slack-status-cli/auth.go

package main

import (
	"context"
	"crypto/tls"
	_ "embed"
	"errors"
	"fmt"
	"log"
	"net/http"
	"strings"
	"time"

	"github.com/slack-go/slack"
)

var (
	// These are set via build flags but can be overridden via environment variables.
	defaultClientID     = ""
	defaultClientSecret = ""

	//go:embed "certs/cert.pem"
	certPem []byte
	//go:embed "certs/key.pem"
	keyPem []byte
)

const (
	httpReadTimeout  = 5 * time.Second
	httpWriteTimeout = 10 * time.Second
	httpIdleTimeout  = 120 * time.Second
)

type slackApp struct {
	clientID, clientSecret, redirectURI string
	scopes, userScopes                  []string
	listenHost, listenPath              string
}

func (app slackApp) getAuthURL() string {
	scopes := strings.Join(app.scopes, ",")
	userScopes := strings.Join(app.userScopes, ",")

	return fmt.Sprintf(
		"https://slack.com/oauth/authorize?scope=%s&user_scope=%s&client_id=%s&redirect_uri=%s",
		scopes,
		userScopes,
		app.clientID,
		app.redirectURI,
	)
}

func (app slackApp) listenForCode() (string, error) {
	// start an http listener and listen for the redirect and return the code from params
	var code string

	certPath, err := getConfigFilePath("cert.pem")
	if err != nil {
		return "", fmt.Errorf("failed checking config path for cert: %w", err)
	}

	keyPath, err := getConfigFilePath("key.pem")
	if err != nil {
		return "", fmt.Errorf("failed checking config path for key: %w", err)
	}

	tlsCfg := &tls.Config{
		MinVersion: tls.VersionTLS12,
	}

	// If config files don't exist, use embedded
	if !fileExists(certPath) && !fileExists(keyPath) {
		cert, err := tls.X509KeyPair(certPem, keyPem)
		if err != nil {
			return "", fmt.Errorf("failed loading embedded key pair: %w", err)
		}

		tlsCfg.Certificates = make([]tls.Certificate, 1)
		tlsCfg.Certificates[0] = cert

		// Empty out paths since they don't exist so embedded certs will be used
		certPath = ""
		keyPath = ""
	}

	// Also, should generate TLS certificate to use since https is a required scheme
	server := http.Server{
		Addr:         app.listenHost,
		ReadTimeout:  httpReadTimeout,
		WriteTimeout: httpWriteTimeout,
		IdleTimeout:  httpIdleTimeout,
		TLSConfig:    tlsCfg,
	}

	http.HandleFunc(app.listenPath, func(w http.ResponseWriter, r *http.Request) {
		codes := r.URL.Query()["code"]
		if len(codes) == 0 {
			log.Fatal("no oauth code found in response")
		}

		code = codes[0]
		fmt.Fprintf(w, "Got code %s", code)

		// Shutdown after response
		go func() {
			if err := server.Shutdown(context.Background()); err != nil {
				fmt.Println("Fatal?")
				log.Fatal(err)
			}
		}()
	})

	if err := server.ListenAndServeTLS(certPath, keyPath); err != nil && !errors.Is(err, http.ErrServerClosed) {
		return "", err
	}

	return code, nil
}

func authenticate() (string, error) {
	app := slackApp{
		userScopes:   []string{"dnd:write", "users.profile:write", "team:read"},
		scopes:       []string{"dnd:write", "users.profile:write", "team:read"},
		clientID:     getEnvOrDefault("CLIENT_ID", defaultClientID),
		clientSecret: getEnvOrDefault("CLIENT_SECRET", defaultClientSecret),
		redirectURI:  "https://localhost:8888/auth",
		listenHost:   "localhost:8888",
		listenPath:   "/auth",
	}

	fmt.Println("To authenticate, go to the following URL:")
	fmt.Println("NOTE: After you authenticate with Slack, it will redirect you to a server running on your local computer. Your browser will present a security error because it cann't verify the server. You will need to manually add an exception or tell your browser to proceed anyway.")
	fmt.Println(app.getAuthURL())

	code, err := app.listenForCode()
	if err != nil {
		return "", err
	}

	accessToken, _, err := slack.GetOAuthToken(&http.Client{}, app.clientID, app.clientSecret, code, app.redirectURI)
	if err != nil {
		return "", err
	}

	return accessToken, nil
}
Working oauth flow 2021-01-06 18:44:29 +00:00			`package main`

			`import (`
			`"context"`
Add embedded certificates Removes runtime requirement on openssl Fixes #1 2021-02-16 22:16:45 +00:00			`"crypto/tls"`
			`_ "embed"`
Working oauth flow 2021-01-06 18:44:29 +00:00			`"errors"`
			`"fmt"`
			`"log"`
			`"net/http"`
			`"strings"`
Auto-generate self-signed certs 2021-01-07 17:19:56 +00:00			`"time"`
Working oauth flow 2021-01-06 18:44:29 +00:00
			`"github.com/slack-go/slack"`
			`)`

			`var (`
Update linting 2021-02-09 18:20:38 +00:00			`// These are set via build flags but can be overridden via environment variables.`
Working oauth flow 2021-01-06 18:44:29 +00:00			`defaultClientID = ""`
			`defaultClientSecret = ""`
Add embedded certificates Removes runtime requirement on openssl Fixes #1 2021-02-16 22:16:45 +00:00
			`//go:embed "certs/cert.pem"`
			`certPem []byte`
			`//go:embed "certs/key.pem"`
			`keyPem []byte`
Working oauth flow 2021-01-06 18:44:29 +00:00			`)`

Update linting 2021-02-09 18:20:38 +00:00			`const (`
			`httpReadTimeout = 5 * time.Second`
			`httpWriteTimeout = 10 * time.Second`
			`httpIdleTimeout = 120 * time.Second`
			`)`

Working oauth flow 2021-01-06 18:44:29 +00:00			`type slackApp struct {`
			`clientID, clientSecret, redirectURI string`
			`scopes, userScopes []string`
			`listenHost, listenPath string`
			`}`

			`func (app slackApp) getAuthURL() string {`
			`scopes := strings.Join(app.scopes, ",")`
			`userScopes := strings.Join(app.userScopes, ",")`

			`return fmt.Sprintf(`
			`"https://slack.com/oauth/authorize?scope=%s&user_scope=%s&client_id=%s&redirect_uri=%s",`
			`scopes,`
			`userScopes,`
			`app.clientID,`
			`app.redirectURI,`
			`)`
			`}`

			`func (app slackApp) listenForCode() (string, error) {`
			`// start an http listener and listen for the redirect and return the code from params`
			`var code string`

Add embedded certificates Removes runtime requirement on openssl Fixes #1 2021-02-16 22:16:45 +00:00			`certPath, err := getConfigFilePath("cert.pem")`
			`if err != nil {`
			`return "", fmt.Errorf("failed checking config path for cert: %w", err)`
			`}`

			`keyPath, err := getConfigFilePath("key.pem")`
			`if err != nil {`
			`return "", fmt.Errorf("failed checking config path for key: %w", err)`
			`}`

			`tlsCfg := &tls.Config{`
			`MinVersion: tls.VersionTLS12,`
			`}`

			`// If config files don't exist, use embedded`
			`if !fileExists(certPath) && !fileExists(keyPath) {`
			`cert, err := tls.X509KeyPair(certPem, keyPem)`
			`if err != nil {`
			`return "", fmt.Errorf("failed loading embedded key pair: %w", err)`
			`}`

			`tlsCfg.Certificates = make([]tls.Certificate, 1)`
			`tlsCfg.Certificates[0] = cert`

Fix typo 2021-02-17 18:24:34 +00:00			`// Empty out paths since they don't exist so embedded certs will be used`
Add embedded certificates Removes runtime requirement on openssl Fixes #1 2021-02-16 22:16:45 +00:00			`certPath = ""`
			`keyPath = ""`
			`}`

Working oauth flow 2021-01-06 18:44:29 +00:00			`// Also, should generate TLS certificate to use since https is a required scheme`
Auto-generate self-signed certs 2021-01-07 17:19:56 +00:00			`server := http.Server{`
			`Addr: app.listenHost,`
Update linting 2021-02-09 18:20:38 +00:00			`ReadTimeout: httpReadTimeout,`
			`WriteTimeout: httpWriteTimeout,`
			`IdleTimeout: httpIdleTimeout,`
Add embedded certificates Removes runtime requirement on openssl Fixes #1 2021-02-16 22:16:45 +00:00			`TLSConfig: tlsCfg,`
Auto-generate self-signed certs 2021-01-07 17:19:56 +00:00			`}`
Working oauth flow 2021-01-06 18:44:29 +00:00
			`http.HandleFunc(app.listenPath, func(w http.ResponseWriter, r *http.Request) {`
			`codes := r.URL.Query()["code"]`
			`if len(codes) == 0 {`
			`log.Fatal("no oauth code found in response")`
			`}`

			`code = codes[0]`
			`fmt.Fprintf(w, "Got code %s", code)`

			`// Shutdown after response`
			`go func() {`
			`if err := server.Shutdown(context.Background()); err != nil {`
			`fmt.Println("Fatal?")`
			`log.Fatal(err)`
			`}`
			`}()`
			`})`

Auto-generate self-signed certs 2021-01-07 17:19:56 +00:00			`if err := server.ListenAndServeTLS(certPath, keyPath); err != nil && !errors.Is(err, http.ErrServerClosed) {`
Working oauth flow 2021-01-06 18:44:29 +00:00			`return "", err`
			`}`

			`return code, nil`
			`}`

			`func authenticate() (string, error) {`
			`app := slackApp{`
Add ability to support multiple workspaces Adds a new perm to allow fetching the workspace domain 2021-02-02 19:57:39 +00:00			`userScopes: []string{"dnd:write", "users.profile:write", "team:read"},`
			`scopes: []string{"dnd:write", "users.profile:write", "team:read"},`
Working oauth flow 2021-01-06 18:44:29 +00:00			`clientID: getEnvOrDefault("CLIENT_ID", defaultClientID),`
			`clientSecret: getEnvOrDefault("CLIENT_SECRET", defaultClientSecret),`
Auto-generate self-signed certs 2021-01-07 17:19:56 +00:00			`redirectURI: "https://localhost:8888/auth",`
Working oauth flow 2021-01-06 18:44:29 +00:00			`listenHost: "localhost:8888",`
			`listenPath: "/auth",`
			`}`

			`fmt.Println("To authenticate, go to the following URL:")`
Auto-generate self-signed certs 2021-01-07 17:19:56 +00:00			`fmt.Println("NOTE: After you authenticate with Slack, it will redirect you to a server running on your local computer. Your browser will present a security error because it cann't verify the server. You will need to manually add an exception or tell your browser to proceed anyway.")`
Working oauth flow 2021-01-06 18:44:29 +00:00			`fmt.Println(app.getAuthURL())`

			`code, err := app.listenForCode()`
			`if err != nil {`
			`return "", err`
			`}`

			`accessToken, _, err := slack.GetOAuthToken(&http.Client{}, app.clientID, app.clientSecret, code, app.redirectURI)`
			`if err != nil {`
			`return "", err`
			`}`

			`return accessToken, nil`
			`}`