-
Notifications
You must be signed in to change notification settings - Fork 378
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fixed oauth custom expressReceiver bugs #503
Conversation
Thanks @marks for reporting these to me! |
&& this.receiver instanceof ExpressReceiver | ||
) { | ||
usingBuiltinOauth = true; | ||
let usingOauth = false; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i think this is a great idea! it might be helpful at some later point to document what the requirements are for a custom receiver that intends to offer installation support. right now, i think the expectation is "the receiver must have an InstallationProvider
instance at the property named .installer
", which is good. but it might be worth generalizing even more.
) { | ||
usingBuiltinOauth = true; | ||
let usingOauth = false; | ||
if ((this.receiver as ExpressReceiver).installer !== undefined |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just trying to play out a scenario in my head: let's say someone passes in a custom receiver that happens to have some property called installer
, which also has some property called authorize
that has nothing to do with installation support in the way that we describe, what happens?
are we intentionally leaving the implementation of those properties open to developers that bring their own custom receiver? or, do we expect those developers to use our specific InstallationProvider
class (which has no dependencies on any framework, since it only uses node's req
and res
)? if the latter is true, then could we settle for a more strict check, maybe typeof this.receiver.installer === 'InstallProvider'
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah I was worried that people could 'fake' their way through these checks. Tying it to actually use InstallProvider
is a good way to ensure it is using the OAuth library and functions we expect under the hood.
I guess the question here is are we okay with folks implementing OAuth without our OAuth package?
I'm going to merge this in for now but I think it is worth discussing.
Summary
When declaring a custom
ExpressReceiver
, OAuth should still be handled correctly if it exists.This fixes two bugs:
Firstly, the following code was successfully getting through our if statement check to see if the Oauth installer exists on the receiver. Which in this case it would not as
clientID
,clientSecret
andstateSecret
aren't being passed toExpressReceiver
Second bug is that we weren't properly supporting an extended
ExpressReceiver
. The following code was failing in the same If statement. In this case, it was failing becauseclientId
,clientSecret
andstateSecret
were all undefined in App since they were passed directly toExpressReceiver
.This PR fixes both cases above and theoretically should allow any custom receivers to implement their own OAuth if they follow the OAuth interface exposed in
ExpressReceiver
.Requirements (place an
x
in each[ ]
)