agent-messenger 2.14.1 → 2.15.1

package/src/platforms/slack/ensure-auth.test.ts

@@ -10,10 +10,12 @@ let extractSpy: ReturnType<typeof spyOn>
 let extractCookieSpy: ReturnType<typeof spyOn>
 let getWorkspaceDomainsSpy: ReturnType<typeof spyOn>
 let testAuthSpy: ReturnType<typeof spyOn>
+let loginSpy: ReturnType<typeof spyOn>
 let setWorkspaceSpy: ReturnType<typeof spyOn>
 let loadSpy: ReturnType<typeof spyOn>
 let setCurrentWorkspaceSpy: ReturnType<typeof spyOn>
 let fetchSpy: ReturnType<typeof spyOn>
+let activeToken: string | null = null
 
 beforeEach(() => {
   getWorkspaceSpy = spyOn(CredentialManager.prototype, 'getWorkspace').mockResolvedValue(null)
@@ -31,6 +33,15 @@ beforeEach(() => {
 
   getWorkspaceDomainsSpy = spyOn(TokenExtractor.prototype, 'getWorkspaceDomains').mockReturnValue({})
 
+  activeToken = null
+  loginSpy = spyOn(SlackClient.prototype, 'login').mockImplementation(function (
+    this: SlackClient,
+    credentials?: { token: string; cookie: string },
+  ) {
+    activeToken = credentials?.token ?? null
+    return Promise.resolve(this)
+  })
+
   testAuthSpy = spyOn(SlackClient.prototype, 'testAuth').mockResolvedValue({
     user_id: 'U123',
     team_id: 'T123',
@@ -55,6 +66,7 @@ afterEach(() => {
   extractSpy?.mockRestore()
   extractCookieSpy?.mockRestore()
   getWorkspaceDomainsSpy?.mockRestore()
+  loginSpy?.mockRestore()
   testAuthSpy?.mockRestore()
   setWorkspaceSpy?.mockRestore()
   loadSpy?.mockRestore()
@@ -62,6 +74,16 @@ afterEach(() => {
   fetchSpy?.mockRestore()
 })
 
+function authResponseByToken(map: Record<string, { team_id: string; team?: string } | Error>) {
+  testAuthSpy.mockImplementation(() => {
+    const token = activeToken ?? '<no-token>'
+    const result = map[token]
+    if (!result) throw new Error('invalid_auth')
+    if (result instanceof Error) throw result
+    return Promise.resolve({ user_id: 'U1', user: 'user', team: result.team, team_id: result.team_id })
+  })
+}
+
 describe('ensureSlackAuth', () => {
   it('skips extraction when stored credentials are valid', async () => {
     // given
@@ -278,7 +300,7 @@ describe('ensureSlackAuth', () => {
     )
   })
 
-  it('skips web refresh when no domain is known for workspace', async () => {
+  it('skips web refresh when domain map is empty', async () => {
     // given — domain mapping is empty
     extractSpy.mockResolvedValue([
       { workspace_id: 'T-stale', workspace_name: 'stale-ws', token: 'xoxc-stale', cookie: 'xoxd-valid' },
@@ -294,6 +316,206 @@ describe('ensureSlackAuth', () => {
     expect(setWorkspaceSpy).not.toHaveBeenCalled()
   })
 
+  it('falls back to other known domains when workspace_id has no domain mapping', async () => {
+    // given — workspace_id 'unknown' (extractor couldn't resolve team id); cookie is valid
+    // for the second candidate domain in root-state.json
+    extractSpy.mockResolvedValue([
+      { workspace_id: 'unknown', workspace_name: 'unknown', token: 'xoxc-stale', cookie: 'xoxd-valid' },
+    ])
+    getWorkspaceDomainsSpy.mockReturnValue({
+      T_OTHER_A: 'other-a',
+      T_OTHER_B: 'other-b',
+    })
+
+    fetchSpy.mockImplementation((url: string) => {
+      if (url.startsWith('https://other-a.slack.com/')) {
+        return Promise.resolve(new Response('<html>"api_token":"xoxc-fresh-a"</html>', { status: 200 }))
+      }
+      if (url.startsWith('https://other-b.slack.com/')) {
+        return Promise.resolve(new Response('<html>"api_token":"xoxc-fresh-b"</html>', { status: 200 }))
+      }
+      return Promise.resolve(new Response('', { status: 500 }))
+    })
+
+    authResponseByToken({
+      'xoxc-fresh-b': { team_id: 'T_OTHER_B', team: 'Other B' },
+    })
+
+    // when
+    await ensureSlackAuth()
+
+    // then — both candidate domains were tried; the workspace saves with the resolved team_id
+    expect(fetchSpy).toHaveBeenCalledWith(
+      'https://other-a.slack.com/ssb/redirect',
+      expect.objectContaining({ headers: { Cookie: 'd=xoxd-valid' } }),
+    )
+    expect(fetchSpy).toHaveBeenCalledWith(
+      'https://other-b.slack.com/ssb/redirect',
+      expect.objectContaining({ headers: { Cookie: 'd=xoxd-valid' } }),
+    )
+    expect(setWorkspaceSpy).toHaveBeenCalledWith(
+      expect.objectContaining({ workspace_id: 'T_OTHER_B', token: 'xoxc-fresh-b', workspace_name: 'Other B' }),
+    )
+  })
+
+  it('stops trying domains once a refresh+verify succeeds', async () => {
+    // given — exact-match domain succeeds on first attempt; the fallback domain must not be fetched
+    extractSpy.mockResolvedValue([
+      { workspace_id: 'T_TARGET', workspace_name: 'target', token: 'xoxc-stale', cookie: 'xoxd-valid' },
+    ])
+    getWorkspaceDomainsSpy.mockReturnValue({
+      T_TARGET: 'target-domain',
+      T_OTHER: 'other-domain',
+    })
+
+    fetchSpy.mockResolvedValue(new Response('<html>"api_token":"xoxc-fresh"</html>', { status: 200 }))
+
+    authResponseByToken({
+      'xoxc-fresh': { team_id: 'T_TARGET', team: 'Target' },
+    })
+
+    // when
+    await ensureSlackAuth()
+
+    // then — the exact-match domain is tried, fallback domain is not
+    expect(fetchSpy).toHaveBeenCalledWith(
+      'https://target-domain.slack.com/ssb/redirect',
+      expect.objectContaining({ headers: { Cookie: 'd=xoxd-valid' } }),
+    )
+    expect(fetchSpy).not.toHaveBeenCalledWith('https://other-domain.slack.com/ssb/redirect', expect.anything())
+  })
+
+  it('returns failure when no known domain validates the cookie', async () => {
+    // given — none of the domains in the map produce a valid token+cookie pair
+    extractSpy.mockResolvedValue([
+      { workspace_id: 'unknown', workspace_name: 'unknown', token: 'xoxc-stale', cookie: 'xoxd-valid' },
+    ])
+    getWorkspaceDomainsSpy.mockReturnValue({
+      T_A: 'a',
+      T_B: 'b',
+    })
+
+    fetchSpy.mockResolvedValue(new Response('<html>"api_token":"xoxc-fresh"</html>', { status: 200 }))
+    testAuthSpy.mockRejectedValue(new Error('invalid_auth'))
+
+    // when
+    await ensureSlackAuth()
+
+    // then — every candidate is tried, none save
+    expect(fetchSpy).toHaveBeenCalledWith('https://a.slack.com/ssb/redirect', expect.anything())
+    expect(fetchSpy).toHaveBeenCalledWith('https://b.slack.com/ssb/redirect', expect.anything())
+    expect(setWorkspaceSpy).not.toHaveBeenCalled()
+  })
+
+  it('skips domains with non-subdomain characters', async () => {
+    // given — a tampered root-state.json with a domain that contains a dot/slash/colon
+    extractSpy.mockResolvedValue([
+      { workspace_id: 'unknown', workspace_name: 'unknown', token: 'xoxc-stale', cookie: 'xoxd-valid' },
+    ])
+    getWorkspaceDomainsSpy.mockReturnValue({
+      T_EVIL: 'attacker.com#',
+      T_GOOD: 'good',
+    })
+
+    fetchSpy.mockResolvedValue(new Response('<html>"api_token":"xoxc-fresh"</html>', { status: 200 }))
+    authResponseByToken({ 'xoxc-fresh': { team_id: 'T_GOOD', team: 'Good' } })
+
+    // when
+    await ensureSlackAuth()
+
+    // then — the bad domain is never fetched; the good domain succeeds
+    expect(fetchSpy).not.toHaveBeenCalledWith(expect.stringContaining('attacker.com'), expect.anything())
+    expect(fetchSpy).toHaveBeenCalledWith('https://good.slack.com/ssb/redirect', expect.anything())
+    expect(setWorkspaceSpy).toHaveBeenCalledWith(expect.objectContaining({ workspace_id: 'T_GOOD' }))
+  })
+
+  it('rejects refresh result when testAuth returns empty team_id', async () => {
+    // given — the fresh token verifies but Slack returns no team_id
+    extractSpy.mockResolvedValue([
+      { workspace_id: 'unknown', workspace_name: 'unknown', token: 'xoxc-stale', cookie: 'xoxd-valid' },
+    ])
+    getWorkspaceDomainsSpy.mockReturnValue({ T_A: 'a' })
+    fetchSpy.mockResolvedValue(new Response('<html>"api_token":"xoxc-fresh"</html>', { status: 200 }))
+    testAuthSpy.mockResolvedValue({ user_id: 'U1', team_id: '', user: 'user', team: undefined })
+
+    // when
+    await ensureSlackAuth()
+
+    // then — nothing is saved despite successful refresh+login
+    expect(setWorkspaceSpy).not.toHaveBeenCalled()
+  })
+
+  it('does not resolve multiple unknown workspaces to the same team', async () => {
+    // given — two unknown tokens share a cookie that validates against the first candidate domain.
+    // Naive iteration would resolve both to T_A; the resolved-team-id tracker must prevent the
+    // second unknown from claiming an already-saved team.
+    extractSpy.mockResolvedValue([
+      { workspace_id: 'unknown', workspace_name: 'unknown', token: 'xoxc-stale-1', cookie: 'xoxd-valid' },
+      { workspace_id: 'unknown', workspace_name: 'unknown', token: 'xoxc-stale-2', cookie: 'xoxd-valid' },
+    ])
+    getWorkspaceDomainsSpy.mockReturnValue({ T_A: 'a', T_B: 'b' })
+
+    fetchSpy.mockImplementation((url: string) => {
+      if (url.startsWith('https://a.slack.com/')) {
+        return Promise.resolve(new Response('<html>"api_token":"xoxc-fresh-a"</html>', { status: 200 }))
+      }
+      if (url.startsWith('https://b.slack.com/')) {
+        return Promise.resolve(new Response('<html>"api_token":"xoxc-fresh-b"</html>', { status: 200 }))
+      }
+      return Promise.resolve(new Response('', { status: 500 }))
+    })
+    authResponseByToken({
+      'xoxc-fresh-a': { team_id: 'T_A', team: 'A' },
+      'xoxc-fresh-b': { team_id: 'T_B', team: 'B' },
+    })
+
+    // when
+    await ensureSlackAuth()
+
+    // then — T_A and T_B each saved exactly once
+    const savedIds = setWorkspaceSpy.mock.calls.map((c) => (c[0] as { workspace_id: string }).workspace_id)
+    expect(savedIds.sort()).toEqual(['T_A', 'T_B'])
+  })
+
+  it('caches refresh attempts per (cookie, domain) within one extraction', async () => {
+    // given — two unknown tokens with the same cookie; both will iterate the same domains
+    extractSpy.mockResolvedValue([
+      { workspace_id: 'unknown', workspace_name: 'unknown', token: 'xoxc-stale-1', cookie: 'xoxd-valid' },
+      { workspace_id: 'unknown', workspace_name: 'unknown', token: 'xoxc-stale-2', cookie: 'xoxd-valid' },
+    ])
+    getWorkspaceDomainsSpy.mockReturnValue({ T_A: 'a', T_B: 'b' })
+
+    fetchSpy.mockResolvedValue(new Response('', { status: 500 }))
+    testAuthSpy.mockRejectedValue(new Error('invalid_auth'))
+
+    // when
+    await ensureSlackAuth()
+
+    // then — each domain fetched at most once across both workspaces (2 total, not 4)
+    const refreshCalls = fetchSpy.mock.calls.filter((c) => String(c[0]).includes('/ssb/redirect'))
+    expect(refreshCalls.length).toBe(2)
+  })
+
+  it('caps domain attempts at MAX_DOMAIN_ATTEMPTS', async () => {
+    // given — 20 candidate domains; only the first 16 should be attempted
+    extractSpy.mockResolvedValue([
+      { workspace_id: 'unknown', workspace_name: 'unknown', token: 'xoxc-stale', cookie: 'xoxd-valid' },
+    ])
+    const manyDomains: Record<string, string> = {}
+    for (let i = 0; i < 20; i++) manyDomains[`T_${i}`] = `dom${i}`
+    getWorkspaceDomainsSpy.mockReturnValue(manyDomains)
+
+    fetchSpy.mockResolvedValue(new Response('', { status: 500 }))
+    testAuthSpy.mockRejectedValue(new Error('invalid_auth'))
+
+    // when
+    await ensureSlackAuth()
+
+    // then — exactly 16 refresh attempts
+    const refreshCalls = fetchSpy.mock.calls.filter((c) => String(c[0]).includes('/ssb/redirect'))
+    expect(refreshCalls.length).toBe(16)
+  })
+
   it('skips web refresh when workspace has no cookie', async () => {
     // given — cookie is empty
     extractSpy.mockResolvedValue([

package/src/platforms/slack/ensure-auth.ts

@@ -21,20 +21,29 @@ export async function ensureSlackAuth(): Promise<void> {
     const workspaces = await extractor.extract()
     const workspaceDomains = extractor.getWorkspaceDomains()
 
-    const validWorkspaces = []
+    const validWorkspaces: ExtractedWorkspace[] = []
+    const resolvedTeamIds = new Set<string>()
+    const refreshCache = new Map<string, RefreshResult | null>()
+
     for (const ws of workspaces) {
       try {
         const client = await new SlackClient().login({ token: ws.token, cookie: ws.cookie })
         const authInfo = await client.testAuth()
+        if (!authInfo.team_id) throw new Error('testAuth returned empty team_id')
         ws.workspace_id = authInfo.team_id
         ws.workspace_name = authInfo.team || ws.workspace_name
-        await credManager.setWorkspace(ws)
-        validWorkspaces.push(ws)
+        if (!resolvedTeamIds.has(ws.workspace_id)) {
+          resolvedTeamIds.add(ws.workspace_id)
+          await credManager.setWorkspace(ws)
+          validWorkspaces.push(ws)
+        }
       } catch {
-        const refreshed = await tryWebTokenRefresh(ws, workspaceDomains)
-        if (refreshed) {
+        const refreshed = await tryWebTokenRefresh(ws, workspaceDomains, { resolvedTeamIds, refreshCache })
+        if (refreshed && !resolvedTeamIds.has(refreshed.workspace_id)) {
           ws.token = refreshed.token
+          ws.workspace_id = refreshed.workspace_id
           ws.workspace_name = refreshed.workspace_name
+          resolvedTeamIds.add(ws.workspace_id)
           await credManager.setWorkspace(ws)
           validWorkspaces.push(ws)
         }
@@ -54,21 +63,81 @@ export async function ensureSlackAuth(): Promise<void> {
   }
 }
 
+// Bound worst-case HTTP traffic for users with very large root-state.json workspace lists.
+const MAX_DOMAIN_ATTEMPTS = 16
+
+// Slack workspace subdomains match `^[a-z][a-z0-9-]*$` per signup rules; validating here
+// prevents a tampered root-state.json from steering the cookie-bearing fetch to a non-Slack
+// host (e.g. a domain value containing `.`, `/`, `:`, `@`, `#`, or `?`).
+const SLACK_DOMAIN_REGEX = /^[a-zA-Z0-9][a-zA-Z0-9-]*$/
+
+export type RefreshResult = { token: string; workspace_id: string; workspace_name: string }
+
+export type RefreshContext = {
+  resolvedTeamIds?: Set<string>
+  refreshCache?: Map<string, RefreshResult | null>
+}
+
 export async function tryWebTokenRefresh(
   ws: ExtractedWorkspace,
   workspaceDomains: Record<string, string>,
-): Promise<{ token: string; workspace_name: string } | null> {
+  context: RefreshContext = {},
+): Promise<RefreshResult | null> {
   if (!ws.cookie) return null
-  const domain = workspaceDomains[ws.workspace_id]
-  if (!domain) return null
 
+  // Try the domain that maps to this workspace_id first (when known), then fall back to
+  // every other known domain. Slack tokens extracted from LevelDB blobs sometimes carry
+  // workspace_id="unknown" because the regex window around the xoxc- bytes does not
+  // contain the T... team id; in that case the cookie may still be valid for one of the
+  // other workspaces the user is signed into.
+  const candidates = orderCandidateDomains(ws.workspace_id, workspaceDomains)
+  if (candidates.length === 0) return null
+
+  for (const { domain } of candidates) {
+    if (!SLACK_DOMAIN_REGEX.test(domain)) continue
+
+    const cacheKey = `${ws.cookie}\u0000${domain}`
+    const cached = context.refreshCache?.get(cacheKey)
+    let result: RefreshResult | null
+    if (cached !== undefined) {
+      result = cached
+    } else {
+      result = await refreshAndVerify(ws.cookie, domain, ws.workspace_name)
+      context.refreshCache?.set(cacheKey, result)
+    }
+    if (!result) continue
+    if (context.resolvedTeamIds?.has(result.workspace_id)) continue
+    return result
+  }
+  return null
+}
+
+function orderCandidateDomains(
+  workspaceId: string,
+  workspaceDomains: Record<string, string>,
+): Array<{ workspace_id: string; domain: string }> {
+  const entries = Object.entries(workspaceDomains).map(([workspace_id, domain]) => ({ workspace_id, domain }))
+  const exact = entries.findIndex((e) => e.workspace_id === workspaceId)
+  if (exact > 0) {
+    const [match] = entries.splice(exact, 1)
+    entries.unshift(match)
+  }
+  return entries.slice(0, MAX_DOMAIN_ATTEMPTS)
+}
+
+async function refreshAndVerify(cookie: string, domain: string, fallbackName: string): Promise<RefreshResult | null> {
   try {
-    const freshToken = await refreshTokenFromWeb(domain, ws.cookie)
+    const freshToken = await refreshTokenFromWeb(domain, cookie)
     if (!freshToken) return null
 
-    const client = await new SlackClient().login({ token: freshToken, cookie: ws.cookie })
+    const client = await new SlackClient().login({ token: freshToken, cookie })
     const authInfo = await client.testAuth()
-    return { token: freshToken, workspace_name: authInfo.team || ws.workspace_name }
+    if (!authInfo.team_id) return null
+    return {
+      token: freshToken,
+      workspace_id: authInfo.team_id,
+      workspace_name: authInfo.team || fallbackName,
+    }
   } catch {
     return null
   }