0.1.0 • Published 2 years ago

@robotsandpencils/express-oauth v0.1.0

Weekly downloads
-
License
MIT
Repository
github
Last release
2 years ago

express-oauth

tests Coverage Status

@robotsandpencils/express-oauth is an express middleware for mitigating CSRF attacks in OAuth 2.0 flows. It is not intended to be used on it's own. Examples follow for leveraging this package to produce more specific OAuth middleware.

Usage

npm install --save @robotsandpencils/express-oauth
const { ExpressOAuth } = require('@robotsandpencils/express-oauth')
const { App, ExpressReceiver } = require('@slack/bolt')
const { WebClient } = require('@slack/web-api')
const qs = require('qs')

const { makeState, verifyState } = new ExpressOAuth({
  secret: process.env.OAUTH_SECRET, // minimum 256 bit string (i.e. 32 char utf8 string)
})

const receiver = new ExpressReceiver({
  signingSecret: process.env.SLACK_SIGNING_SECRET,
})
const app = receiver.app
const bolt = new App({
  receiver,
  authorize: async (ctx) => { /* ... */ },
  convoStore: false,
})

const authorizePath = '/slack/install/authorize'
const verifyPath = '/slack/install/verify'

app.get(authorizePath, async (req, res, next) => {
  const { synchronizer } = await makeState(req, res)
  const queryObject = {
    client_id: process.env.SLACK_CLIENT_ID,
    response_type: 'code',
    response_mode: 'query',
    redirect_uri: `https://${req.get('host')}${verifyPath}`,
    scope: ['app_mentions:read', 'chat:write', 'commands', 'users:read'],
    state: synchronizer,
  }

  const query = qs.stringify(queryObject)
  const redirectURL = `https://slack.com/oauth/v2/authorize?${query}`

  /*
    * NOTE that this redirects the client to Slack immediately because
    * the OAuth flow is time sensitive (only valid for 3 minutes in this example)
    */
  const htmlResponse = '<html>' +
    `\n<meta http-equiv="refresh" content="0; URL=${redirectURL}">` +
    '\n<body>' +
    '\n  <h1>Success! Redirecting to the Slack App...</h1>' +
    `\n  <button onClick="window.location = '${redirectURL}'">Click here to redirect</button>` +
    '\n</body></html>'
  res.writeHead(200, { 'Content-Type': 'text/html' })
  res.end(htmlResponse)
})

app.get(verifyPath, async (req, res, next) => {
  await verifyState(req, res)
  const tokenRes = await new WebClient()
    .oauth.v2.access({
      code: req.query.code,
      client_id: slackClientId,
      client_secret: slackClientSecret,
      redirect_uri: `https://${req.get('host')}${verifyPath}`,
    })

  const testRes = await new WebClient(tokenRes.access_token)
          .auth.test()

  // save user and team data to a database

  const redirectURL = `slack://app?team=${team.id}&id=${team.appId}`
  const htmlResponse = '<html>' +
    `\n<meta http-equiv="refresh" content="0; URL=${redirectURL}">` +
    '\n<body>' +
    '\n  <h1>Success! Redirecting to the Slack App...</h1>' +
    `\n  <button onClick="window.location = '${redirectURL}'">Click here to redirect</button>` +
    `\n  <a href="${installPath}">Install again</a>`
  '\n</body></html>'
  res.writeHead(200, { 'Content-Type': 'text/html' })
  res.end(htmlResponse)
})

app.listen('3000')
expressoauthmiddleware
@polyn/blueprint@polyn/immutablecookiejsonwebtoken
@infinitebrahmanuniverse/nolb-_rob@everything-registry/sub-chunk-786@zalastax/nolb-_rob
0.1.0

2 years ago