Merge pull request #170 from blockful/feat/OAuth_and_Multi-Workspace_support

Feat/o auth and multi workspace support

Author: LeonardoVieira1630

.env.example

@@ -1,54 +1,21 @@
 # Notification System Environment Variables
-# Copy this file to .env and fill in your values
+# Copy this file to .env and configure your settings
 
-# ========================================
-# GraphQL Endpoint (Required for all services)
-# ========================================
+# === REQUIRED CONFIGURATION ===
 ANTICAPTURE_GRAPHQL_ENDPOINT=https://api-gateway-production-0879.up.railway.app/graphql
 
-# ========================================
-# Telegram Configuration
-# ========================================
-# Get your bot token from @BotFather on Telegram
-TELEGRAM_BOT_TOKEN=your-telegram-bot-token-here
+# === NOTIFICATION PLATFORMS ===
+TELEGRAM_BOT_TOKEN=
+SLACK_CLIENT_ID=
+SLACK_CLIENT_SECRET=
+SLACK_REDIRECT_URI=https://your-domain.com/slack/oauth/callback
+SLACK_APP_TOKEN=xapp-
+SLACK_SIGNING_SECRET=
+TOKEN_ENCRYPTION_KEY=  # Generate: openssl rand -hex 32
 
-# ========================================
-# Slack Configuration
-# ========================================
-# Get these from https://api.slack.com/apps after creating your app
-
-# Bot User OAuth Token (starts with xoxb-)
-# From: OAuth & Permissions > Bot User OAuth Token
-SLACK_BOT_TOKEN=xoxb-your-bot-token-here
-
-# App-Level Token for Socket Mode (starts with xapp-)
-# From: Basic Information > App-Level Tokens
-SLACK_APP_TOKEN=xapp-your-app-token-here
-
-# Signing Secret for request verification
-# From: Basic Information > App Credentials > Signing Secret
-SLACK_SIGNING_SECRET=your-signing-secret-here
-
-# Optional: Default channel for notifications (starts with C)
-# Leave empty to use DMs only
-SLACK_CHANNEL_ID=
-
-# ========================================
-# Database Configuration (for local development)
-# ========================================
-# These are set in docker-compose.yml for containerized services
-# Only needed if running services locally outside Docker
+# === LOCAL DEV CONFIGURATION ===
 DATABASE_URL=postgresql://postgres:postgres@localhost:5432/postgres
 RABBITMQ_URL=amqp://admin:admin@localhost:5672
-
-# ========================================
-# Optional: Service Configuration
-# ========================================
-# Subscription server port (default: 3003)
 PORT=3003
-
-# Logic system trigger interval in milliseconds (default: 30000)
-TRIGGER_INTERVAL=30000
-
-# Proposal status to monitor (default: ACTIVE)
+TRIGGER_INTERVAL=30000  # ms
 PROPOSAL_STATUS=ACTIVE

CLAUDE.md

@@ -4,6 +4,13 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
 
 ## Recent Changes
 
+### Slack OAuth Multi-Workspace Support (2025-09-18)
+- OAuth 2.0 flow implementation in Subscription Server (`/slack/install`, `/slack/oauth/callback`)
+- Workspace token storage with AES-256-CBC encryption in `slack_workspaces` table
+- Dynamic token distribution via RabbitMQ messages (bot_token field)
+- Backward compatible with workspace:user ID format (T_DEFAULT for legacy)
+- See `docs/slack-oauth-setup.md` for configuration guide
+
 ### Slack Integration (2025-09-17)
 - Added Socket Mode support for interactive Slack features in Consumer service
 - New service classes: SlackDAOService, SlackWalletService for command handling

Caddyfile

@@ -0,0 +1,12 @@
+# Caddy configuration for local HTTPS development
+# Automatically generates self-signed certificates for localhost
+
+localhost {
+    # Reverse proxy all requests to subscription-server
+    reverse_proxy subscription-server:3003
+    
+    # Caddy automatically handles:
+    # - Self-signed certificate generation
+    # - HTTPS setup
+    # - HTTP/2 support
+}

apps/consumers/src/clients/slack.client.test.ts

@@ -20,12 +20,12 @@ describe('SlackClient', () => {
     mockWebClient = new WebClient() as jest.Mocked<WebClient>;
     (WebClient as unknown as jest.Mock).mockImplementation(() => mockWebClient);
 
-    slackClient = new SlackClient('test-token', 'test-app-token', 'test-signing-secret');
+    slackClient = new SlackClient('test-app-token', 'test-signing-secret');
   });
 
   describe('constructor', () => {
     it('should create client with valid token', () => {
-      expect(new SlackClient('valid-token', 'valid-app-token', 'valid-signing-secret')).toBeInstanceOf(SlackClient);
+      expect(new SlackClient('valid-app-token', 'valid-signing-secret')).toBeInstanceOf(SlackClient);
     });
   });
 
@@ -45,7 +45,7 @@ describe('SlackClient', () => {
 
       (mockWebClient.chat.postMessage as jest.Mock).mockResolvedValue(mockResponse as never);
 
-      const result = await slackClient.sendMessage('C1234567890', 'Test message');
+      const result = await slackClient.sendMessage('C1234567890', 'Test message', { token: 'xoxb-test-token' });
 
       expect(mockWebClient.chat.postMessage).toHaveBeenCalledWith({
         channel: 'C1234567890',
@@ -73,7 +73,7 @@ describe('SlackClient', () => {
 
       (mockWebClient.chat.postMessage as jest.Mock).mockResolvedValue(mockResponse as never);
 
-      await slackClient.sendMessage('C1234567890', 'Check [this link](https://example.com)');
+      await slackClient.sendMessage('C1234567890', 'Check [this link](https://example.com)', { token: 'xoxb-test-token' });
 
       expect(mockWebClient.chat.postMessage).toHaveBeenCalledWith({
         channel: 'C1234567890',
@@ -95,7 +95,7 @@ describe('SlackClient', () => {
 
       (mockWebClient.chat.postMessage as jest.Mock).mockResolvedValue(mockResponse as never);
 
-      await slackClient.sendMessage('C1234567890', 'This is **bold** text');
+      await slackClient.sendMessage('C1234567890', 'This is **bold** text', { token: 'xoxb-test-token' });
 
       expect(mockWebClient.chat.postMessage).toHaveBeenCalledWith({
         channel: 'C1234567890',
@@ -118,6 +118,7 @@ describe('SlackClient', () => {
       (mockWebClient.chat.postMessage as jest.Mock).mockResolvedValue(mockResponse as never);
 
       await slackClient.sendMessage('C1234567890', 'Test message', {
+        token: 'xoxb-test-token',
         parse: 'full',
         link_names: false,
         unfurl_links: true,
@@ -155,20 +156,20 @@ describe('SlackClient', () => {
     });
 
     it('should always initialize with Socket Mode', () => {
-      const client = new SlackClient('xoxb-token', 'xapp-token', 'signing-secret');
+      const client = new SlackClient('xapp-token', 'signing-secret');
 
       expect(App).toHaveBeenCalledWith({
-        token: 'xoxb-token',
         appToken: 'xapp-token',
         signingSecret: 'signing-secret',
         socketMode: true,
-        processBeforeResponse: true
+        processBeforeResponse: true,
+        authorize: expect.any(Function)
       });
     });
 
 
     it('should setup command handlers', () => {
-      const client = new SlackClient('xoxb-token', 'xapp-token', 'signing-secret');
+      const client = new SlackClient('xapp-token', 'signing-secret');
 
       client.setupHandlers?.((handlers) => {
         handlers.command('/test', async (ctx) => {
@@ -180,7 +181,7 @@ describe('SlackClient', () => {
     });
 
     it('should setup action handlers', () => {
-      const client = new SlackClient('xoxb-token', 'xapp-token', 'signing-secret');
+      const client = new SlackClient('xapp-token', 'signing-secret');
 
       client.setupHandlers?.((handlers) => {
         handlers.action('button_click', async (ctx) => {
@@ -192,15 +193,15 @@ describe('SlackClient', () => {
     });
 
     it('should launch the Bolt app', async () => {
-      const client = new SlackClient('xoxb-token', 'xapp-token', 'signing-secret');
+      const client = new SlackClient('xapp-token', 'signing-secret');
 
       await client.launch?.();
 
       expect(mockBoltApp.start).toHaveBeenCalled();
     });
 
     it('should stop the Bolt app', () => {
-      const client = new SlackClient('xoxb-token', 'xapp-token', 'signing-secret');
+      const client = new SlackClient('xapp-token', 'signing-secret');
 
       client.stop?.('SIGTERM');
 

apps/consumers/src/clients/slack.client.ts

@@ -21,40 +21,49 @@ import {
 } from '../interfaces/slack-context.interface';
 
 export class SlackClient implements SlackClientInterface {
-  private client: WebClient;
   private boltApp: App;
   private sessionStorage: SlackSessionStorage;
 
   constructor(
-    token: string,
     appToken: string,
     signingSecret: string
   ) {
-    this.client = new WebClient(token);
-
     // Initialize session storage
     this.sessionStorage = new InMemorySessionStorage();
 
     // Initialize Bolt app with Socket Mode
+    // For OAuth multi-workspace support, we use an authorize function
+    // that returns empty credentials since we handle tokens per-message
     this.boltApp = new App({
-      token,
       appToken,
       signingSecret,
       socketMode: true,
-      processBeforeResponse: true
+      processBeforeResponse: true,
+      authorize: async () => {
+        return {
+          botToken: '', 
+          botId: 'oauth-bot',
+          botUserId: 'oauth-bot-user'
+        };
+      }
     });
-    console.log('✅ Slack client initialized with Socket Mode support');
+    console.log('✅ Slack client initialized with Socket Mode support (OAuth mode)');
   }
 
   async sendMessage(
     channel: string,
     text: string,
     options?: SlackSendMessageOptions
   ): Promise<SlackMessage> {
+    if (!options?.token) {
+      throw new Error('Slack notification requires workspace OAuth token. No token provided in message options.');
+    }
+
     // Convert markdown to Slack mrkdwn format
     const slackText = this.convertMarkdownToSlackFormat(text);
+    const clientToUse = new WebClient(options.token);
 
-    const result = await this.client.chat.postMessage({
+    const result = await clientToUse.chat.postMessage({
       channel,
       text: slackText,
       parse: options?.parse || 'none',

apps/consumers/src/config/env.ts

@@ -7,12 +7,11 @@ import { z } from 'zod';
 import * as dotenv from 'dotenv';
 
 const envSchema = z.object({
-  TELEGRAM_BOT_TOKEN: z.string().min(1, "Telegram bot token is required"),
-  SLACK_BOT_TOKEN: z.string().min(1, "Slack bot token is required"),
-  SLACK_APP_TOKEN: z.string().min(1, "Slack app token is required for Socket Mode"),
-  SLACK_SIGNING_SECRET: z.string().min(1, "Slack signing secret is required for request verification"),
+  TELEGRAM_BOT_TOKEN: z.string(),
+  SLACK_APP_TOKEN: z.string(),
+  SLACK_SIGNING_SECRET: z.string(),
   ANTICAPTURE_GRAPHQL_ENDPOINT: z.string().url("ANTICAPTURE_GRAPHQL_ENDPOINT must be a valid URL"),
-  SUBSCRIPTION_SERVER_URL: z.string().min(1, "Subscription server URL is required"),
+  SUBSCRIPTION_SERVER_URL: z.string(),
   RABBITMQ_URL: z.string().url(),
 });
 
@@ -22,7 +21,6 @@ export function loadConfig() {
 
   return {
     telegramBotToken: env.TELEGRAM_BOT_TOKEN,
-    slackBotToken: env.SLACK_BOT_TOKEN,
     slackAppToken: env.SLACK_APP_TOKEN,
     slackSigningSecret: env.SLACK_SIGNING_SECRET,
     anticaptureGraphqlEndpoint: env.ANTICAPTURE_GRAPHQL_ENDPOINT,

apps/consumers/src/index.ts

@@ -26,7 +26,6 @@ const telegramClient = new TelegramClient(config.telegramBotToken);
 
 // Create Slack client 
 const slackClient = new SlackClient(
-  config.slackBotToken,
   config.slackAppToken,
   config.slackSigningSecret
 );

apps/consumers/src/interfaces/notification.interface.ts

@@ -8,6 +8,7 @@ export interface NotificationPayload {
   channel: string;
   channelUserId: string | number;
   message: string;
+  bot_token?: string; // Optional bot token for multi-workspace
   metadata?: {
     addresses?: Record<string, string>; // key: placeholder name, value: ethereum address
     transaction?: {

apps/consumers/src/interfaces/slack-client.interface.ts

@@ -13,6 +13,7 @@ export interface SlackSendMessageOptions {
   mrkdwn?: boolean;
   blocks?: any[];
   attachments?: any[];
+  token?: string; // Optional token for multi-workspace support
 }
 
 export interface SlackMessage {

apps/consumers/src/services/bot/slack-bot.service.test.ts

@@ -40,8 +40,9 @@ describe('SlackBotService', () => {
     const mockPayload: NotificationPayload = {
       userId: 'user123',
       channel: 'slack',
-      channelUserId: 'U1234567890',
-      message: 'Test notification message'
+      channelUserId: 'T_WORKSPACE:U1234567890',
+      message: 'Test notification message',
+      bot_token: 'xoxb-test-workspace-token'
     };
 
     beforeEach(() => {
@@ -59,6 +60,7 @@ describe('SlackBotService', () => {
         'U1234567890',
         'Test notification message',
         {
+          token: 'xoxb-test-workspace-token',
           mrkdwn: true,
           unfurl_links: false
         }
@@ -71,6 +73,7 @@ describe('SlackBotService', () => {
       const payloadWithTx: NotificationPayload = {
         ...mockPayload,
         message: 'New proposal created!\n\n{{txLink}}',
+        bot_token: 'xoxb-test-workspace-token',
         metadata: {
           transaction: {
             hash: '0x123abc',
@@ -87,6 +90,7 @@ describe('SlackBotService', () => {
         'U1234567890',
         'New proposal created!\n\n<https://etherscan.io/tx/0x123abc|Transaction details>',
         {
+          token: 'xoxb-test-workspace-token',
           mrkdwn: true,
           unfurl_links: false
         }
@@ -96,7 +100,8 @@ describe('SlackBotService', () => {
     it('should remove transaction link placeholder when no transaction metadata', async () => {
       const payloadWithTx: NotificationPayload = {
         ...mockPayload,
-        message: 'New proposal created!\n\n{{txLink}}'
+        message: 'New proposal created!\n\n{{txLink}}',
+        bot_token: 'xoxb-test-workspace-token'
       };
 
       await slackBotService.sendNotification(payloadWithTx);
@@ -105,6 +110,7 @@ describe('SlackBotService', () => {
         'U1234567890',
         'New proposal created!',
         {
+          token: 'xoxb-test-workspace-token',
           mrkdwn: true,
           unfurl_links: false
         }
@@ -115,6 +121,7 @@ describe('SlackBotService', () => {
       const payloadWithAddresses: NotificationPayload = {
         ...mockPayload,
         message: 'Proposal by {{proposer}} in {{dao}}',
+        bot_token: 'xoxb-test-workspace-token',
         metadata: {
           addresses: {
             proposer: '0x742d35Cc6634C0532925a3b8D76be9D5B65F6a',
@@ -136,6 +143,7 @@ describe('SlackBotService', () => {
         'U1234567890',
         'Proposal by alice.eth in coolDAO.eth',
         {
+          token: 'xoxb-test-workspace-token',
           mrkdwn: true,
           unfurl_links: false
         }
@@ -146,6 +154,7 @@ describe('SlackBotService', () => {
       const complexPayload: NotificationPayload = {
         ...mockPayload,
         message: 'New proposal by {{proposer}}!\n\n{{txLink}}',
+        bot_token: 'xoxb-test-workspace-token',
         metadata: {
           addresses: {
             proposer: '0x742d35Cc6634C0532925a3b8D76be9D5B65F6a'
@@ -166,6 +175,7 @@ describe('SlackBotService', () => {
         'U1234567890',
         'New proposal by alice.eth!\n\n<https://etherscan.io/tx/0x123abc|Transaction details>',
         {
+          token: 'xoxb-test-workspace-token',
           mrkdwn: true,
           unfurl_links: false
         }