fix: keep oauth picker on gateway origin

Author: osolmaz

docs/2026-04-25-react-management-ui-migration-plan.md

@@ -148,19 +148,28 @@ Target flow:
 2. React links to gateway: `/slack-gateway/slack/install`.
 3. Gateway redirects to Slack OAuth.
 4. Slack calls gateway callback: `/slack-gateway/slack/oauth/callback`.
-5. If target selection is needed, gateway redirects to React:
-   `/settings/slack/install/select`.
+5. If target selection is needed and gateway APIs are same-origin/proxied with
+   React, gateway redirects to React: `/settings/slack/install/select`.
 6. React fetches selection data from gateway JSON and submits the selected
    opaque target payload back to gateway JSON.
-7. Gateway upserts the install and redirects to React result:
+7. If target selection is needed but the gateway and React are different
+   origins, gateway renders the minimal target picker itself so its HTTP-only
+   pending-state cookie remains readable by the gateway.
+8. Gateway upserts the install and redirects to React result:
    `/settings/slack/install/result?...`.
-8. React renders the result page.
+9. React renders the result page.
 
 The opaque OAuth state stays gateway-owned. The callback stores pending
 selection state in a short-lived, HTTP-only gateway cookie scoped to the
 selection API. React must not receive, parse, or forward Slack token material
 or encrypted OAuth state in the URL.
 
+Exception: when the gateway public URL and the Spritz React URL are different
+origins and there is no same-origin `/slack-gateway` proxy, that HTTP-only
+gateway cookie cannot be sent by browser calls from the React origin. In that
+case the gateway must keep the target picker on the gateway origin as a minimal
+protocol fallback. Same-origin/proxied deployments should use the React picker.
+
 ## Migration Phases
 
 ### Phase 1: JSON API parity

integrations/slack-gateway/gateway_test.go

@@ -202,7 +202,7 @@ func TestOAuthCallbackAutoSelectsSingleInstallTargetAndUpsertsRegistry(t *testin
 	}
 }
 
-func TestOAuthCallbackRendersInstallTargetPickerWhenMultipleTargetsAvailable(t *testing.T) {
+func TestOAuthCallbackRedirectsToReactInstallTargetPickerWhenSameOrigin(t *testing.T) {
 	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		switch r.URL.Path {
 		case "/internal/v2/spritz/channel-install-targets/list":
@@ -262,7 +262,7 @@ func TestOAuthCallbackRendersInstallTargetPickerWhenMultipleTargetsAvailable(t *
 		SlackBotScopes:       []string{"chat:write"},
 		BackendBaseURL:       backend.URL,
 		BackendInternalToken: "backend-internal-token",
-		SpritzBaseURL:        "https://spritz.example.test",
+		SpritzBaseURL:        "https://gateway.example.test",
 		SpritzServiceToken:   "spritz-service-token",
 		PrincipalID:          "shared-slack-gateway",
 		HTTPTimeout:          5 * time.Second,
@@ -284,7 +284,7 @@ func TestOAuthCallbackRendersInstallTargetPickerWhenMultipleTargetsAvailable(t *
 	if err != nil {
 		t.Fatalf("parse picker redirect: %v", err)
 	}
-	if redirectURL.Scheme != "https" || redirectURL.Host != "spritz.example.test" {
+	if redirectURL.Scheme != "https" || redirectURL.Host != "gateway.example.test" {
 		t.Fatalf("expected picker redirect to use Spritz host, got %s", redirectURL.String())
 	}
 	if redirectURL.Path != "/settings/slack/install/select" {
@@ -341,6 +341,104 @@ func TestOAuthCallbackRendersInstallTargetPickerWhenMultipleTargetsAvailable(t *
 	}
 }
 
+func TestOAuthCallbackRendersGatewayInstallTargetPickerWhenCrossOrigin(t *testing.T) {
+	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/internal/v2/spritz/channel-install-targets/list":
+			writeJSON(w, http.StatusOK, map[string]any{
+				"status": "resolved",
+				"targets": []map[string]any{
+					{
+						"id": "ag_123",
+						"profile": map[string]any{
+							"name": "Personal Helper",
+						},
+						"ownerLabel": "Personal",
+						"presetInputs": map[string]any{
+							"agentId": "ag_123",
+						},
+					},
+					{
+						"id": "ag_456",
+						"profile": map[string]any{
+							"name": "Workspace Helper",
+						},
+						"ownerLabel": "Workspace",
+						"presetInputs": map[string]any{
+							"agentId": "ag_456",
+						},
+					},
+				},
+			})
+		case "/internal/v1/spritz/channel-installations/upsert":
+			t.Fatal("upsert should not happen before the picker selection")
+		default:
+			t.Fatalf("unexpected backend path %s", r.URL.Path)
+		}
+	}))
+	defer backend.Close()
+
+	slackAPI := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		writeJSON(w, http.StatusOK, map[string]any{
+			"ok":           true,
+			"app_id":       "A_app_1",
+			"scope":        "chat:write",
+			"access_token": "xoxb-installed",
+			"bot_user_id":  "U_bot",
+			"team":         map[string]any{"id": "T_workspace_1"},
+			"authed_user":  map[string]any{"id": "U_installer"},
+		})
+	}))
+	defer slackAPI.Close()
+
+	gateway := newSlackGateway(config{
+		PublicURL:            "https://gateway.example.test",
+		SlackClientID:        "client-id",
+		SlackClientSecret:    "client-secret",
+		SlackSigningSecret:   "signing-secret",
+		OAuthStateSecret:     "oauth-state-secret",
+		SlackAPIBaseURL:      slackAPI.URL,
+		SlackBotScopes:       []string{"chat:write"},
+		BackendBaseURL:       backend.URL,
+		BackendInternalToken: "backend-internal-token",
+		SpritzBaseURL:        "https://spritz.example.test",
+		SpritzServiceToken:   "spritz-service-token",
+		PrincipalID:          "shared-slack-gateway",
+		HTTPTimeout:          5 * time.Second,
+		DedupeTTL:            time.Minute,
+	}, slog.New(slog.NewTextHandler(io.Discard, nil)))
+	state, err := gateway.state.generate()
+	if err != nil {
+		t.Fatalf("state generate failed: %v", err)
+	}
+
+	req := httptest.NewRequest(http.MethodGet, "/slack/oauth/callback?code=test-code&state="+url.QueryEscape(state), nil)
+	rec := httptest.NewRecorder()
+	gateway.handleOAuthCallback(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("expected gateway picker page, got %d: %s", rec.Code, rec.Body.String())
+	}
+	body := rec.Body.String()
+	if !strings.Contains(body, "Choose an install target") {
+		t.Fatalf("expected picker title, got %q", body)
+	}
+	if !strings.Contains(body, "Personal Helper") || !strings.Contains(body, "Workspace Helper") {
+		t.Fatalf("expected picker targets, got %q", body)
+	}
+	if !strings.Contains(body, `/slack/install/select`) {
+		t.Fatalf("expected picker form action, got %q", body)
+	}
+	if strings.Contains(body, "xoxb-installed") {
+		t.Fatalf("expected picker state to keep bot token encrypted, got %q", body)
+	}
+	for _, cookie := range rec.Result().Cookies() {
+		if strings.HasPrefix(cookie.Name, pendingInstallCookieName) {
+			t.Fatalf("expected cross-origin picker to avoid pending install cookie, got %#v", cookie)
+		}
+	}
+}
+
 func TestInstallTargetSelectionAPIUsesRequestScopedPendingCookie(t *testing.T) {
 	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.URL.Path != "/internal/v2/spritz/channel-install-targets/list" {
@@ -7628,6 +7726,30 @@ func TestReactRouteURLUsesSpritzBaseURL(t *testing.T) {
 	}
 }
 
+func TestReactRoutesShareGatewayOrigin(t *testing.T) {
+	sameOrigin := newSlackGateway(
+		config{
+			PublicURL:     "https://spritz.example.test/slack-gateway",
+			SpritzBaseURL: "https://spritz.example.test",
+		},
+		slog.New(slog.NewTextHandler(io.Discard, nil)),
+	)
+	if !sameOrigin.reactRoutesShareGatewayOrigin() {
+		t.Fatal("expected same host and scheme to share gateway origin")
+	}
+
+	crossOrigin := newSlackGateway(
+		config{
+			PublicURL:     "https://gateway.example.test",
+			SpritzBaseURL: "https://spritz.example.test",
+		},
+		slog.New(slog.NewTextHandler(io.Discard, nil)),
+	)
+	if crossOrigin.reactRoutesShareGatewayOrigin() {
+		t.Fatal("expected different hosts not to share gateway origin")
+	}
+}
+
 func signSlackRequest(header http.Header, signingSecret string, body []byte, now time.Time) {
 	timestamp := fmt.Sprintf("%d", now.Unix())
 	base := "v0:" + timestamp + ":" + string(body)

integrations/slack-gateway/install_result.go

@@ -173,6 +173,20 @@ func (g *slackGateway) installRedirectPath() string {
 	return g.publicPathPrefix() + "/slack/install"
 }
 
+func (g *slackGateway) installRedirectURL() string {
+	base, err := url.Parse(strings.TrimRight(strings.TrimSpace(g.cfg.PublicURL), "/"))
+	if err != nil || base.Scheme == "" || base.Host == "" {
+		return g.installRedirectPath()
+	}
+	basePath := strings.TrimRight(base.Path, "/")
+	routePath := "/slack/install"
+	base.RawPath = ""
+	base.Path = basePath + routePath
+	base.RawQuery = ""
+	base.Fragment = ""
+	return base.String()
+}
+
 func (g *slackGateway) redirectToInstallResult(w http.ResponseWriter, r *http.Request, result installResult) {
 	target := url.URL{Path: g.installResultPath()}
 	query := target.Query()

integrations/slack-gateway/management_api.go

@@ -179,9 +179,9 @@ func (g *slackGateway) handleInstallResultAPI(w http.ResponseWriter, r *http.Req
 }
 
 func (g *slackGateway) writeInstallResultAPI(w http.ResponseWriter, status int, result installResult) {
-	descriptor := installResultDescriptorFor(result.Code, g.installRedirectPath())
+	descriptor := installResultDescriptorFor(result.Code, g.installRedirectURL())
 	if result.Status == installResultStatusSuccess && result.Code == installResultCodeInternalError {
-		descriptor = installResultDescriptorFor(installResultCodeInstalled, g.installRedirectPath())
+		descriptor = installResultDescriptorFor(installResultCodeInstalled, g.installRedirectURL())
 	}
 	writeAPIJSON(w, status, map[string]any{
 		"status":      result.Status,

integrations/slack-gateway/react_routes.go

@@ -67,6 +67,19 @@ func (g *slackGateway) reactRouteURL(target string) string {
 	return base.String()
 }
 
+func (g *slackGateway) reactRoutesShareGatewayOrigin() bool {
+	gatewayURL, err := url.Parse(strings.TrimSpace(g.cfg.PublicURL))
+	if err != nil || gatewayURL.Scheme == "" || gatewayURL.Host == "" {
+		return false
+	}
+	reactURL, err := url.Parse(strings.TrimSpace(g.cfg.SpritzBaseURL))
+	if err != nil || reactURL.Scheme == "" || reactURL.Host == "" {
+		return false
+	}
+	return strings.EqualFold(gatewayURL.Scheme, reactURL.Scheme) &&
+		strings.EqualFold(gatewayURL.Host, reactURL.Host)
+}
+
 func (g *slackGateway) redirectToReactRoute(w http.ResponseWriter, r *http.Request, target string) {
 	http.Redirect(w, r, g.reactRouteURL(target), http.StatusSeeOther)
 }

integrations/slack-gateway/slack_oauth.go

@@ -215,6 +215,10 @@ func (g *slackGateway) handleOAuthCallback(w http.ResponseWriter, r *http.Reques
 			})
 			return
 		}
+		if !g.reactRoutesShareGatewayOrigin() {
+			g.renderInstallTargetPicker(w, pendingState, requestID, targets)
+			return
+		}
 		g.setPendingInstallCookie(w, r, requestID, pendingState)
 		g.redirectToReactRoute(w, r, reactSlackInstallSelectPath(requestID))
 		return