Closed stevengill closed 4 years ago
Related issue: https://github.com/slackapi/bolt-js/issues/492
After chatting with @aoberoi, it seems the best course of action is to not support "Add to Slack" from the "Manage Distributions" tab. The button here is missing a `state` parameter, which is insecure, as `state` helps against CSRF attacks. We will instead work with the app config team internally here to see if we can get this resolved on the site itself.

It is recommended for developers who run into this issue to generate their own secure "Add to Slack" button using the `installer.generateInstallUrl()` method in this oauth library. They can replace the `href` attribute's value with the output from `installer.generateInstallUrl()`.
```html
<a href="REPLACE_WITH_OUTPUT_FROM_installer.generateInstallUrl()"><img alt="Add to Slack" height="40" width="139" src="https://platform.slack-edge.com/img/add_to_slack.png" srcset="https://platform.slack-edge.com/img/add_to_slack.png 1x, https://platform.slack-edge.com/img/add_to_slack@2x.png 2x"></a>
```
Description
On your app configuration page, an "Add to Slack" button exists under the "Manage Distribution" navigation. This "Add to Slack" doesn't include a `state`. Without a `state`, our `handleCallback` currently throws an error. I propose we fix this by removing that error check for `state` to be mandatory and having `verifyState` return an empty object in this scenario.

Bug Report

Packages: @slack/oauth