slackapi / node-slack-sdk

Slack Developer Kit for Node.js
https://tools.slack.dev/node-slack-sdk/
MIT License

OAuth module doesn't support manage distribution "Add to Slack" button in app config #1009

Closed stevengill closed 4 years ago

stevengill commented 4 years ago

Description

On your app configuration page, an "Add to Slack" button exists under the "Manage Distribution" navigation. This "Add to Slack" doesn't include a state. Without a state, our handleCallback currently throws an error.

I propose we fix this by removing that error check for state to be mandatory and having verifyState return an empty object in this scenario.

stevengill commented 4 years ago

Related issue: https://github.com/slackapi/bolt-js/issues/492

stevengill commented 4 years ago

After chatting with @aoberoi, it seems the best course of action is to not support "Add to Slack" from "Manage Distributions" tab. The button here is missing a state parameter, which is insecure, as state helps against CSRF attacks. We will instead work with the app config team internally here to see if we can get this resolved on the site itself.

It is recommended for developers who run into this issue to generate their own secure "Add to Slack" button using the installer.generateInstallUrl() method in this oauth library. They can replace the href attribute's value with the output from installer.generateInstallUrl().

```html
<a href="REPLACE_WITH_OUTPUT_FROM_installer.generateInstallUrl()"><img alt="Add to Slack" height="40" width="139" src="https://platform.slack-edge.com/img/add_to_slack.png" srcset="https://platform.slack-edge.com/img/add_to_slack.png 1x, https://platform.slack-edge.com/img/add_to_slack@2x.png 2x"></a>
```