fix: harden slack settings management

Author: osolmaz

integrations/slack-gateway/gateway_test.go

@@ -1514,6 +1514,72 @@ func TestInstallTargetSelectionAPIPreservesClassifiedUpsertFailure(t *testing.T)
 	}
 }
 
+func TestInstallTargetSelectionAPIRejectsStaleRequestID(t *testing.T) {
+	backendCalled := false
+	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		backendCalled = true
+		t.Fatalf("backend should not be called for stale install selection")
+	}))
+	defer backend.Close()
+
+	gateway := newSlackGateway(config{
+		PublicURL:            "https://gateway.example.test",
+		SlackClientID:        "client-id",
+		SlackClientSecret:    "client-secret",
+		SlackSigningSecret:   "signing-secret",
+		OAuthStateSecret:     "oauth-state-secret",
+		SlackAPIBaseURL:      "https://slack.example.test/api",
+		SlackBotScopes:       []string{"chat:write"},
+		BackendBaseURL:       backend.URL,
+		BackendInternalToken: "backend-internal-token",
+		SpritzBaseURL:        "https://spritz.example.test",
+		SpritzServiceToken:   "spritz-service-token",
+		PrincipalID:          "shared-slack-gateway",
+		HTTPTimeout:          5 * time.Second,
+		DedupeTTL:            time.Minute,
+	}, slog.New(slog.NewTextHandler(io.Discard, nil)))
+
+	pendingState, err := gateway.state.generatePendingInstall(pendingInstallState{
+		RequestID: "install-request-current",
+		Installation: slackInstallation{
+			TeamID:           "T_workspace_current",
+			InstallingUserID: "U_installer",
+			BotAccessToken:   "xoxb-installed",
+			BotUserID:        "U_bot",
+			APIAppID:         "A_app_1",
+		},
+	})
+	if err != nil {
+		t.Fatalf("generate pending install state failed: %v", err)
+	}
+	requestBody, err := json.Marshal(map[string]any{
+		"requestId": "install-request-stale",
+		"presetInputs": map[string]any{
+			"agentId": "ag_456",
+		},
+	})
+	if err != nil {
+		t.Fatalf("marshal request body: %v", err)
+	}
+
+	req := httptest.NewRequest(http.MethodPost, "/api/slack/install/selection", bytes.NewReader(requestBody))
+	req.Header.Set("Content-Type", "application/json")
+	req.AddCookie(&http.Cookie{
+		Name:  pendingInstallCookieName,
+		Value: pendingState,
+		Path:  "/api/slack/install/selection",
+	})
+	rec := httptest.NewRecorder()
+	gateway.routes().ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusBadRequest {
+		t.Fatalf("expected 400 for stale request id, got %d: %s", rec.Code, rec.Body.String())
+	}
+	if backendCalled {
+		t.Fatalf("backend was called for stale install selection")
+	}
+}
+
 func TestInstallRedirectUsesConfiguredSlackHost(t *testing.T) {
 	cfg := config{
 		PublicURL:          "https://gateway.example.test",

integrations/slack-gateway/management_api.go

@@ -121,7 +121,12 @@ func (g *slackGateway) handleInstallTargetSelectionAPIPost(w http.ResponseWriter
 		writeAPIError(w, http.StatusBadRequest, "install state is invalid or expired")
 		return
 	}
-	requestID := firstNonEmpty(strings.TrimSpace(body.RequestID), pendingInstall.RequestID)
+	bodyRequestID := strings.TrimSpace(body.RequestID)
+	if bodyRequestID != "" && bodyRequestID != pendingInstall.RequestID {
+		writeAPIError(w, http.StatusBadRequest, "install request is stale")
+		return
+	}
+	requestID := pendingInstall.RequestID
 	if len(body.PresetInputs) == 0 {
 		writeAPIError(w, http.StatusBadRequest, "presetInputs is required")
 		return

ui/src/pages/settings.test.tsx

@@ -215,6 +215,19 @@ describe('SettingsPage', () => {
     ).toBeTruthy();
   });
 
+  it('redirects the Slack settings landing page to workspace settings', async () => {
+    render(
+      <MemoryRouter initialEntries={['/settings/slack']}>
+        <Routes>
+          <Route path="settings/*" element={<SettingsPage />} />
+        </Routes>
+      </MemoryRouter>,
+    );
+
+    expect(await screen.findByRole('heading', { name: 'Slack Workspaces' })).toBeTruthy();
+    expect(await screen.findByText('No Slack workspaces are installed.')).toBeTruthy();
+  });
+
   it('routes typed install picker failures to the install result page', async () => {
     const user = userEvent.setup();
     const installResult = {

ui/src/pages/settings.tsx

@@ -931,6 +931,7 @@ export function SettingsPage() {
     <Routes>
       <Route element={<SettingsShell />}>
         <Route index element={<Navigate to="slack/workspaces" replace />} />
+        <Route path="slack" element={<Navigate to="workspaces" replace />} />
         <Route path="slack/workspaces" element={<WorkspaceListPage />} />
         <Route path="slack/workspaces/target" element={<WorkspaceTargetPage />} />
         <Route path="slack/workspaces/test" element={<WorkspaceTestPage />} />