fix: scope pending slack installs by request

Author: osolmaz

integrations/slack-gateway/channel_settings_handlers.go

@@ -87,11 +87,25 @@ func (g *slackGateway) matchChannelSettingsConnectionPath(
 	r *http.Request,
 	installations []backendManagedInstallation,
 	relativePath string,
+) (backendManagedInstallation, backendManagedConnection, bool) {
+	installation, connection, ok := matchManagedChannelSettingsConnection(
+		installations,
+		relativePath,
+	)
+	if !ok {
+		http.NotFound(w, r)
+		return backendManagedInstallation{}, backendManagedConnection{}, false
+	}
+	return installation, connection, true
+}
+
+func matchManagedChannelSettingsConnection(
+	installations []backendManagedInstallation,
+	relativePath string,
 ) (backendManagedInstallation, backendManagedConnection, bool) {
 	trimmed := strings.Trim(strings.TrimPrefix(relativePath, "/settings/channels/"), "/")
 	parts := strings.Split(trimmed, "/")
 	if len(parts) != 4 || parts[0] != "installations" || parts[2] != "connections" {
-		http.NotFound(w, r)
 		return backendManagedInstallation{}, backendManagedConnection{}, false
 	}
 	installationID := strings.TrimSpace(parts[1])
@@ -102,12 +116,10 @@ func (g *slackGateway) matchChannelSettingsConnectionPath(
 		}
 		connection, found := managedConnectionByID(installation, connectionID)
 		if !found {
-			http.NotFound(w, r)
 			return backendManagedInstallation{}, backendManagedConnection{}, false
 		}
 		return installation, connection, true
 	}
-	http.NotFound(w, r)
 	return backendManagedInstallation{}, backendManagedConnection{}, false
 }
 

integrations/slack-gateway/gateway_test.go

@@ -284,12 +284,16 @@ func TestOAuthCallbackRendersInstallTargetPickerWhenMultipleTargetsAvailable(t *
 	if redirectURL.Path != "/settings/slack/install/select" {
 		t.Fatalf("expected React picker route, got %q", redirectURL.Path)
 	}
-	if redirectURL.RawQuery != "" {
+	requestID := redirectURL.Query().Get("requestId")
+	if requestID == "" {
+		t.Fatalf("expected picker redirect to include requestId, got %q", redirectURL.RawQuery)
+	}
+	if strings.Contains(redirectURL.RawQuery, "state=") {
 		t.Fatalf("expected picker redirect without pending state query, got %q", redirectURL.RawQuery)
 	}
 	var pendingCookie *http.Cookie
 	for _, cookie := range rec.Result().Cookies() {
-		if cookie.Name == pendingInstallCookieName {
+		if cookie.Name == pendingInstallCookieNameForRequest(requestID) {
 			pendingCookie = cookie
 			break
 		}
@@ -309,7 +313,7 @@ func TestOAuthCallbackRendersInstallTargetPickerWhenMultipleTargetsAvailable(t *
 
 	selectionReq := httptest.NewRequest(
 		http.MethodGet,
-		"/api/slack/install/selection",
+		"/api/slack/install/selection?requestId="+url.QueryEscape(requestID),
 		nil,
 	)
 	selectionReq.AddCookie(pendingCookie)
@@ -331,6 +335,90 @@ func TestOAuthCallbackRendersInstallTargetPickerWhenMultipleTargetsAvailable(t *
 	}
 }
 
+func TestInstallTargetSelectionAPIUsesRequestScopedPendingCookie(t *testing.T) {
+	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/internal/v2/spritz/channel-install-targets/list" {
+			t.Fatalf("unexpected backend path %s", r.URL.Path)
+		}
+		writeJSON(w, http.StatusOK, map[string]any{
+			"status": "resolved",
+			"targets": []map[string]any{
+				{
+					"id": "ag_workspace",
+					"profile": map[string]any{
+						"name": "Workspace Helper",
+					},
+					"presetInputs": map[string]any{
+						"agentId": "ag_workspace",
+					},
+				},
+			},
+		})
+	}))
+	defer backend.Close()
+
+	gateway := newSlackGateway(config{
+		BackendBaseURL:        backend.URL,
+		BackendFastAPIBaseURL: backend.URL,
+		BackendInternalToken:  "backend-internal-token",
+		OAuthStateSecret:      "oauth-state-secret",
+		PrincipalID:           "shared-slack-gateway",
+		HTTPTimeout:           5 * time.Second,
+	}, slog.New(slog.NewTextHandler(io.Discard, nil)))
+
+	pendingStateA, err := gateway.state.generatePendingInstall(pendingInstallState{
+		RequestID: "install-request-a",
+		Installation: slackInstallation{
+			TeamID:           "T_workspace_a",
+			InstallingUserID: "U_installer",
+			BotAccessToken:   "xoxb-installed-a",
+			BotUserID:        "U_bot",
+			APIAppID:         "A_app_1",
+		},
+	})
+	if err != nil {
+		t.Fatalf("generate first pending install state failed: %v", err)
+	}
+	pendingStateB, err := gateway.state.generatePendingInstall(pendingInstallState{
+		RequestID: "install-request-b",
+		Installation: slackInstallation{
+			TeamID:           "T_workspace_b",
+			InstallingUserID: "U_installer",
+			BotAccessToken:   "xoxb-installed-b",
+			BotUserID:        "U_bot",
+			APIAppID:         "A_app_1",
+		},
+	})
+	if err != nil {
+		t.Fatalf("generate second pending install state failed: %v", err)
+	}
+
+	req := httptest.NewRequest(http.MethodGet, "/api/slack/install/selection?requestId=install-request-a", nil)
+	req.AddCookie(&http.Cookie{
+		Name:  pendingInstallCookieNameForRequest("install-request-a"),
+		Value: pendingStateA,
+		Path:  "/api/slack/install/selection",
+	})
+	req.AddCookie(&http.Cookie{
+		Name:  pendingInstallCookieNameForRequest("install-request-b"),
+		Value: pendingStateB,
+		Path:  "/api/slack/install/selection",
+	})
+	rec := httptest.NewRecorder()
+	gateway.routes().ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("expected 200, got %d: %s", rec.Code, rec.Body.String())
+	}
+	var payload map[string]any
+	if err := json.NewDecoder(rec.Body).Decode(&payload); err != nil {
+		t.Fatalf("decode selection payload: %v", err)
+	}
+	if payload["requestId"] != "install-request-a" || payload["teamId"] != "T_workspace_a" {
+		t.Fatalf("expected first pending install, got %#v", payload)
+	}
+}
+
 func TestWorkspaceManagementRequiresBrowserPrincipal(t *testing.T) {
 	gateway := newSlackGateway(config{
 		BackendFastAPIBaseURL: "https://backend.example.test",
@@ -779,6 +867,67 @@ func TestChannelSettingsAPIUpdatePostsRoutePolicies(t *testing.T) {
 	}
 }
 
+func TestChannelSettingsAPIMissingConnectionReturnsJSON(t *testing.T) {
+	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/internal/v2/spritz/channel-installations/list" {
+			t.Fatalf("unexpected backend path %s", r.URL.Path)
+		}
+		writeJSON(w, http.StatusOK, map[string]any{
+			"status": "resolved",
+			"installations": []map[string]any{
+				{
+					"id": "chinst_example",
+					"route": map[string]any{
+						"principalId":       "shared-slack-gateway",
+						"provider":          "slack",
+						"externalScopeType": "workspace",
+						"externalTenantId":  "T_workspace_1",
+					},
+					"state": "ready",
+					"connections": []map[string]any{
+						{
+							"id":        "chconn_example",
+							"isDefault": true,
+							"state":     "ready",
+						},
+					},
+				},
+			},
+		})
+	}))
+	defer backend.Close()
+
+	gateway := newSlackGateway(config{
+		BackendFastAPIBaseURL: backend.URL,
+		BackendInternalToken:  "backend-internal-token",
+		PrincipalID:           "shared-slack-gateway",
+		HTTPTimeout:           5 * time.Second,
+	}, slog.New(slog.NewTextHandler(io.Discard, nil)))
+
+	req := httptest.NewRequest(
+		http.MethodGet,
+		"/api/settings/channels/installations/chinst_example/connections/missing",
+		nil,
+	)
+	req.Header.Set("X-Spritz-User-Id", "user-1")
+	rec := httptest.NewRecorder()
+	gateway.routes().ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusNotFound {
+		t.Fatalf("expected 404, got %d: %s", rec.Code, rec.Body.String())
+	}
+	if contentType := rec.Header().Get("Content-Type"); !strings.Contains(contentType, "application/json") {
+		t.Fatalf("expected JSON content type, got %q", contentType)
+	}
+	var payload map[string]any
+	if err := json.NewDecoder(rec.Body).Decode(&payload); err != nil {
+		t.Fatalf("decode error payload: %v", err)
+	}
+	if payload["status"] != "error" || payload["message"] != "connection not found" {
+		t.Fatalf("expected structured missing connection error, got %#v", payload)
+	}
+}
+
 func TestWorkspaceManagementAcceptsConfiguredBrowserAuthHeaders(t *testing.T) {
 	t.Setenv("SPRITZ_AUTH_HEADER_ID", "X-Forwarded-User")
 	t.Setenv("SPRITZ_AUTH_HEADER_EMAIL", "X-Forwarded-Email")
@@ -1512,7 +1661,7 @@ func TestInstallTargetSelectionAPIPreservesClassifiedUpsertFailure(t *testing.T)
 	req := httptest.NewRequest(http.MethodPost, "/api/slack/install/selection", bytes.NewReader(requestBody))
 	req.Header.Set("Content-Type", "application/json")
 	req.AddCookie(&http.Cookie{
-		Name:  pendingInstallCookieName,
+		Name:  pendingInstallCookieNameForRequest("install-request-1"),
 		Value: pendingState,
 		Path:  "/api/slack/install/selection",
 	})
@@ -1597,7 +1746,7 @@ func TestInstallTargetSelectionAPIRejectsStaleRequestID(t *testing.T) {
 	req := httptest.NewRequest(http.MethodPost, "/api/slack/install/selection", bytes.NewReader(requestBody))
 	req.Header.Set("Content-Type", "application/json")
 	req.AddCookie(&http.Cookie{
-		Name:  pendingInstallCookieName,
+		Name:  pendingInstallCookieNameForRequest("install-request-current"),
 		Value: pendingState,
 		Path:  "/api/slack/install/selection",
 	})

integrations/slack-gateway/management_api.go

@@ -86,10 +86,11 @@ func (g *slackGateway) handleInstallTargetSelectionAPI(w http.ResponseWriter, r
 }
 
 func (g *slackGateway) handleInstallTargetSelectionAPIGet(w http.ResponseWriter, r *http.Request) {
-	state := g.pendingInstallStateFromRequest(r, "")
+	requestID := strings.TrimSpace(r.URL.Query().Get("requestId"))
+	state := g.pendingInstallStateFromRequest(r, requestID, "")
 	pendingInstall, err := g.state.parsePendingInstall(state)
 	if err != nil {
-		g.clearPendingInstallCookie(w, r)
+		g.clearPendingInstallCookie(w, r, requestID)
 		writeAPIError(w, http.StatusBadRequest, "install state is invalid or expired")
 		return
 	}
@@ -119,14 +120,14 @@ func (g *slackGateway) handleInstallTargetSelectionAPIPost(w http.ResponseWriter
 		writeAPIError(w, http.StatusBadRequest, "invalid request body")
 		return
 	}
-	state := g.pendingInstallStateFromRequest(r, body.State)
+	bodyRequestID := strings.TrimSpace(body.RequestID)
+	state := g.pendingInstallStateFromRequest(r, bodyRequestID, body.State)
 	pendingInstall, err := g.state.parsePendingInstall(state)
 	if err != nil {
-		g.clearPendingInstallCookie(w, r)
+		g.clearPendingInstallCookie(w, r, bodyRequestID)
 		writeAPIError(w, http.StatusBadRequest, "install state is invalid or expired")
 		return
 	}
-	bodyRequestID := strings.TrimSpace(body.RequestID)
 	if bodyRequestID != "" && bodyRequestID != pendingInstall.RequestID {
 		writeAPIError(w, http.StatusBadRequest, "install request is stale")
 		return
@@ -145,7 +146,7 @@ func (g *slackGateway) handleInstallTargetSelectionAPIPost(w http.ResponseWriter
 			"team_id", installation.TeamID,
 			"request_id", requestID,
 		)
-		g.clearPendingInstallCookie(w, r)
+		g.clearPendingInstallCookie(w, r, requestID)
 		g.writeInstallResultAPI(w, http.StatusOK, installResult{
 			Status:    installResultStatusError,
 			Code:      classifyInstallUpsertError(err),
@@ -156,7 +157,7 @@ func (g *slackGateway) handleInstallTargetSelectionAPIPost(w http.ResponseWriter
 		})
 		return
 	}
-	g.clearPendingInstallCookie(w, r)
+	g.clearPendingInstallCookie(w, r, requestID)
 	writeAPIJSON(w, http.StatusOK, map[string]any{
 		"status":    "installed",
 		"requestId": requestID,
@@ -469,13 +470,12 @@ func (g *slackGateway) handleChannelSettingsAPI(w http.ResponseWriter, r *http.R
 		return
 	}
 
-	installation, connection, found := g.matchChannelSettingsConnectionPath(
-		w,
-		r,
+	installation, connection, found := matchManagedChannelSettingsConnection(
 		installations,
 		relativePath,
 	)
 	if !found {
+		writeAPIError(w, http.StatusNotFound, "connection not found")
 		return
 	}
 	switch r.Method {

integrations/slack-gateway/pending_install_cookie.go

@@ -8,6 +8,26 @@ import (
 
 const pendingInstallCookieName = "spritz_slack_pending_install"
 
+func pendingInstallCookieNameForRequest(requestID string) string {
+	requestID = strings.TrimSpace(requestID)
+	if requestID == "" {
+		return pendingInstallCookieName
+	}
+	var suffix strings.Builder
+	for _, char := range requestID {
+		if char >= 'a' && char <= 'z' ||
+			char >= 'A' && char <= 'Z' ||
+			char >= '0' && char <= '9' ||
+			char == '-' || char == '_' {
+			suffix.WriteRune(char)
+		}
+	}
+	if suffix.Len() == 0 {
+		return pendingInstallCookieName
+	}
+	return pendingInstallCookieName + "_" + suffix.String()
+}
+
 func (g *slackGateway) pendingInstallCookiePath() string {
 	return g.publicPathPrefix() + "/api/slack/install/selection"
 }
@@ -24,9 +44,9 @@ func (g *slackGateway) pendingInstallCookieSecure(r *http.Request) bool {
 	return strings.HasPrefix(strings.ToLower(strings.TrimSpace(g.cfg.PublicURL)), "https://")
 }
 
-func (g *slackGateway) setPendingInstallCookie(w http.ResponseWriter, r *http.Request, state string) {
+func (g *slackGateway) setPendingInstallCookie(w http.ResponseWriter, r *http.Request, requestID, state string) {
 	http.SetCookie(w, &http.Cookie{
-		Name:     pendingInstallCookieName,
+		Name:     pendingInstallCookieNameForRequest(requestID),
 		Value:    strings.TrimSpace(state),
 		Path:     g.pendingInstallCookiePath(),
 		Expires:  time.Now().UTC().Add(g.state.ttl),
@@ -37,9 +57,9 @@ func (g *slackGateway) setPendingInstallCookie(w http.ResponseWriter, r *http.Re
 	})
 }
 
-func (g *slackGateway) clearPendingInstallCookie(w http.ResponseWriter, r *http.Request) {
+func (g *slackGateway) clearPendingInstallCookie(w http.ResponseWriter, r *http.Request, requestID string) {
 	http.SetCookie(w, &http.Cookie{
-		Name:     pendingInstallCookieName,
+		Name:     pendingInstallCookieNameForRequest(requestID),
 		Value:    "",
 		Path:     g.pendingInstallCookiePath(),
 		Expires:  time.Unix(0, 0).UTC(),
@@ -50,14 +70,14 @@ func (g *slackGateway) clearPendingInstallCookie(w http.ResponseWriter, r *http.
 	})
 }
 
-func (g *slackGateway) pendingInstallStateFromRequest(r *http.Request, explicitState string) string {
+func (g *slackGateway) pendingInstallStateFromRequest(r *http.Request, requestID, explicitState string) string {
 	if state := strings.TrimSpace(explicitState); state != "" {
 		return state
 	}
 	if r == nil {
 		return ""
 	}
-	cookie, err := r.Cookie(pendingInstallCookieName)
+	cookie, err := r.Cookie(pendingInstallCookieNameForRequest(requestID))
 	if err != nil {
 		return ""
 	}

integrations/slack-gateway/react_routes.go

@@ -10,8 +10,14 @@ func reactSlackInstallResultPath() string {
 	return "/settings/slack/install/result"
 }
 
-func reactSlackInstallSelectPath() string {
-	return "/settings/slack/install/select"
+func reactSlackInstallSelectPath(requestID string) string {
+	target := url.URL{Path: "/settings/slack/install/select"}
+	if requestID := strings.TrimSpace(requestID); requestID != "" {
+		query := target.Query()
+		query.Set("requestId", requestID)
+		target.RawQuery = query.Encode()
+	}
+	return target.String()
 }
 
 func reactSlackWorkspacesPath(query url.Values) string {