ginjo-omniauth-slack 2.4.1 → 2.5.0

data/lib/omniauth-slack/omniauth/auth_hash.rb

@@ -0,0 +1,10 @@
+require 'hashie'
+require 'omniauth/auth_hash'
+
+module OmniAuth
+  module Slack
+    class AuthHash < OmniAuth::AuthHash
+      include Hashie::Extensions::DeepFind
+    end
+  end
+end

data/lib/omniauth-slack/refinements.rb

@@ -0,0 +1,68 @@
+require 'hashie'
+require 'omniauth/strategies/oauth2'
+require 'omniauth/auth_hash'
+require 'oauth2'
+require 'omniauth-slack/omniauth/auth_hash'
+
+
+# Refinements will work as long as the call to the refined method is lexically scoped with the 'using'.
+
+module OmniAuth
+  module Slack
+        
+    module OAuth2Refinements
+      refine ::OAuth2::Response do
+        def to_auth_hash
+          #Module.const_get('::OmniAuth::Slack::AuthHash').new(parsed)
+          ::OmniAuth::Slack::AuthHash.new(parsed)
+        end
+      end
+    end
+
+    module ArrayRefinements
+      refine ::Array do
+        # Sort this array according to other-array's current order.
+        # See https://stackoverflow.com/questions/44536537/sort-the-array-with-reference-to-another-array
+        # This also handles items not in the reference_array.
+        # Pass :beginning or :ending as the 2nd arg to specify where to put unmatched source items.
+        # Pass a block to specify exactly which part of source value is being used for sort.
+        # Example: sources.sort_with(dependencies){|v| v.name.to_s}
+        def sort_with(reference_array, unmatched = :beginning)
+          ref_index = reference_array.to_a.each_with_index.to_h
+          unmatched_destination = case unmatched
+          when /begin/; -1
+          when /end/; 1
+          when Integer; unmatched
+          else -1
+          end
+          #puts "Sorting array #{self} with unmatched_destination '#{unmatched_destination}' and reference index #{ref_index}"
+          sort_by do |v|
+            val = block_given? ? yield(v) : v
+            [ref_index[val] || (unmatched_destination * reference_array.size), val]
+          end
+        end
+      end
+    end
+    
+    module StringRefinements
+      refine String do
+        def words
+          split(/[,\s]+/)
+        end
+      end
+    end
+
+    module CallerMethodName
+      def caller_method_name
+        #caller[0][/`([^']*)'/, 1] # This gets the method name only 1 level up.
+        caller[1][/`([^']*)'/, 1]  # This gets the method name 2 levels up.
+      end
+      
+      def self.included(other)
+        other.send(:extend, CallerMethodName)
+      end
+    end
+      
+  end # Slack
+end # OmniAuth
+

data/lib/omniauth-slack/slack.rb

@@ -0,0 +1,121 @@
+require 'uri'
+require 'omniauth-slack/refinements'
+require 'omniauth-slack/oauth2/client'
+require 'omniauth-slack/oauth2/access_token'
+
+require 'rack'
+require 'json'
+
+module OmniAuth
+  module Slack
+
+    # Build an access token from access-token-hash or from token-string.
+    def self.build_access_token(client_id, client_key, token_string_or_hash)
+      client = OmniAuth::Slack::OAuth2::Client.new(
+        client_id,
+        client_key,
+        OmniAuth::Strategies::Slack.default_options.client_options.to_h.map{|k,v| [k.to_sym, v]}.to_h
+      )
+
+      access_token = case
+        when token_string_or_hash.is_a?(String)
+          OmniAuth::Slack::OAuth2::AccessToken.new(client, token_string_or_hash)
+        when token_string_or_hash.is_a?(Hash)
+          OmniAuth::Slack::OAuth2::AccessToken.from_hash(client, token_string_or_hash)
+      end
+      
+      access_token
+    end
+    
+    
+    # Rack middleware to verify incoming slack request signature.
+    #
+    #   use OmniAuth::Slack::VerifySlackSignature
+    #
+    #   ENV ... TODO: Complete this section of required env variables.
+    #   or consider having accepting a config block in the 'use' call.
+    #
+    class VerifySlackSignature
+      include OmniAuth::Slack::Debug
+      
+      attr_accessor :app_id, :signing_secret
+
+      def initialize(app)
+        @app             = app
+        @app_id          = nil
+        @signing_secret  = nil
+        
+        middleware_instance = self
+        
+        if block_given?
+          # Can set app_id and signing_secret from here.
+          yield(middleware_instance)
+        end
+      end
+
+      def call(env)
+        @env = env
+        @logger = logger = OmniAuth.logger
+                
+        debug{"calling middleware"}
+
+        env['rack.input'].rewind
+        body_string = env['rack.input'].read
+        env['rack.input'].rewind
+        
+        debug{"VerifySlackSignature body_string: #{body_string}"}
+        
+        body_hash =
+          begin
+            body_string && JSON.load(body_string)
+          rescue
+            {}
+          end
+        
+        if body_hash.to_a.size == 0
+          debug{"not detecting JSON body"}
+          pass
+          
+        else
+          api_app_id      = body_hash['api_app_id']
+          slack_signature = env['HTTP_X_SLACK_SIGNATURE']
+          slack_timestamp = env['HTTP_X_SLACK_REQUEST_TIMESTAMP']
+          
+          if ! [api_app_id, slack_signature, slack_timestamp].all?
+            logger.debug("(slack) VerifySlackSignature not detecting incoming Slack request")
+            pass
+            
+          elsif signing_secret.to_s.empty?
+            logger.info("(slack) VerifySlackSignature missing signing_secret")
+            pass
+            
+          elsif app_id && app_id.to_s != api_app_id.to_s
+            logger.info("(slack) VerifySlackSignature app_id mismatch")
+            pass
+            
+          else
+            computed_signature = 'v0=' + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), signing_secret, "v0:#{slack_timestamp}:#{body_string}").to_s
+            rslt = (slack_signature == computed_signature)
+            
+            if rslt
+              logger.info("(slack) VerifySlackSignature: #{rslt}")
+            else
+              logger.info("(slack) VerifySlackSignature: #{rslt}  (slack: #{slack_signature}, computed: #{computed_signature})")
+            end
+            
+            pass rslt
+          end
+        end
+      end
+      
+      def pass(result = nil)
+        @env['omniauth.slack.verification'] = result
+        debug{"set env omniauth.slack.verification to: #{result}"}
+        @app.call(@env)
+      end
+      
+    end  # VerifySlackSignature
+    
+  end
+end
+

data/lib/omniauth-slack/version.rb

@@ -1,5 +1,5 @@
 module OmniAuth
   module Slack
-    VERSION = "2.4.1"
+    VERSION = "2.5.0"
   end
 end

data/lib/omniauth/strategies/slack.rb

@@ -1,411 +1,280 @@
+# :markup: tomdoc
+
 require 'omniauth/strategies/oauth2'
+require 'omniauth-slack/refinements'
+require 'omniauth-slack/slack'
+require 'omniauth-slack/omniauth/auth_hash'
 require 'thread'
 require 'uri'
 
 module OmniAuth
+  using Slack::OAuth2Refinements
+  
   module Strategies
-    
+  
+    # This is the OmniAuth strategy for Slack.
+    # It is used as Rack middleware.
+    #
+    #     use OmniAuth::Builder do
+    #       provider :slack, OAUTH_KEY, OAUTH_SECRET, options...
+    #     end
+    #
     class Slack < OmniAuth::Strategies::OAuth2
-      option :name, 'slack'
-
-      option :authorize_options, [:scope, :team, :team_domain, :redirect_uri]
+      include OmniAuth::Slack::Debug 
+      
+      
+      ###  Options  ###
 
+      # Master list of authorization options handled by omniauth-slack.
+      # See below for redirect_uri.
+      # 
+      AUTH_OPTIONS = %i(scope user_scope team team_domain)
+      
+      debug{"#{self} setting up default options"}
+      
+      # Default strategy name
+      option :name, 'slack'
+      
+      # Options that can be passed with provider authorization URL.
+      option :authorize_options, AUTH_OPTIONS - %i(team_domain)
+      
+      # OAuth2::Client options.
       option :client_options, {
         site: 'https://slack.com',
-        token_url: '/api/oauth.access',
-        auth_scheme: :basic_auth
+        authorize_url: '/oauth/v2/authorize',
+        token_url: '/api/oauth.v2.access',
+        auth_scheme: :basic_auth,
+        raise_errors: false, # MUST be false to allow Slack's get-token response from v2 API.
+        history: Array.new,
       }
       
+      # Authorization token-exchange API call options.
       option :auth_token_params, {
         mode: :query,
         param_name: 'token'
       }
+
+
+      ###  Omniauth Slack custom options  ###
       
-      option :preload_data_with_threads, 0
-      
-      option :include_data, []
-      
-      option :exclude_data, []
+      # redirect_uri does not need to be in authorize_options,
+      # since it inserted anyway by omniauth-oauth2 during both
+      # the request (authorization) phase and the callback (get-token) phase.
+      # The magic of redirect_uri actually happens in the callback_url method.
+      option :redirect_uri
       
-      option :additional_data, {}
+      # Options allowed to pass from omniauth /auth/<provider> URL
+      # to provider authorization URL.
+      option :pass_through_params, %i(team)
+    
+
+      ###  Data  ###
       
       # User ID is not guaranteed to be globally unique across all Slack users.
       # The combination of user ID and team ID, on the other hand, is guaranteed
       # to be globally unique.
-      uid { "#{user_id}-#{team_id}" }
-      
+      #
+      uid { access_token&.uid }
+
+
+      # Gathers access_token and awarded scopes for :credentials section of AuthHash.
+      #
       credentials do
         {
-          token: auth['token'],
-          scope: (is_app_token? ? all_scopes : auth['scope']),
-          expires: false
+          token_type: access_or_user_token&.token_type,
+          scope: access_or_user_token&.scope,
+          scopes: access_or_user_token&.all_scopes,
+          token: access_or_user_token&.token
         }
       end
 
+      # Gathers a myriad of possible data returned from omniauth-slack /api/oauth.access call,
+      # for `:info` section of AuthHash.
+      # :markup: markdown
+      #
+      # You an modify the info hash from your application.
+      # This example adds a users_info API request and response.
+      # Note that this will automatically store Client request history,
+      # if enabled. You do not need to link the auth-hash raw-info to
+      # the Client history array (See notes in OmniAuth::Slack::OAuth2::Client).
+      #
+      # Example:
+      #
+      #   class OmniAuth::Strategies::Slack
+      #     original_info = info.dup
+      #     info do
+      #       {
+      #         access_token: instance_exec(&original_info),
+      #         users_info: access_token.get('/api/users.info', params: {user: access_token.user_id}, headers: {'X-Slack-User' => (access_token.user_id)}).parsed
+      #       }
+      #     end
+      #   end
+      #
       info do
-      
-        unless skip_info?
-          define_additional_data
-          semaphore
-        end
-        
-        num_threads = options.preload_data_with_threads.to_i
-        
-        if num_threads > 0 && !skip_info?
-          preload_data_with_threads(num_threads)
-        end
-      
-        # Start with only what we can glean from the authorization response.
-        hash = { 
-          name: auth['user'].to_h['name'],
-          email: auth['user'].to_h['email'],
-          user_id: user_id,
-          team_name: auth['team_name'] || auth['team'].to_h['name'],
-          team_id: team_id,
-          image: auth['team'].to_h['image_48']
+        {
+          name: access_token.user_name
         }
-
-        # Now add everything else, using further calls to the api, if necessary.
-        unless skip_info?
-          %w(first_name last_name phone skype avatar_hash real_name real_name_normalized).each do |key|
-            hash[key.to_sym] = (
-              user_info['user'].to_h['profile'] ||
-              user_profile['profile']
-            ).to_h[key]
-          end
-
-          %w(deleted status color tz tz_label tz_offset is_admin is_owner is_primary_owner is_restricted is_ultra_restricted is_bot has_2fa).each do |key|
-            hash[key.to_sym] = user_info['user'].to_h[key]
-          end
-
-          more_info = {
-            image: (
-              hash[:image] ||
-              user_identity.to_h['image_48'] ||
-              user_info['user'].to_h['profile'].to_h['image_48'] ||
-              user_profile['profile'].to_h['image_48']
-              ),
-            name:(
-              hash[:name] ||
-              user_identity['name'] ||
-              user_info['user'].to_h['real_name'] ||
-              user_profile['profile'].to_h['real_name']
-              ),
-            email:(
-              hash[:email] ||
-              user_identity.to_h['email'] ||
-              user_info['user'].to_h['profile'].to_h['email'] ||
-              user_profile['profile'].to_h['email']
-              ),
-            team_name:(
-              hash[:team_name] ||
-              team_identity.to_h['name'] ||
-              team_info['team'].to_h['name']
-              ),
-            team_domain:(
-              auth['team'].to_h['domain'] ||
-              team_identity.to_h['domain'] ||
-              team_info['team'].to_h['domain']
-              ),
-            team_image:(
-              auth['team'].to_h['image_44'] ||
-              team_identity.to_h['image_44'] ||
-              team_info['team'].to_h['icon'].to_h['image_44']
-              ),
-            team_email_domain:(
-              team_info['team'].to_h['email_domain']
-              ),
-            nickname:(
-              user_info.to_h['user'].to_h['name'] ||
-              auth['user'].to_h['name'] ||
-              user_identity.to_h['name']
-              ),
-          }
-          
-          hash.merge!(more_info)
-        end
-        hash
+        .merge access_token.to_hash
       end
 
+      # Defines a section for all additional data to be
+      # included with the AuthHash instance.
+      #
+      # for :extra section of AuthHash.
+      #
       extra do
         {
-          scopes_requested: (env['omniauth.params'] && env['omniauth.params']['scope']) || \
-            (env['omniauth.strategy'] && env['omniauth.strategy'].options && env['omniauth.strategy'].options.scope),
-          web_hook_info: web_hook_info,
-          bot_info: auth['bot'] || bot_info['bot'],
-          auth: auth,
-          identity: identity,
-          user_info: user_info,
-          user_profile: user_profile,
-          team_info: team_info,
-          apps_permissions_users_list: apps_permissions_users_list,
-          additional_data: get_additional_data,
-          raw_info: @raw_info
+          scopes_requested: scopes_requested,
+          raw_info: raw_info
         }
       end
 
-      
-      # Pass on certain authorize_params to the Slack authorization GET request.
+
+      ###  Instance Methods  ###
+
+      # Wraps OmniAuth::Oauth2#authorize_params so that specified params
+      # can be passed on to Slack authorization GET request.
       # See https://github.com/omniauth/omniauth/issues/390
+      #
       def authorize_params
-        super.tap do |params|
-          %w(scope team redirect_uri).each do |v|
-            if !request.params[v].to_s.empty?
-              params[v.to_sym] = request.params[v]
-            end
-          end
-          log(:debug, "Authorize_params #{params.to_h}")
+        super.tap do |prms|
+          params_digest = prms.hash
+          debug{"Using omniauth authorize_params #{prms}"}
+          debug{"Considering request.params #{request.params}"}
+          debug{"Considering pass_through_params #{pass_through_params}"}
+          filtered_ptp = pass_through_params.reject{|o| o.to_s == 'team_domain'}
+          filtered_rp  = request.params.reject{|k,v| !filtered_ptp.any?{|ptp| ptp.to_s == k.to_s}}
+          debug{"Filtered request params #{filtered_rp}"}
+          prms.merge! filtered_rp
+          log(:debug, "Using modified authorize_params #{prms}") if prms.hash != params_digest
+          session['omniauth.authorize_params'] = prms
         end
       end
       
-      # Get a new OAuth2::Client and define custom behavior.
-      # * overrides previous omniauth-strategies-oauth2 :client definition.
+      # Pre-sets env vars for super.
       #
-      # * Log API requests with OmniAuth.logger
-      # * Add API responses to @raw_info hash
-      # * Set auth site uri with custom subdomain (if provided).
+      # OmniAuth callback phase to extract session var for
+      # omniauth.authorize_params into env (this is how omniauth does this).
       #
-      def client
-        new_client = super
-        
-        team_domain = request.params['team_domain'] || options[:team_domain]
-        if !team_domain.to_s.empty?
-          site_uri = URI.parse(options[:client_options]['site'])
-          site_uri.host = "#{team_domain}.slack.com"
-          new_client.site = site_uri.to_s
-          log(:debug, "Oauth site uri with custom team_domain #{site_uri}")
-        end
-        
-        st_raw_info = raw_info
-        new_client.define_singleton_method(:request) do |*args|
-          OmniAuth.logger.send(:debug, "(slack) API request #{args[0..1]}; in thread #{Thread.current.object_id}.")
-          request_output = super(*args)
-          uri = args[1].to_s.gsub(/^.*\/([^\/]+)/, '\1') # use single-quote or double-back-slash for replacement.
-          st_raw_info[uri.to_s]= request_output
-          request_output
-        end
-        
-        new_client
-      end
-      
-      # Dropping query_string from callback_url prevents some errors in call to /api/oauth.access.
-      def callback_url
-        full_host + script_name + callback_path
-      end
-
-      def identity
-        return {} unless !skip_info? && has_scope?(identity: ['identity.basic','identity:read:user']) && is_not_excluded?
-        semaphore.synchronize {
-          @identity_raw ||= access_token.get('/api/users.identity', headers: {'X-Slack-User' => user_id})
-          @identity ||= @identity_raw.parsed
-        }
-      end
-      
-      
-      private
-      
-      def initialize(*args)
+      def callback_phase #(*args)
+        # This technique copied from OmniAuth::Strategy,
+        # (this is how they do it for other omniauth objects).
+        env['omniauth.authorize_params'] = session.delete('omniauth.authorize_params')
         super
-        @main_semaphore = Mutex.new
-        @semaphores = {}
       end
       
-      # Get a mutex specific to the calling method.
-      # This operation is synchronized with its own mutex.
-      def semaphore(method_name = caller[0][/`([^']*)'/, 1])
-        @main_semaphore.synchronize {
-          @semaphores[method_name] ||= Mutex.new
-        }
+      # Returns OmniAuth::Slack::AuthHash
+      #
+      # Super result is converted to plain hash first,
+      # so AuthHash can do its recursive build magic.
+      #
+      def auth_hash
+        OmniAuth::Slack::AuthHash.new super.to_hash
       end
       
-      def active_methods
-        @active_methods ||= (
-          includes = [options.include_data].flatten.compact
-          excludes = [options.exclude_data].flatten.compact unless includes.size > 0
-          method_list = %w(apps_permissions_users_list identity user_info user_profile team_info bot_info)  #.concat(options[:additional_data].keys)
-          if includes.size > 0
-            method_list.keep_if {|m| includes.include?(m.to_s) || includes.include?(m.to_s.to_sym)}
-          elsif excludes.size > 0
-            method_list.delete_if {|m| excludes.include?(m.to_s) || excludes.include?(m.to_s.to_sym)}
-          end
-          log :debug, "Activated API calls: #{method_list}."
-          log :debug, "Activated additional_data calls: #{options.additional_data.keys}."
-          method_list
+      # Uses `OmniAuth::Slack::OAuth2::Client` to handle Slack-specific features.
+      #
+      # * Logs API requests with OmniAuth.logger.
+      # * Allows passthrough of Slack team_domain.
+      # * Enables/disables Client instance history.
+      # * Allows use of OmniAuth::Slack::OAuth2::AccessToken.
+      #
+      # Returns instance of OmniAuth::Slack::OAuth2::Client.
+      #
+      def client
+        @client ||= (
+          team_domain = (pass_through_params.include?('team_domain') && request.params['team_domain']) ? request.params['team_domain'] : options.team_domain
+          new_client = OmniAuth::Slack::OAuth2::Client.new(options.client_id, options.client_secret, deep_symbolize(options.client_options.merge({subdomain:team_domain})))
+  
+          debug{"Strategy #{self} using Client #{new_client} with callback_url #{callback_url}"}
+          
+          new_client
         )
       end
-      
-      def is_not_excluded?(method_name = caller[0][/`([^']*)'/, 1])
-        active_methods.include?(method_name.to_s) || active_methods.include?(method_name.to_s.to_sym)
-      end
-      
-      # Preload additional api calls with a pool of threads.
-      def preload_data_with_threads(num_threads)
-        return unless num_threads > 0
-        preload_methods = active_methods.concat(options[:additional_data].keys)
-        log :info, "Preloading (#{preload_methods.size}) data requests using (#{num_threads}) threads."
-        work_q = Queue.new
-        preload_methods.each{|x| work_q.push x }
-        workers = num_threads.to_i.times.map do
-          Thread.new do
-            begin
-              while x = work_q.pop(true)
-                log :debug, "Preloading #{x}."
-                send x
-              end
-            rescue ThreadError
-            end
-          end
-        end
-        workers.map(&:join); "ok"
-      end
-      
-      # Define methods for addional data from :additional_data option
-      def define_additional_data
-        hash = options[:additional_data]
-        if !hash.to_h.empty?
-          hash.each do |k,v|
-            define_singleton_method(k) do
-              instance_variable_get(:"@#{k}") || 
-              instance_variable_set(:"@#{k}", v.respond_to?(:call) ? v.call(env) : v)
-            end
-          end
-        end
-      end
-      
-      def get_additional_data
-        if skip_info?
-          {}
-        else
-          options[:additional_data].inject({}) do |hash,tupple|
-            hash[tupple[0].to_s] = send(tupple[0].to_s)
-            hash
-          end
-        end
-      end
-      
-      # Parsed data returned from /slack/oauth.access api call.
-      def auth
-        @auth ||= access_token.params.to_h.merge({'token' => access_token.token})
-      end
 
-      def user_identity
-        @user_identity ||= identity['user'].to_h
-      end
-
-      def team_identity
-        @team_identity ||= identity['team'].to_h
-      end
-
-      def user_info
-        return {} unless !skip_info? && has_scope?(identity: 'users:read', team: 'users:read') && is_not_excluded?
-        semaphore.synchronize {
-          @user_info_raw ||= access_token.get('/api/users.info', params: {user: user_id}, headers: {'X-Slack-User' => user_id})
-          @user_info ||= @user_info_raw.parsed
-        }
+      # Dropping query_string from the default OmniAuth callback_url prevents
+      # some errors in call to /api/oauth.[v2.]access.
+      #
+      def callback_url
+        options.redirect_uri || full_host + script_name + callback_path
       end
       
-      def user_profile
-        return {} unless !skip_info? && has_scope?(identity: 'users.profile:read', team: 'users.profile:read') && is_not_excluded?
-        semaphore.synchronize {
-          @user_profile_raw ||= access_token.get('/api/users.profile.get', params: {user: user_id}, headers: {'X-Slack-User' => user_id})
-          @user_profile ||= @user_profile_raw.parsed
-        }
+      ### Possibly obsolete
+      #
+      #   def user_id
+      #     # access_token['user_id'] || access_token['user'].to_h['id'] || access_token['authorizing_user'].to_h['user_id']
+      #     access_or_user_token&.user_id
+      #   end
+      # 
+      #   def team_id
+      #     access_token&.team_id
+      #   end
+      
+      # Gets and decodes :pass_through_params option.
+      #
+      def pass_through_params
+        ptp = [options.pass_through_params].flatten.compact
+        case
+          when ptp[0].to_s == 'all'
+            options.pass_through_params = AUTH_OPTIONS
+          when ptp[0].to_s == 'none'
+            []
+          else
+            ptp
+        end
       end
 
-      def team_info
-        return {} unless !skip_info? && has_scope?(identity: 'team:read', team: 'team:read') && is_not_excluded?
-        semaphore.synchronize {
-          @team_info_raw ||= access_token.get('/api/team.info')
-          @team_info ||= @team_info_raw.parsed
-        }
-      end
+      # Parsed data returned from /slack/oauth.[v2.]access api call.
+      #
+      # Where does this actually go? Where is it used?
+      #
+      # Simplifying this to just 'access_token.to_hash' does not appear to
+      # have any noticeable negative effect.
+      #
+      # Possibly obsolete
+      #
+      #   def auth
+      #     @auth ||= access_token.to_hash
+      #   end
 
-      def web_hook_info
-        return {} unless auth.key? 'incoming_webhook'
-        auth['incoming_webhook']
-      end
-      
-      def bot_info
-        return {} unless !skip_info? && has_scope?(identity: 'users:read') && is_not_excluded?
-        semaphore.synchronize {
-          @bot_info_raw ||= access_token.get('/api/bots.info')
-          @bot_info ||= @bot_info_raw.parsed
-        }
-      end
-      
-      def user_id
-        auth['user_id'] || auth['user'].to_h['id'] || auth['authorizing_user'].to_h['user_id']
-      end
-      
-      def team_id
-        auth['team_id'] || auth['team'].to_h['id']
-      end
-      
-      # API call to get user permissions for workspace token.
-      # This is needed because workspace token 'sign-in-with-slack' is missing scopes
-      # in the :scope field (acknowledged issue in developer preview).
+      # Points to client @history, which is filled with API response objects.
       #
-      # Returns [<id>: <resource>]
-      def apps_permissions_users_list
-        return {} unless !skip_info? && is_app_token? && is_not_excluded?
-        semaphore.synchronize {
-          @apps_permissions_users_list_raw ||= access_token.get('/api/apps.permissions.users.list')
-          @apps_permissions_users_list ||= @apps_permissions_users_list_raw.parsed['resources'].inject({}){|h,i| h[i['id']] = i; h}
-        }
-      end
-      
       def raw_info
-        @raw_info ||= {}
-      end
-      
-      # Is this a workspace app token?
-      def is_app_token?
-        auth['token_type'].to_s == 'app'
+        @raw_info ||= access_token.client.history
+        debug{"Retrieved raw_info (size #{@raw_info.size}) (object_id #{@raw_info.object_id})"}
+        @raw_info
       end
       
-      # Scopes come from at least 3 different places now.
-      # * The classic :scope field (string)
-      # * New workshop token :scopes field (hash)
-      # * Separate call to apps.permissions.users.list (array)
+      # Gets 'authed_user' sub-token from main access token.
       #
-      # This returns hash of workspace scopes, with classic & new identity scopes in :identity.
-      # Lists of scopes are in array form.
-      def all_scopes
-        @all_scopes ||=
-        {'identity' => (auth['scope'] || apps_permissions_users_list[user_id].to_h['scopes'].to_a.join(',')).to_s.split(',')}
-        .merge(auth['scopes'].to_h)
+      def user_token
+        access_token&.user_token
       end
       
-      # Determine if given scopes exist in current authorization.
-      # Scopes is hash where
-      #   key == scope type <identity|app_hope|team|channel|group|mpim|im>
-      #   val == array or string of individual scopes.
-      def has_scope?(**scopes_hash)
-        scopes_hash.detect do |section, scopes|
-          test_scopes = case
-            when scopes.is_a?(String); scopes.split(',')
-            when scopes.is_a?(Array); scopes
-            else raise "Scope must be a string or array"
-          end
-          test_scopes.detect do |scope|
-            all_scopes[section.to_s].to_a.include?(scope.to_s)
-          end
+      # Gets main access_token, if valid, otherwise gets user_token, if valid.
+      # Handles Slack v1 and v2 API (v2 is non-conformant with OAUTH2 spec).
+      def access_or_user_token
+        if access_token&.token
+          access_token
+        elsif user_token
+          user_token
+        else
+          access_token
         end
       end
       
-      def self.ad_hoc_client(client_id, client_key, token)
-        puts default_options['client_options'].to_yaml
-        ::OAuth2::AccessToken.new(
-          ::OAuth2::Client.new(
-            client_id,
-            client_key,
-            default_options['client_options'].map{|k,v| [k.to_sym, v]}.to_h
-          ),
-          token
-        )
+      def scopes_requested
+        # omniauth.authorize_params is an enhancement to omniauth functionality for omniauth-slack.
+        out = {
+          scope: env['omniauth.authorize_params'].to_h['scope'],
+          user_scope: env['omniauth.authorize_params'].to_h['user_scope']
+        }
+        
+        debug{"scopes_requested: #{out}"}
+        return out
       end
-      
-    end
-  end
-end
+
+    end # Slack
+  end # Strategies
+end # OmniAuth