agent-messenger 2.23.5 → 2.24.0

package/src/platforms/slack/commands/auth.ts

@@ -9,6 +9,7 @@ import { debug } from '@/shared/utils/stderr'
 import { SlackClient, SlackError } from '../client'
 import { CredentialManager } from '../credential-manager'
 import { refreshCookie, tryWebTokenRefresh } from '../ensure-auth'
+import { loginWithQr } from '../qr-http-login'
 import { type ExtractedWorkspace, TokenExtractor } from '../token-extractor'
 
 export function formatCredentialDebug(ws: ExtractedWorkspace, showSecrets?: boolean): string {
@@ -230,6 +231,70 @@ async function statusAction(options: { pretty?: boolean }): Promise<void> {
   }
 }
 
+async function qrAction(imageArg: string | undefined, options: { pretty?: boolean; debug?: boolean }): Promise<void> {
+  try {
+    const dataUrl = imageArg ?? (await readStdin())
+    if (!dataUrl) {
+      console.log(
+        formatOutput(
+          {
+            error: 'No QR image provided. Pass the copied QR image data URL as an argument, or pipe it via stdin.',
+            hint: 'In Slack: your name (top-left) → "Sign in on mobile" → right-click the QR → Copy Image Address.',
+          },
+          options.pretty,
+        ),
+      )
+      process.exit(1)
+    }
+
+    const debugLog = options.debug ? (msg: string) => debug(`[debug] ${msg}`) : undefined
+    const session = await loginWithQr(dataUrl, { debug: debugLog })
+
+    const client = await new SlackClient().login({ token: session.token, cookie: session.cookie })
+    const authInfo = await client.testAuth()
+
+    const credManager = new CredentialManager()
+    const workspace: ExtractedWorkspace = {
+      workspace_id: authInfo.team_id,
+      workspace_name: authInfo.team || session.workspace,
+      token: session.token,
+      cookie: session.cookie,
+    }
+    await credManager.setWorkspace(workspace)
+
+    const config = await credManager.load()
+    if (!config.current_workspace) {
+      await credManager.setCurrentWorkspace(workspace.workspace_id)
+    }
+
+    console.log(
+      formatOutput(
+        {
+          workspace: `${workspace.workspace_id}/${workspace.workspace_name}`,
+          user: authInfo.user,
+          current: (await credManager.load()).current_workspace,
+        },
+        options.pretty,
+      ),
+    )
+  } catch (error) {
+    handleError(error as Error)
+  }
+}
+
+function readStdin(): Promise<string> {
+  if (process.stdin.isTTY) return Promise.resolve('')
+  return new Promise((resolve) => {
+    let data = ''
+    process.stdin.setEncoding('utf8')
+    process.stdin.on('data', (chunk) => {
+      data += chunk
+    })
+    process.stdin.on('end', () => resolve(data))
+    process.stdin.on('error', () => resolve(data))
+  })
+}
+
 export function getExtractionErrorMessage(failureReasons: string[]): string {
   if (failureReasons.includes('missing_cookie')) {
     return 'Cookie extraction failed. Grant Keychain access when prompted, and make sure you are signed into Slack in the desktop app or a supported Chromium browser.'
@@ -260,6 +325,14 @@ export const authCommand = new Command('auth')
       .option('--unsafely-show-secrets', 'Show full token and cookie values in debug output')
       .action((options: BrowserProfileOption & Parameters<typeof extractAction>[0]) => extractAction(options)),
   )
+  .addCommand(
+    new Command('qr')
+      .description('Sign in by pasting a QR code from Slack\u2019s "Sign in on mobile" screen')
+      .argument('[image]', 'QR image data URL (data:image/png;base64,...); read from stdin if omitted')
+      .option('--pretty', 'Pretty print JSON output')
+      .option('--debug', 'Show debug output for troubleshooting')
+      .action(qrAction),
+  )
   .addCommand(
     new Command('logout')
       .description('Logout from workspace')

package/src/platforms/slack/ensure-auth.ts

@@ -145,9 +145,13 @@ async function refreshAndVerify(cookie: string, domain: string, fallbackName: st
 
 const TOKEN_REGEX = /"api_token":"(xoxc-[a-zA-Z0-9-]+)"/
 
-export async function refreshTokenFromWeb(domain: string, cookie: string): Promise<string | null> {
+export async function refreshTokenFromWeb(
+  domain: string,
+  cookie: string,
+  fetchImpl: typeof fetch = fetch,
+): Promise<string | null> {
   try {
-    const response = await fetch(`https://${domain}.slack.com/ssb/redirect`, {
+    const response = await fetchImpl(`https://${domain}.slack.com/ssb/redirect`, {
       headers: { Cookie: `d=${cookie}` },
       redirect: 'follow',
     })

package/src/platforms/slack/index.test.ts

@@ -12,6 +12,8 @@ import {
   SlackUserSchema,
   WorkspaceCredentialsSchema,
   ConfigSchema,
+  decodeSlackQr,
+  loginWithQr,
 } from '@/platforms/slack/index'
 
 it('SlackClient is exported from barrel', () => {
@@ -57,3 +59,11 @@ it('WorkspaceCredentialsSchema is exported from barrel', () => {
 it('ConfigSchema is exported from barrel', () => {
   expect(typeof ConfigSchema.parse).toBe('function')
 })
+
+it('loginWithQr is exported from barrel', () => {
+  expect(typeof loginWithQr).toBe('function')
+})
+
+it('decodeSlackQr is exported from barrel', () => {
+  expect(typeof decodeSlackQr).toBe('function')
+})

package/src/platforms/slack/index.ts

@@ -1,6 +1,10 @@
 export { SlackClient, SlackError } from './client'
 export { SlackCredentialManager, CredentialManager } from './credential-manager'
 export { SlackListener } from './listener'
+export { loginWithQr } from './qr-http-login'
+export type { QrLoginOptions, QrSession } from './qr-http-login'
+export { decodeSlackQr } from './qr-login'
+export type { SlackQrLogin } from './qr-login'
 export type {
   SlackBookmark,
   SlackChannel,

package/src/platforms/slack/qr-http-login.test.ts

@@ -0,0 +1,157 @@
+import { afterEach, describe, expect, it } from 'bun:test'
+
+import QRCode from 'qrcode'
+
+import { SlackError } from '@/platforms/slack/client'
+import { isSlackHost, loginWithQr, parseDCookie } from '@/platforms/slack/qr-http-login'
+
+const WORKSPACE = 'acme'
+const ZAPP_URL = `https://app.slack.com/t/${WORKSPACE}/login/z-app-1-2-abcdef?src=qr_code&user_id=U1&team_id=T1`
+const D_COOKIE = 'xoxd-abc%2Bdef123'
+const TOKEN = `xoxc-1-2-3-${'a'.repeat(64)}`
+
+async function qrDataUrl(text: string): Promise<string> {
+  return QRCode.toDataURL(text, { margin: 2, width: 256 })
+}
+
+function redirect(location: string, setCookie?: string): Response {
+  const headers = new Headers({ location })
+  if (setCookie) headers.append('set-cookie', setCookie)
+  return new Response(null, { status: 302, headers })
+}
+
+const originalFetch = globalThis.fetch
+
+afterEach(() => {
+  globalThis.fetch = originalFetch
+})
+
+describe('parseDCookie', () => {
+  it('extracts the d cookie value from a Set-Cookie header', () => {
+    expect(parseDCookie(`d=${D_COOKIE}; Path=/; HttpOnly; Secure`)).toBe(D_COOKIE)
+  })
+
+  it('ignores a non-d cookie', () => {
+    expect(parseDCookie('x=somevalue; Path=/')).toBeNull()
+  })
+
+  it('ignores a d cookie that is not an xoxd value', () => {
+    expect(parseDCookie('d=plainvalue; Path=/')).toBeNull()
+  })
+})
+
+describe('isSlackHost', () => {
+  it('accepts slack.com and its subdomains over https', () => {
+    expect(isSlackHost('https://slack.com/checkcookie')).toBe(true)
+    expect(isSlackHost('https://app.slack.com/t/acme/login/z-app-1')).toBe(true)
+    expect(isSlackHost('https://acme.slack.com/ssb/redirect')).toBe(true)
+  })
+
+  it('rejects non-Slack hosts, http, and lookalikes', () => {
+    expect(isSlackHost('https://idp.example.com/saml')).toBe(false)
+    expect(isSlackHost('http://app.slack.com/x')).toBe(false)
+    expect(isSlackHost('https://slack.com.evil.com/x')).toBe(false)
+    expect(isSlackHost('not a url')).toBe(false)
+  })
+})
+
+describe('loginWithQr', () => {
+  it('captures cookie and mints a token through a single injected fetch', async () => {
+    // Given a QR encoding the z-app login URL
+    const dataUrl = await qrDataUrl(ZAPP_URL)
+
+    // And a single fetchImpl serving both the redirect chain and the token page
+    // (no globalThis.fetch monkeypatching)
+    const fetchImpl = (async (input: string | URL) => {
+      const url = typeof input === 'string' ? input : input.toString()
+      if (url.startsWith('https://app.slack.com/t/')) {
+        return redirect(`https://${WORKSPACE}.slack.com/app-redir/login/x`)
+      }
+      if (url.includes('/app-redir/login/')) {
+        return redirect(`https://${WORKSPACE}.slack.com/z-app-secret`, `d=${D_COOKIE}; HttpOnly`)
+      }
+      if (url.includes('/z-app-secret')) {
+        return redirect('https://slack.com/checkcookie?redir=x')
+      }
+      if (url.includes('/checkcookie')) {
+        return new Response(null, { status: 200 })
+      }
+      if (url.includes('/ssb/redirect')) {
+        return new Response(`<script>var boot_data={"api_token":"${TOKEN}"}</script>`, { status: 200 })
+      }
+      throw new Error(`unexpected fetch: ${url}`)
+    }) as typeof fetch
+
+    // When logging in with only fetchImpl
+    const session = await loginWithQr(dataUrl, { fetchImpl })
+
+    // Then the cookie, token, and workspace are returned
+    expect(session.cookie).toBe(D_COOKIE)
+    expect(session.token).toBe(TOKEN)
+    expect(session.workspace).toBe(WORKSPACE)
+  })
+
+  it('never sends the d cookie to a non-Slack redirect target', async () => {
+    // Given a chain that sets the d cookie, then redirects off-domain to an IdP
+    const dataUrl = await qrDataUrl(ZAPP_URL)
+    const requests: Array<{ url: string; cookie: string | null }> = []
+
+    const fetchImpl = (async (input: string | URL, init?: RequestInit) => {
+      const url = typeof input === 'string' ? input : input.toString()
+      const headers = new Headers(init?.headers)
+      requests.push({ url, cookie: headers.get('cookie') })
+
+      if (url.startsWith('https://app.slack.com/t/')) {
+        return redirect(`https://${WORKSPACE}.slack.com/z-app-secret`, `d=${D_COOKIE}; HttpOnly`)
+      }
+      if (url.includes('/z-app-secret')) {
+        return redirect('https://idp.example.com/saml/login')
+      }
+      throw new Error(`d cookie leaked to non-Slack host: ${url}`)
+    }) as typeof fetch
+
+    // When logging in, the off-domain redirect is refused (so no token is minted)
+    await expect(loginWithQr(dataUrl, { fetchImpl })).rejects.toThrow(/expired|client token/)
+
+    // Then the IdP host was never requested at all
+    expect(requests.some((r) => r.url.includes('idp.example.com'))).toBe(false)
+    // And no request ever carried the d session cookie to a non-Slack host
+    for (const r of requests) {
+      if (r.cookie?.includes('xoxd-')) {
+        expect(isSlackHost(r.url)).toBe(true)
+      }
+    }
+  })
+
+  it('fails with qr_session_failed when no d cookie is set', async () => {
+    const dataUrl = await qrDataUrl(ZAPP_URL)
+    const stepAFetch = (async () => new Response(null, { status: 200 })) as typeof fetch
+
+    const promise = loginWithQr(dataUrl, { fetchImpl: stepAFetch })
+    await expect(promise).rejects.toThrow(SlackError)
+    await expect(promise).rejects.toThrow(/expired/)
+  })
+
+  it('fails with qr_token_failed when the token cannot be retrieved', async () => {
+    const dataUrl = await qrDataUrl(ZAPP_URL)
+
+    globalThis.fetch = (async () => new Response('<html>no token here</html>', { status: 200 })) as typeof fetch
+    const stepAFetch = (async (input: string | URL) => {
+      const url = typeof input === 'string' ? input : input.toString()
+      if (url.startsWith('https://app.slack.com/t/')) {
+        return redirect(`https://${WORKSPACE}.slack.com/end`, `d=${D_COOKIE}; HttpOnly`)
+      }
+      return new Response(null, { status: 200 })
+    }) as typeof fetch
+
+    const promise = loginWithQr(dataUrl, { fetchImpl: stepAFetch })
+    await expect(promise).rejects.toThrow(/client token could not be retrieved/)
+  })
+
+  it('rejects a QR that is not a Slack login link', async () => {
+    const dataUrl = await qrDataUrl('https://example.com/not-slack')
+    await expect(loginWithQr(dataUrl, { fetchImpl: (async () => new Response()) as typeof fetch })).rejects.toThrow(
+      SlackError,
+    )
+  })
+})

package/src/platforms/slack/qr-http-login.ts

@@ -0,0 +1,120 @@
+import { SlackError } from './client'
+import { refreshTokenFromWeb } from './ensure-auth'
+import { decodeSlackQr } from './qr-login'
+
+export interface QrSession {
+  token: string
+  cookie: string
+  workspace: string
+}
+
+export interface QrLoginOptions {
+  fetchImpl?: typeof fetch
+  maxRedirects?: number
+  debug?: (message: string) => void
+}
+
+const BROWSER_USER_AGENT =
+  'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36'
+const DEFAULT_MAX_REDIRECTS = 10
+
+export async function loginWithQr(dataUrl: string, options: QrLoginOptions = {}): Promise<QrSession> {
+  const login = decodeSlackQr(dataUrl.trim())
+  const debug = options.debug
+  debug?.(`Decoded QR for workspace ${login.workspace}`)
+
+  const cookie = await captureDCookie(login.url, options)
+  if (!cookie) {
+    throw new SlackError(
+      'Could not establish a Slack session from the QR code. The link may have expired — generate a new QR code and try again.',
+      'qr_session_failed',
+    )
+  }
+  debug?.('Captured session cookie')
+
+  const token = await refreshTokenFromWeb(login.workspace, cookie, options.fetchImpl ?? fetch)
+  if (!token) {
+    throw new SlackError(
+      'Slack session was established but the client token could not be retrieved.',
+      'qr_token_failed',
+    )
+  }
+  debug?.('Retrieved client token')
+
+  return { token, cookie, workspace: login.workspace }
+}
+
+async function captureDCookie(startUrl: string, options: QrLoginOptions): Promise<string | null> {
+  const doFetch = options.fetchImpl ?? fetch
+  const maxRedirects = options.maxRedirects ?? DEFAULT_MAX_REDIRECTS
+  const debug = options.debug
+
+  let url = startUrl
+  let dCookie: string | null = null
+  const cookieJar: string[] = []
+
+  for (let hop = 0; hop < maxRedirects; hop++) {
+    // Only ever send captured cookies (including the d session cookie) to Slack
+    // hosts. A redirect to an off-domain host (e.g. an SSO IdP) must never
+    // receive the d=xoxd- session cookie.
+    if (!isSlackHost(url)) {
+      debug?.(`hop ${hop}: refusing non-Slack host`)
+      break
+    }
+
+    const response = await doFetch(url, {
+      redirect: 'manual',
+      headers: {
+        'User-Agent': BROWSER_USER_AGENT,
+        Accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+        'Accept-Language': 'en-US,en;q=0.9',
+        ...(cookieJar.length ? { Cookie: cookieJar.join('; ') } : {}),
+      },
+    })
+
+    for (const setCookie of getSetCookies(response)) {
+      const value = parseDCookie(setCookie)
+      if (value) dCookie = value
+      const pair = setCookie.split(';')[0]?.trim()
+      if (pair) cookieJar.push(pair)
+    }
+
+    debug?.(`hop ${hop}: ${response.status}`)
+
+    const location = response.status >= 300 && response.status < 400 ? response.headers.get('location') : null
+    if (!location) break
+
+    const next = new URL(location, url).toString()
+    if (!isSlackHost(next)) {
+      debug?.(`hop ${hop}: redirect target is not a Slack host, stopping`)
+      break
+    }
+    url = next
+  }
+
+  return dCookie
+}
+
+export function isSlackHost(rawUrl: string): boolean {
+  try {
+    const { protocol, hostname } = new URL(rawUrl)
+    if (protocol !== 'https:') return false
+    return hostname === 'slack.com' || hostname.endsWith('.slack.com')
+  } catch {
+    return false
+  }
+}
+
+export function parseDCookie(setCookieHeader: string): string | null {
+  const match = setCookieHeader.match(/(?:^|,\s*)d=(xoxd-[^;]+)/)
+  return match ? match[1] : null
+}
+
+function getSetCookies(response: Response): string[] {
+  const withGetter = response.headers as Headers & { getSetCookie?: () => string[] }
+  if (typeof withGetter.getSetCookie === 'function') {
+    return withGetter.getSetCookie()
+  }
+  const single = response.headers.get('set-cookie')
+  return single ? [single] : []
+}

package/src/platforms/slack/qr-login.test.ts

@@ -0,0 +1,103 @@
+import { describe, expect, it } from 'bun:test'
+
+import QRCode from 'qrcode'
+
+import { SlackError } from '@/platforms/slack/client'
+import { decodeQrImage, decodeSlackQr, parseSlackQrUrl } from '@/platforms/slack/qr-login'
+
+const VALID_QR_URL =
+  'https://app.slack.com/t/acme/login/z-app-1234567890-1234567890-abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcd?src=qr_code&user_id=U0123456789&team_id=T0123456789'
+
+async function qrDataUrl(text: string): Promise<string> {
+  return QRCode.toDataURL(text, { margin: 2, width: 256 })
+}
+
+describe('parseSlackQrUrl', () => {
+  it('extracts workspace, team_id, and user_id from a valid Slack QR URL', () => {
+    // Given a real-shaped Slack mobile sign-in URL
+    // When parsed
+    const result = parseSlackQrUrl(VALID_QR_URL)
+
+    // Then the identifying fields are extracted
+    expect(result.workspace).toBe('acme')
+    expect(result.teamId).toBe('T0123456789')
+    expect(result.userId).toBe('U0123456789')
+    expect(result.url).toBe(VALID_QR_URL)
+  })
+
+  it('allows missing optional query params', () => {
+    const url = 'https://app.slack.com/t/acme/login/z-app-1-2-abc'
+    const result = parseSlackQrUrl(url)
+
+    expect(result.workspace).toBe('acme')
+    expect(result.teamId).toBeNull()
+    expect(result.userId).toBeNull()
+  })
+
+  it('rejects a non-URL string', () => {
+    expect(() => parseSlackQrUrl('not a url')).toThrow(SlackError)
+  })
+
+  it('rejects a non-Slack host', () => {
+    expect(() => parseSlackQrUrl('https://evil.example.com/t/x/login/z-app-1')).toThrow(/not a Slack sign-in link/)
+  })
+
+  it('rejects http (non-https) URLs', () => {
+    expect(() => parseSlackQrUrl('http://app.slack.com/t/x/login/z-app-1')).toThrow(SlackError)
+  })
+
+  it('rejects a Slack URL that is not a mobile sign-in link', () => {
+    expect(() => parseSlackQrUrl('https://app.slack.com/client/T0123456789/C123')).toThrow(
+      /not a Slack mobile sign-in link/,
+    )
+  })
+
+  it('rejects a sign-in link with an unparseable workspace', () => {
+    expect(() => parseSlackQrUrl('https://app.slack.com/login/z-app-1')).toThrow(/determine the workspace/)
+  })
+})
+
+describe('decodeQrImage', () => {
+  it('reads the encoded URL back from a generated QR PNG', async () => {
+    // Given a QR PNG encoding the Slack URL
+    const dataUrl = await qrDataUrl(VALID_QR_URL)
+
+    // When decoded
+    const decoded = decodeQrImage(dataUrl)
+
+    // Then the original URL is recovered
+    expect(decoded).toBe(VALID_QR_URL)
+  })
+
+  it('rejects a data URL without the PNG header', () => {
+    expect(() => decodeQrImage('data:image/jpeg;base64,AAAA')).toThrow(/PNG data URL/)
+  })
+
+  it('rejects a PNG header with no data', () => {
+    expect(() => decodeQrImage('data:image/png;base64,')).toThrow(/no image data/)
+  })
+
+  it('rejects a PNG header with non-PNG payload', () => {
+    expect(() => decodeQrImage('data:image/png;base64,Zm9vYmFy')).toThrow(/valid PNG/)
+  })
+})
+
+describe('decodeSlackQr', () => {
+  it('decodes a QR PNG and parses the Slack login URL end to end', async () => {
+    // Given a QR PNG encoding a valid Slack sign-in URL
+    const dataUrl = await qrDataUrl(VALID_QR_URL)
+
+    // When decoded end to end
+    const result = decodeSlackQr(dataUrl)
+
+    // Then both decode and parse succeed
+    expect(result.workspace).toBe('acme')
+    expect(result.teamId).toBe('T0123456789')
+  })
+
+  it('decodes the QR but rejects a non-Slack URL', async () => {
+    const dataUrl = await qrDataUrl('https://example.com/whatever')
+
+    expect(() => decodeSlackQr(dataUrl)).toThrow(SlackError)
+  })
+})

package/src/platforms/slack/qr-login.ts

@@ -0,0 +1,90 @@
+import jsQR from 'jsqr'
+import { PNG } from 'pngjs'
+
+import { SlackError } from './client'
+
+const PNG_DATA_URL_PREFIX = 'data:image/png;base64,'
+
+// Slack's "Sign in on Mobile" QR encodes a login URL of the form:
+//   https://app.slack.com/t/<workspace>/login/z-app-<app_id>-<secret>?src=qr_code&user_id=...&team_id=...
+// The `z-app-` segment is the single-use cross-device auth secret; `src=qr_code` marks the source.
+const SLACK_QR_HOST = 'app.slack.com'
+const SLACK_QR_PATH_SEGMENT = '/login/z-app-'
+
+export interface SlackQrLogin {
+  url: string
+  workspace: string
+  teamId: string | null
+  userId: string | null
+}
+
+export function decodeQrImage(dataUrl: string): string {
+  const png = decodePngDataUrl(dataUrl)
+  const result = jsQR(new Uint8ClampedArray(png.data), png.width, png.height)
+  if (!result) {
+    throw new SlackError('Could not read a QR code from the image.', 'qr_unreadable')
+  }
+  return result.data
+}
+
+export function parseSlackQrUrl(raw: string): SlackQrLogin {
+  let parsed: URL
+  try {
+    parsed = new URL(raw)
+  } catch {
+    throw new SlackError('QR code does not contain a valid URL.', 'qr_invalid_url')
+  }
+
+  if (parsed.protocol !== 'https:' || parsed.hostname !== SLACK_QR_HOST) {
+    throw new SlackError(`QR code is not a Slack sign-in link (expected https://${SLACK_QR_HOST}).`, 'qr_not_slack')
+  }
+
+  if (!parsed.pathname.includes(SLACK_QR_PATH_SEGMENT)) {
+    throw new SlackError('QR code is not a Slack mobile sign-in link.', 'qr_not_signin')
+  }
+
+  const workspace = extractWorkspace(parsed.pathname)
+  if (!workspace) {
+    throw new SlackError('Could not determine the workspace from the QR code.', 'qr_no_workspace')
+  }
+
+  return {
+    url: parsed.toString(),
+    workspace,
+    teamId: parsed.searchParams.get('team_id'),
+    userId: parsed.searchParams.get('user_id'),
+  }
+}
+
+export function decodeSlackQr(dataUrl: string): SlackQrLogin {
+  return parseSlackQrUrl(decodeQrImage(dataUrl))
+}
+
+function extractWorkspace(pathname: string): string | null {
+  const match = pathname.match(/^\/t\/([^/]+)\/login\/z-app-/)
+  return match ? match[1] : null
+}
+
+function decodePngDataUrl(dataUrl: string): PNG {
+  if (!dataUrl.startsWith(PNG_DATA_URL_PREFIX)) {
+    throw new SlackError(`Expected a PNG data URL starting with "${PNG_DATA_URL_PREFIX}".`, 'qr_invalid_header')
+  }
+
+  const base64 = dataUrl.slice(PNG_DATA_URL_PREFIX.length)
+  if (!base64) {
+    throw new SlackError('QR data URL contains no image data.', 'qr_no_data')
+  }
+
+  let buffer: Buffer
+  try {
+    buffer = Buffer.from(base64, 'base64')
+  } catch {
+    throw new SlackError('QR data URL is not valid base64.', 'qr_invalid_base64')
+  }
+
+  try {
+    return PNG.sync.read(buffer)
+  } catch {
+    throw new SlackError('QR data URL is not a valid PNG image.', 'qr_invalid_png')
+  }
+}