Skip to content

Commit

Permalink
Improve the default OAuth page content renderer not to embed external…
Browse files Browse the repository at this point in the history
… parameters as-is (#1352)
  • Loading branch information
seratch authored Apr 13, 2023
1 parent b085a4c commit 8b7fe5b
Show file tree
Hide file tree
Showing 12 changed files with 51 additions and 256 deletions.
15 changes: 7 additions & 8 deletions docs-src/oauth/index.rst
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ The code snippet below demonstrates how to build it using `Flask <https://flask.
.. code-block:: python
import os
import html
from slack_sdk.oauth import AuthorizeUrlGenerator
from slack_sdk.oauth.installation_store import FileInstallationStore, Installation
from slack_sdk.oauth.state_store import FileOAuthStateStore
Expand All @@ -59,7 +60,7 @@ The code snippet below demonstrates how to build it using `Flask <https://flask.
state = state_store.issue()
# https://slack.com/oauth/v2/authorize?state=(generated value)&client_id={client_id}&scope=app_mentions:read,chat:write&user_scope=search:read
url = authorize_url_generator.generate(state)
return f'<a href="{url}">' \
return f'<a href="{html.escape(url)}">' \
f'<img alt=""Add to Slack"" height="40" width="139" src="https://platform.slack-edge.com/img/add_to_slack.png" srcset="https://platform.slack-edge.com/img/add_to_slack.png 1x, https://platform.slack-edge.com/img/add_to_slack@2x.png 2x" /></a>'
When accessing ``https://(your domain)/slack/install``, you will see "Add to Slack" button in the webpage. You can start the app's installation flow by clicking the button.
Expand Down Expand Up @@ -90,13 +91,11 @@ The redirection gives you a ``code`` parameter. You can exchange the value for a
redirect_uri=redirect_uri,
code=request.args["code"]
)
installed_enterprise = oauth_response.get("enterprise", {})
installed_enterprise = oauth_response.get("enterprise") or {}
is_enterprise_install = oauth_response.get("is_enterprise_install")
installed_team = oauth_response.get("team", {})
installer = oauth_response.get("authed_user", {})
incoming_webhook = oauth_response.get("incoming_webhook", {})
installed_team = oauth_response.get("team") or {}
installer = oauth_response.get("authed_user") or {}
incoming_webhook = oauth_response.get("incoming_webhook") or {}
bot_token = oauth_response.get("access_token")
# NOTE: oauth.v2.access doesn't include bot_id in response
bot_id = None
Expand Down Expand Up @@ -137,7 +136,7 @@ The redirection gives you a ``code`` parameter. You can exchange the value for a
return make_response(f"Try the installation again (the state value is already expired)", 400)
error = request.args["error"] if "error" in request.args else ""
return make_response(f"Something is wrong with the installation (error: {error})", 400)
return make_response(f"Something is wrong with the installation (error: {html.escape(error)})", 400)
Token Lookup
*************************************************
Expand Down
13 changes: 7 additions & 6 deletions integration_tests/samples/oauth/oauth_v2.py
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
# ---------------------
# Flask App for Slack OAuth flow
# ---------------------
import html

# pip3 install flask
from flask import Flask, request, make_response
Expand Down Expand Up @@ -41,7 +42,7 @@ def oauth_start():
state = state_store.issue()
url = authorization_url_generator.generate(state)
return (
f'<a href="{url}">'
f'<a href="{html.escape(url)}">'
f'<img alt=""Add to Slack"" height="40" width="139" src="https://platform.slack-edge.com/img/add_to_slack.png" srcset="https://platform.slack-edge.com/img/add_to_slack.png 1x, https://platform.slack-edge.com/img/add_to_slack@2x.png 2x" /></a>'
)

Expand All @@ -57,11 +58,11 @@ def oauth_callback():
oauth_response = client.oauth_v2_access(client_id=client_id, client_secret=client_secret, code=code)
logger.info(f"oauth.v2.access response: {oauth_response}")

installed_enterprise = oauth_response.get("enterprise", {})
installed_enterprise = oauth_response.get("enterprise") or {}
is_enterprise_install = oauth_response.get("is_enterprise_install")
installed_team = oauth_response.get("team", {})
installer = oauth_response.get("authed_user", {})
incoming_webhook = oauth_response.get("incoming_webhook", {})
installed_team = oauth_response.get("team") or {}
installer = oauth_response.get("authed_user") or {}
incoming_webhook = oauth_response.get("incoming_webhook") or {}

bot_token = oauth_response.get("access_token")
# NOTE: oauth.v2.access doesn't include bot_id in response
Expand Down Expand Up @@ -105,7 +106,7 @@ def oauth_callback():
return redirect_page_renderer.render_failure_page("the state value is already expired")

error = request.args["error"] if "error" in request.args else ""
return make_response(f"Something is wrong with the installation (error: {error})", 400)
return redirect_page_renderer.render_failure_page(error)


# ---------------------
Expand Down
13 changes: 10 additions & 3 deletions integration_tests/samples/oauth/oauth_v2_async.py
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
# ---------------------
# Sanic App for Slack OAuth flow
# ---------------------

import html
import logging
import os
from slack_sdk.web.async_client import AsyncWebClient
Expand Down Expand Up @@ -44,7 +44,7 @@ async def oauth_start(req: Request):
url = authorization_url_generator.generate(state)
return HTTPResponse(
status=200,
body=f'<a href="{url}">'
body=f'<a href="{html.escape(url)}">'
f'<img alt=""Add to Slack"" height="40" width="139" src="https://platform.slack-edge.com/img/add_to_slack.png" srcset="https://platform.slack-edge.com/img/add_to_slack.png 1x, https://platform.slack-edge.com/img/add_to_slack@2x.png 2x" /></a>',
)

Expand All @@ -61,6 +61,7 @@ async def oauth_callback(req: Request):
logger.info(f"oauth.v2.access response: {oauth_response}")

installed_enterprise = oauth_response.get("enterprise") or {}
is_enterprise_install = oauth_response.get("is_enterprise_install")
installed_team = oauth_response.get("team") or {}
installer = oauth_response.get("authed_user") or {}
incoming_webhook = oauth_response.get("incoming_webhook") or {}
Expand All @@ -85,6 +86,8 @@ async def oauth_callback(req: Request):
incoming_webhook_url=incoming_webhook.get("url"),
incoming_webhook_channel_id=incoming_webhook.get("channel_id"),
incoming_webhook_configuration_url=incoming_webhook.get("configuration_url"),
is_enterprise_install=is_enterprise_install,
token_type=oauth_response.get("token_type"),
)
installation_store.save(installation)
html = redirect_page_renderer.render_success_page(
Expand All @@ -111,7 +114,11 @@ async def oauth_callback(req: Request):
)

error = req.args.get("error") if "error" in req.args else ""
return HTTPResponse(status=400, body=f"Something is wrong with the installation (error: {error})")
return HTTPResponse(
status=400,
headers={"Content-Type": "text/html; charset=utf-8"},
body=redirect_page_renderer.render_failure_page(error),
)


# ---------------------
Expand Down
224 changes: 0 additions & 224 deletions integration_tests/samples/oauth/oauth_v2_legacy.py

This file was deleted.

2 changes: 1 addition & 1 deletion integration_tests/samples/openid_connect/flask_example.py
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,7 @@ def oauth_callback():
return redirect_page_renderer.render_failure_page("The state value is already expired")

error = request.args["error"] if "error" in request.args else ""
return make_response(f"Something is wrong with the installation (error: {error})", 400)
return redirect_page_renderer.render_failure_page(error)


if __name__ == "__main__":
Expand Down
Loading

0 comments on commit 8b7fe5b

Please sign in to comment.