }
 
     @Test
@@ -69,7 +69,7 @@ public void buildAuthorizeUrl_v1_with_redirect_uri() {
                 .build();
         App app = new App(config);
         String url = app.buildAuthorizeUrl("state-value");
-        assertEquals("https://slack.com/oauth/authorize?client_id=123&scope=commands,chat:write&state=state-value&redirect_uri=https%3A%2F%2Fmy.app%2Foauth%2Fcallback", url);
+        assertEquals("https://slack.com/oauth/authorize?client_id=123&scope=commands%2Cchat%3Awrite&state=state-value&redirect_uri=https%3A%2F%2Fmy.app%2Foauth%2Fcallback", url);
     }
 
     @Test
@@ -82,7 +82,7 @@ public void buildAuthorizeUrl_v2() {
                 .build();
         App app = new App(config);
         String url = app.buildAuthorizeUrl("state-value");
-        assertEquals("https://slack.com/oauth/v2/authorize?client_id=123&scope=commands,chat:write&user_scope=search:read&state=state-value", url);
+        assertEquals("https://slack.com/oauth/v2/authorize?client_id=123&scope=commands%2Cchat%3Awrite&user_scope=search%3Aread&state=state-value", url);
     }
 
     @Test
@@ -96,7 +96,7 @@ public void buildAuthorizeUrl_v2_with_redirect_uri() {
                 .build();
         App app = new App(config);
         String url = app.buildAuthorizeUrl("state-value");
-        assertEquals("https://slack.com/oauth/v2/authorize?client_id=123&scope=commands,chat:write&user_scope=search:read&state=state-value&redirect_uri=https%3A%2F%2Fmy.app%2Foauth%2Fcallback", url);
+        assertEquals("https://slack.com/oauth/v2/authorize?client_id=123&scope=commands%2Cchat%3Awrite&user_scope=search%3Aread&state=state-value&redirect_uri=https%3A%2F%2Fmy.app%2Foauth%2Fcallback", url);
     }
 
     @Test
@@ -106,6 +106,114 @@ public void buildAuthorizeUrl_null() {
         assertNull(url);
     }
 
+    @Test
+    public void buildAuthorizeUrl_bot_scope() {
+        App app = new App(AppConfig.builder()
+                .signingSecret("secret")
+                .clientId("111.222")
+                .clientSecret("secret")
+                .scope("commands,chat:write")
+                .build());
+        String generatedUrl = app.buildAuthorizeUrl("state-value");
+        assertEquals("https://slack.com/oauth/v2/authorize" +
+                "?client_id=111.222&scope=commands%2Cchat%3Awrite&user_scope=&state=state-value", generatedUrl);
+    }
+
+    @Test
+    public void buildAuthorizeUrl_bot_and_user_scope() {
+        App app = new App(AppConfig.builder()
+                .signingSecret("secret")
+                .clientId("111.222")
+                .clientSecret("secret")
+                .scope("commands,chat:write")
+                .userScope("search:read,chat:write")
+                .build());
+        String generatedUrl = app.buildAuthorizeUrl("state-value");
+        assertEquals("https://slack.com/oauth/v2/authorize" +
+                "?client_id=111.222&scope=commands%2Cchat%3Awrite&user_scope=search%3Aread%2Cchat%3Awrite&state=state-value", generatedUrl);
+    }
+
+    @Test
+    public void buildAuthorizeUrl_user_scope() {
+        App app = new App(AppConfig.builder()
+                .signingSecret("secret")
+                .clientId("111.222")
+                .clientSecret("secret")
+                .userScope("search:read,chat:write")
+                .build());
+        String generatedUrl = app.buildAuthorizeUrl("state-value");
+        assertEquals("https://slack.com/oauth/v2/authorize?client_id=111.222&scope=&user_scope=search%3Aread%2Cchat%3Awrite&state=state-value", generatedUrl);
+    }
+
+    @Test
+    public void buildAuthorizeUrl_OpenID_Connect() {
+        App app = new App(AppConfig.builder()
+                .openIDConnectEnabled(true)
+                .signingSecret("secret")
+                .clientId("111.222")
+                .userScope("openid,email")
+                .build());
+        String generatedUrl = app.buildAuthorizeUrl("state-value");
+        assertEquals("https://slack.com/openid/connect/authorize?client_id=111.222&response_type=code&scope=openid%2Cemail&state=state-value", generatedUrl);
+    }
+
+    @Test
+    public void buildAuthorizeUrl_OpenID_Connect_invalid() {
+        App app = new App(AppConfig.builder()
+                .openIDConnectEnabled(true)
+                .signingSecret("secret")
+                .clientId("111.222")
+                .scope("openid,email")
+                .build());
+        String generatedUrl = app.buildAuthorizeUrl("state-value");
+        assertNull(generatedUrl);
+    }
+
+    @Test
+    public void buildAuthorizeUrl_bot_scope_classic() {
+        App app = new App(AppConfig.builder()
+                .classicAppPermissionsEnabled(true)
+                .signingSecret("secret")
+                .clientId("111.222")
+                .clientSecret("secret")
+                .scope("commands,chat:write")
+                .build());
+        String generatedUrl = app.buildAuthorizeUrl("state-value");
+        // use_scope= does not exist in the Slack OAuth v1
+        assertEquals("https://slack.com/oauth/authorize" +
+                "?client_id=111.222&scope=commands%2Cchat%3Awrite&state=state-value", generatedUrl);
+    }
+
+    @Test
+    public void buildAuthorizeUrl_bot_and_user_scope_classic() {
+        App app = new App(AppConfig.builder()
+                .classicAppPermissionsEnabled(true)
+                .signingSecret("secret")
+                .clientId("111.222")
+                .clientSecret("secret")
+                .scope("commands,chat:write")
+                .userScope("search:read,chat:write")
+                .build());
+        String generatedUrl = app.buildAuthorizeUrl("state-value");
+        // use_scope= does not exist in the Slack OAuth v1
+        assertEquals("https://slack.com/oauth/authorize" +
+                "?client_id=111.222&scope=commands%2Cchat%3Awrite&state=state-value", generatedUrl);
+    }
+
+    @Test
+    public void buildAuthorizeUrl_user_scope_classic() {
+        App app = new App(AppConfig.builder()
+                .classicAppPermissionsEnabled(true)
+                .signingSecret("secret")
+                .clientId("111.222")
+                .clientSecret("secret")
+                .userScope("search:read,chat:write")
+                .build());
+        String generatedUrl = app.buildAuthorizeUrl("state-value");
+        // use_scope= does not exist in the Slack OAuth v1
+        assertEquals("https://slack.com/oauth/authorize?client_id=111.222&scope=&state=state-value", generatedUrl);
+    }
+
     @Test
     public void status() {
         App app = new App(AppConfig.builder()

bolt/src/test/java/test_locally/app/OAuthStartTest.java

@@ -48,7 +48,7 @@ public String issueNewState(Request request, Response response) {
                 "</head>\n" +
                 "<body>\n" +
                 "<h2>Slack App Installation</h2>\n" +
-                "<p><a href=\"https://slack.com/oauth/v2/authorize?client_id=111.222&scope=commands,chat:write&user_scope=&state=generated-state-value\"><img alt=\"\"Add to Slack\"\" height=\"40\" width=\"139\" src=\"https://platform.slack-edge.com/img/add_to_slack.png\" srcset=\"https://platform.slack-edge.com/img/add_to_slack.png 1x, https://platform.slack-edge.com/img/[email protected] 2x\" /></a></p>\n" +
+                "<p><a href=\"https://slack.com/oauth/v2/authorize?client_id=111.222&scope=commands%2Cchat%3Awrite&user_scope=&state=generated-state-value\"><img alt=\"\"Add to Slack\"\" height=\"40\" width=\"139\" src=\"https://platform.slack-edge.com/img/add_to_slack.png\" srcset=\"https://platform.slack-edge.com/img/add_to_slack.png 1x, https://platform.slack-edge.com/img/[email protected] 2x\" /></a></p>\n" +
                 "</body>\n" +
                 "</html>", response.getBody());
     }
@@ -78,7 +78,7 @@ public void start_state_validation_disabled() throws Exception {
                 "</head>\n" +
                 "<body>\n" +
                 "<h2>Slack App Installation</h2>\n" +
-                "<p><a href=\"https://slack.com/oauth/v2/authorize?client_id=111.222&scope=commands,chat:write&user_scope=&state=\"><img alt=\"\"Add to Slack\"\" height=\"40\" width=\"139\" src=\"https://platform.slack-edge.com/img/add_to_slack.png\" srcset=\"https://platform.slack-edge.com/img/add_to_slack.png 1x, https://platform.slack-edge.com/img/[email protected] 2x\" /></a></p>\n" +
+                "<p><a href=\"https://slack.com/oauth/v2/authorize?client_id=111.222&scope=commands%2Cchat%3Awrite&user_scope=&state=\"><img alt=\"\"Add to Slack\"\" height=\"40\" width=\"139\" src=\"https://platform.slack-edge.com/img/add_to_slack.png\" srcset=\"https://platform.slack-edge.com/img/add_to_slack.png 1x, https://platform.slack-edge.com/img/[email protected] 2x\" /></a></p>\n" +
                 "</body>\n" +
                 "</html>", response.getBody());
     }

bolt/src/test/java/test_locally/app/OpenIDConnectTest.java

@@ -66,7 +66,7 @@ public void deleteNonceFromDatastore(String nonce) {
             "</head>\n" +
             "<body>\n" +
             "<h2>Slack App Installation</h2>\n" +
-            "<p><a href=\"https://slack.com/openid/connect/authorize?client_id=111.222&response_type=code&scope=openid,email,profile&state=generated-state-value&nonce=generated-nonce-value\"><img alt=\"\"Add to Slack\"\" height=\"40\" width=\"139\" src=\"https://platform.slack-edge.com/img/add_to_slack.png\" srcset=\"https://platform.slack-edge.com/img/add_to_slack.png 1x, https://platform.slack-edge.com/img/[email protected] 2x\" /></a></p>\n" +
+            "<p><a href=\"https://slack.com/openid/connect/authorize?client_id=111.222&response_type=code&scope=openid%2Cemail%2Cprofile&state=generated-state-value&nonce=generated-nonce-value\"><img alt=\"\"Add to Slack\"\" height=\"40\" width=\"139\" src=\"https://platform.slack-edge.com/img/add_to_slack.png\" srcset=\"https://platform.slack-edge.com/img/add_to_slack.png 1x, https://platform.slack-edge.com/img/[email protected] 2x\" /></a></p>\n" +
             "</body>\n" +
             "</html>";
 

bolt/src/test/java/test_locally/util/UrlEncodingOpsTest.java

@@ -0,0 +1,30 @@
+package test_locally.util;
+
+import org.junit.Test;
+
+import static com.slack.api.bolt.util.UrlEncodingOps.urlEncode;
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.CoreMatchers.nullValue;
+import static org.hamcrest.MatcherAssert.assertThat;
+
+public class UrlEncodingOpsTest {
+
+    @Test
+    public void testUrlEncode() {
+        String result = urlEncode("foo,bar,baz");
+        assertThat(result, is("foo%2Cbar%2Cbaz"));
+    }
+
+    @Test
+    public void testUrlEncode_CJK() {
+        String result = urlEncode("日本語");
+        assertThat(result, is("%E6%97%A5%E6%9C%AC%E8%AA%9E"));
+    }
+
+    @Test
+    public void testUrlEncode_null() {
+        String result = urlEncode(null);
+        assertThat(result, is(nullValue()));
+    }
+
+}