fix: harden slack management ui migration

Author: osolmaz

integrations/slack-gateway/gateway_test.go

@@ -290,6 +290,28 @@ func TestOAuthCallbackRendersInstallTargetPickerWhenMultipleTargetsAvailable(t *
 	if strings.Contains(rec.Body.String(), "xoxb-installed") {
 		t.Fatalf("expected picker redirect to keep bot token encrypted, got %q", rec.Body.String())
 	}
+
+	selectionReq := httptest.NewRequest(
+		http.MethodGet,
+		"/api/slack/install/selection?state="+url.QueryEscape(redirectURL.Query().Get("state")),
+		nil,
+	)
+	selectionRec := httptest.NewRecorder()
+	gateway.routes().ServeHTTP(selectionRec, selectionReq)
+
+	if selectionRec.Code != http.StatusOK {
+		t.Fatalf("expected selection API response, got %d: %s", selectionRec.Code, selectionRec.Body.String())
+	}
+	if strings.Contains(selectionRec.Body.String(), "xoxb-installed") || strings.Contains(selectionRec.Body.String(), "botAccessToken") {
+		t.Fatalf("selection API leaked bot token material: %s", selectionRec.Body.String())
+	}
+	var selectionPayload map[string]any
+	if err := json.NewDecoder(selectionRec.Body).Decode(&selectionPayload); err != nil {
+		t.Fatalf("decode selection API payload: %v", err)
+	}
+	if _, ok := selectionPayload["installation"]; ok {
+		t.Fatalf("selection API should not expose pending installation payload: %#v", selectionPayload["installation"])
+	}
 }
 
 func TestWorkspaceManagementRequiresBrowserPrincipal(t *testing.T) {

integrations/slack-gateway/management_api.go

@@ -13,12 +13,11 @@ type slackGatewayErrorResponse struct {
 }
 
 type installSelectionResponse struct {
-	Status       string                 `json:"status"`
-	State        string                 `json:"state"`
-	RequestID    string                 `json:"requestId"`
-	TeamID       string                 `json:"teamId"`
-	Installation slackInstallation      `json:"installation"`
-	Targets      []backendInstallTarget `json:"targets"`
+	Status    string                 `json:"status"`
+	State     string                 `json:"state"`
+	RequestID string                 `json:"requestId"`
+	TeamID    string                 `json:"teamId"`
+	Targets   []backendInstallTarget `json:"targets"`
 }
 
 type installSelectionRequest struct {
@@ -102,12 +101,11 @@ func (g *slackGateway) handleInstallTargetSelectionAPIGet(w http.ResponseWriter,
 		return
 	}
 	writeJSON(w, http.StatusOK, installSelectionResponse{
-		Status:       "resolved",
-		State:        state,
-		RequestID:    pendingInstall.RequestID,
-		TeamID:       pendingInstall.Installation.TeamID,
-		Installation: pendingInstall.Installation,
-		Targets:      targets,
+		Status:    "resolved",
+		State:     state,
+		RequestID: pendingInstall.RequestID,
+		TeamID:    pendingInstall.Installation.TeamID,
+		Targets:   targets,
 	})
 }
 

ui/src/pages/settings.tsx

@@ -181,6 +181,16 @@ function teamID(installation: SlackManagedInstallation): string {
   return installation.route.externalTenantId;
 }
 
+function hasAllowedAction(installation: SlackManagedInstallation, action: string): boolean {
+  return (installation.allowedActions || []).some(
+    (candidate) => candidate.trim().toLowerCase() === action.trim().toLowerCase(),
+  );
+}
+
+function installationIsDisconnected(installation: SlackManagedInstallation): boolean {
+  return installation.state.trim().toLowerCase() === 'disconnected';
+}
+
 function WorkspaceListPage() {
   const { value, error, loading, reload } = useAsyncValue(
     () => slackGatewayRequest<InstallationListResponse>('/api/slack/workspaces'),
@@ -218,6 +228,8 @@ function WorkspaceListPage() {
         <div className="overflow-hidden rounded-[var(--radius-lg)] border border-border">
           {installations.map((installation) => {
             const connection = primaryConnection(installation);
+            const canDisconnect = hasAllowedAction(installation, 'disconnect');
+            const canTest = !installationIsDisconnected(installation);
             return (
               <div
                 key={installation.id || teamID(installation)}
@@ -249,17 +261,21 @@ function WorkspaceListPage() {
                   >
                     Target
                   </Link>
-                  <Link
-                    to={`/settings/slack/workspaces/test?teamId=${encodeURIComponent(teamID(installation))}`}
-                    className={buttonVariants({ variant: 'outline' })}
-                  >
-                    <SendIcon aria-hidden="true" />
-                    Test
-                  </Link>
-                  <Button variant="destructive" onClick={() => disconnect(installation)}>
-                    <Trash2Icon aria-hidden="true" />
-                    Disconnect
-                  </Button>
+                  {canTest && (
+                    <Link
+                      to={`/settings/slack/workspaces/test?teamId=${encodeURIComponent(teamID(installation))}`}
+                      className={buttonVariants({ variant: 'outline' })}
+                    >
+                      <SendIcon aria-hidden="true" />
+                      Test
+                    </Link>
+                  )}
+                  {canDisconnect && (
+                    <Button variant="destructive" onClick={() => disconnect(installation)}>
+                      <Trash2Icon aria-hidden="true" />
+                      Disconnect
+                    </Button>
+                  )}
                 </div>
               </div>
             );
@@ -368,6 +384,10 @@ function routeRequireMention(route: SlackManagedChannelRoute): boolean {
   return route.requireMention !== false;
 }
 
+function routeEnabled(route: SlackManagedChannelRoute): boolean {
+  return route.enabled !== false;
+}
+
 function ConnectionSettingsPage() {
   const { installationId = '', connectionId = '' } = useParams();
   const loadPath = `/api/settings/channels/installations/${encodeURIComponent(
@@ -385,7 +405,7 @@ function ConnectionSettingsPage() {
 
   useEffect(() => {
     if (value?.connection) {
-      setRoutes([...(value.connection.routes || [])]);
+      setRoutes([...(value.connection.routes || [])].filter(routeEnabled));
     }
   }, [value?.connection]);