Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
@slack/oauth
Advanced tools
The @slack/oauth
package makes it simple to setup the OAuth flow for Slack apps. It supports V2 OAuth for Slack Apps as well as V1 OAuth for Classic Slack apps. Slack apps that are installed in multiple workspaces, like in the App Directory or in an Enterprise Grid, will need to implement OAuth and store information about each of those installations (such as access tokens).
The package handles URL generation, state verification, and authorization code exchange for access tokens. It also provides an interface for easily plugging in your own database for saving and retrieving installation data.
$ npm install @slack/oauth
These examples show how to get started using the most common features. You'll find more extensive documentation on the package's website.
Before building an app, you'll need to create a Slack app and install it to your development workspace. You'll also need to copy the Client ID and Client Secret given to you by Slack under the Basic Information of your app configuration.
It may be helpful to read the tutorials on getting started and getting a public URL that can be used for development.
This package exposes an InstallProvider
class, which sets up the required configuration and exposes methods such as generateInstallUrl
, handleCallback
, authorize
for use within your apps. At a minimum, InstallProvider
takes a clientId
and clientSecret
(both which can be obtained under the Basic Information of your app configuration). InstallProvider
also requires a stateSecret
, which is used to encode the generated state, and later used to decode that same state to verify it wasn't tampered with during the OAuth flow. Note: This example is not ready for production because it only stores installations (tokens) in memory. Please go to the storing installations in a database section to learn how to plug in your own database.
const { InstallProvider } = require('@slack/oauth');;
// initialize the installProvider
const installer = new InstallProvider({
clientId: process.env.SLACK_CLIENT_ID,
clientSecret: process.env.SLACK_CLIENT_SECRET,
stateSecret: 'my-state-secret'
});
const { InstallProvider } = require('@slack/oauth');;
// initialize the installProvider
const installer = new InstallProvider({
clientId: process.env.SLACK_CLIENT_ID,
clientSecret: process.env.SLACK_CLIENT_SECRET,
stateSecret: 'my-state-secret',
authVersion: 'v1' //required for classic Slack apps
});
You'll need an installation URL when you want to test your own installation, in order to submit your app to the App Directory, and if you need an additional authorizations (user tokens) from users inside a team when your app is already installed. These URLs are also commonly used on your own webpages as the link for an "Add to Slack" button. You may also need to generate an installation URL dynamically when an option's value is only known at runtime, and in this case you would redirect the user to the installation URL.
The installProvider.generateInstallUrl()
method will create an installation URL for you. It takes in an options argument which at a minimum contains a scopes
property. installProvider.generateInstallUrl()
options argument also supports metadata
, teamId
, redirectUri
and userScopes
properties.
installer.generateInstallUrl({
// Add the scopes your app needs
scopes: ['channels:read']
})
You might want to present an "Add to Slack" button while the user is in the middle of some other tasks (e.g. linking their Slack account to your service). In these situations, you want to bring the user back to where they left off after the app installation is complete. Custom metadata can be used to capture partial (incomplete) information about the task (like which page they were on or inputs to form elements the user began to fill out) in progress. Then when the installation is complete, that custom metadata will be available for your app to recreate exactly where they left off. You must also use a custom success handler when handling the OAuth redirect to read the custom metadata after the installation is complete.
installer.generateInstallUrl({
// Add the scopes your app needs
scopes: ['channels:read'],
metadata: JSON.stringify({some:'sessionState'})
})
Note: custom metadata is visible to the user, so don't store any secret information in the metadata. The installation provider will ensure that none of the metadata has been tampered with when the user returns. To change how metadata is handled, including hiding it from users, read about using a custom state store.
After the user approves the request to install your app (and grants access to the required permissions), Slack will redirect the user to your specified redirect url. You can either set the redirect url in the app’s OAuth and Permissions page or pass a redirectUri
when calling installProvider.generateInstallUrl
. Your HTTP server should handle requests to the redirect URL by calling the installProvider.handleCallback()
method. The first two arguments (req
, res
) to installProvider.handleCallback
are required. By default, if the installation is successful the user will be redirected back to your App Home in Slack (or redirected back to the last open workspace in your slack app for classic Slack apps). If the installation is not successful the user will be shown an error page.
const { createServer } = require('http');
const server = createServer((req, res) => {
// our redirect_uri is /slack/oauth_redirect
if (req.url === '/slack/oauth_redirect') {
// call installer.handleCallback to wrap up the install flow
installer.handleCallback(req, res);
}
})
server.listen(3000);
You can easily use installer.handleCallback
within an Express app by setting up a route for the OAuth redirect.
app.get('/slack/oauth_redirect', (req, res) => {
installer.handleCallback(req, res);
});
If you decide you need custom success or failure behaviors (ex: wanting to show a page on your site with instructions on how to use the app), you can pass in your own success/failure functions.
const callbackOptions = {
success: (installation, metadata, req, res) => {
// Do custom success logic here
// tip: you can add javascript and css in the htmlResponse using the <script> and <style> tags
const htmlResponse = `<html><body>Success!</body></html>`
res.writeHead(200, { 'Content-Type': 'text/html' });
res.end(htmlResponse);
},
failure: (error, installOptions , req, res) => {
// Do custom failure logic here
res.writeHead(500, { 'Content-Type': 'text/html' });
res.end('<html><body><h1>Oops, Something Went Wrong! Please Try Again or Contact the App Owner</h1></body></html>');
}
}
app.get('/slack/oauth_redirect', (req, res) => {
installer.handleCallback(req, res, callbackOptions);
});
Although this package uses a default MemoryInstallationStore
, it isn't recommended for production use since the access tokens it stores would be lost when the process terminates or restarts. Instead, InstallProvider
has an option for supplying your own installation store, which is used to save and retrieve install information (like tokens) to your own database.
An installation store is an object that provides two methods: storeInstallation
and fetchInstallation
. storeInstallation
takes an installation
as an argument, which is an object that contains all installation related data (like tokens, teamIds, enterpriseIds, etc). fetchInstallation
takes in a installQuery
, which is used to query the database. The installQuery
can contain teamId
, enterpriseId
, userId
, and conversationId
.
In the following example, the installationStore
option is used and the object is defined in line. The required methods are implemented by calling an example database library with simple get and set operations.
const installer = new InstallProvider({
clientId: process.env.SLACK_CLIENT_ID,
clientSecret: process.env.SLACK_CLIENT_SECRET,
stateSecret: 'my-state-secret',
installationStore: {
// takes in an installation object as an argument
// returns nothing
storeInstallation: (installation) => {
// replace myDB.set with your own database or OEM setter
myDB.set(installation.team.id, installation);
return;
},
// takes in an installQuery as an argument
// installQuery = {teamId: 'string', enterpriseId: 'string', userId: string, conversationId: 'string'};
// returns installation object from database
fetchInstallation: (installQuery) => {
// replace myDB.get with your own database or OEM getter
return myDB.get(installQuery.teamId);
},
},
});
You can use the the installationProvider.authorize()
function to fetch data that has been saved in your installation store.
// installer.authorize takes in an installQuery as an argument
// installQuery = {teamId: 'string', enterpriseId: 'string', userId: string, conversationId: 'string'};
const result = installer.installationStore.fetchInstallation({teamId:'my-team-ID', enterpriseId:'my-enterprise-ID'});
/*
result = {
botToken: '',
userToken: '',
botId: '',
botUserId: '',
}
*/
The installer.authorize()
method only returns a subset of the installation data returned by the installation store. To fetch the entire saved installation, use the installer.installationStore.fetchInstallation()
method.
// installer.installationStore.fetchInstallation takes in an installQuery as an argument
// installQuery = {teamId: 'string', enterpriseId: 'string', userId: string, conversationId: 'string'};
// returns an installation object
const result = installer.installationStore.fetchInstallation({teamId:'my-Team-ID'});
A state store handles generating the OAuth state
parameter in the installation URL for a given set of options, and verifying the state
in the OAuth callback and returning those same options.
The default state store, ClearStateStore
, does not use any storage. Instead, it signs the options (using the stateSecret
) and encodes them along with a signature into state
. Later during the OAuth callback, it verifies the signature.
If you want to conceal the metadata
used in the installation URL options you will need to store state
on your server (in a database) by providing a custom state store. A custom state implements two methods: generateStateParam()
and verifyStateParam()
. When you instantiate the InstallProvider
use the stateStore
option to set your custom state store. And when using the custom state store, you no longer need to use the stateSecret
option.
const installer = new InstallProvider({
clientId: process.env.SLACK_CLIENT_ID,
clientSecret: process.env.SLACK_CLIENT_SECRET,
stateStore: {
// generateStateParam's first argument is the entire InstallUrlOptions object which was passed into generateInstallUrl method
// the second argument is a date object
// the method is expected to return a string representing the state
generateStateParam: (installUrlOptions, date) => {
// generate a random string to use as state in the URL
const randomState = randomStringGenerator();
// save installOptions to cache/db
myDB.set(randomState, installUrlOptions);
// return a state string that references saved options in DB
return randomState;
},
// verifyStateParam's first argument is a date object and the second argument is a string representing the state
// verifyStateParam is expected to return an object representing installUrlOptions
verifyStateParam: (date, state) => {
// fetch saved installOptions from DB using state reference
const installUrlOptions = myDB.get(randomState);
return installUrlOptions;
}
},
});
The InstallProvider
will log interesting information to the console by default. You can use the logLevel
to decide how
much information, or how interesting the information needs to be, in order for it to be output. There are a few possible
log levels, which you can find in the LogLevel
export. By default, the value is set to LogLevel.INFO
. While you're
in development, its sometimes helpful to set this to the most verbose: LogLevel.DEBUG
.
// Import LogLevel from the package
const { InstallProvider, LogLevel } = require('@slack/oauth');
// Log level is one of the options you can set in the constructor
const installer = new InstallProvider({
clientId: process.env.SLACK_CLIENT_ID,
clientSecret: process.env.SLACK_CLIENT_SECRET,
stateSecret: 'my-state-secret',
logLevel: LogLevel.DEBUG,
});
All the log levels, in order of most to least information are: DEBUG
, INFO
, WARN
, and ERROR
.
You can also choose to have logs sent to a custom logger using the logger
option. A custom logger needs to implement
specific methods (known as the Logger
interface):
Method | Parameters | Return type |
---|---|---|
setLevel() | level: LogLevel | void |
setName() | name: string | void |
debug() | ...msgs: any[] | void |
info() | ...msgs: any[] | void |
warn() | ...msgs: any[] | void |
error() | ...msgs: any[] | void |
A very simple custom logger might ignore the name and level, and write all messages to a file.
const { createWriteStream } = require('fs');
const logWritable = createWriteStream('/var/my_log_file'); // Not shown: close this stream
const installer = new InstallProvider({
clientId: process.env.SLACK_CLIENT_ID,
clientSecret: process.env.SLACK_CLIENT_SECRET,
stateSecret: 'my-state-secret',
// Creating a logger as a literal object. It's more likely that you'd create a class.
logger: {
debug(...msgs): { logWritable.write('debug: ' + JSON.stringify(msgs)); },
info(...msgs): { logWritable.write('info: ' + JSON.stringify(msgs)); },
warn(...msgs): { logWritable.write('warn: ' + JSON.stringify(msgs)); },
error(...msgs): { logWritable.write('error: ' + JSON.stringify(msgs)); },
setLevel(): { },
setName(): { },
},
});
This package supports Node v10 LTS and higher. It's highly recommended to use the latest LTS version of node, and the documentation is written using syntax and features from that version.
If you get stuck, we're here to help. The following are the best ways to get assistance working through your issue:
developers@slack.com
FAQs
Official library for interacting with Slack's Oauth endpoints
The npm package @slack/oauth receives a total of 350,170 weekly downloads. As such, @slack/oauth popularity was classified as popular.
We found that @slack/oauth demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 11 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.