
I am building an app for Slack with an attached web interface/team dashboard. Built in node, I'm struggling to get Slack auth and client auth into one fluid motion.

I'm using passport.js for auth, with Slack Strategy to authenticate users for using the app within Slack (using a Sign in with Slack button). This Slack auth's callback contains all of the user information I'd need, so I want to use this to also authenticate the user to access their team's dashboard in the web client. This is where JWT comes into play.

It's my first time working with JWT auth but theoretically, it makes sense that there would be a way to use passport's JWT strategy to authenticate for the client.

Here is the code for the passport Slack strategy that works fine:

const express = require('express')
const passport = require('passport')
// SlackStrategy comes from the passport-slack package in use (its verify
// callback has the six-argument signature below); Team and User are the
// app's own models.
const app = express()

passport.use(
  new SlackStrategy(
    {
      clientID: process.env.SLACK_CLIENT_ID,
      clientSecret: process.env.SLACK_CLIENT_SECRET,
      scope: [
        'identity.basic',
        'identity.avatar',
        'identity.email',
        'identity.team',
        'users.list',
        'chat:write:bot',
      ],
      skipUserProfile: false,
    },
    (accessToken, scopes, team, extra, profiles, done) => {
      if (extra.bot != null) {
        // App install flow: a bot token is present, so store the team
        Team.postTeamOnInstall(team, extra.bot.accessToken)
      } else {
        // Sign in with Slack flow: store/update the user
        User.postUser(accessToken, profiles)
      }
      // Whatever is passed here becomes req.user in the callback route;
      // with {} the route has nothing to identify the user by
      done(null, {})
    }
  )
)

// Starts the Slack OAuth dance
app.get(
  '/auth/slack',
  passport.authenticate('slack', {
    scope: ['bot'],
  })
)

// Slack redirects here; no server session is created (session: false)
app.get(
  '/auth/slack/callback',
  passport.authenticate('slack', { session: false }),
  (req, res) => {
    // what if called JWT authentication here? that then redirects to the team dashboard
    res.redirect(`http://${process.env.BASE_URL}`)
  },
  // Four-argument handler: Express treats it as the error handler for this route
  (err, req, res, next) => {
    res
      .status(500)
      .send(`<p>Think Fish failed to install</p> <pre>${err}</pre>`)
  }
)

Now I've followed a basic tutorial for the JWT strategy. So my code on that side of things looks identical to that. I really just want to know:

1) Has anybody done this or something similar? Am I thinking about this the right way? Is this possible?

2) If so, how do the Slack Strategy and the JWT Strategy talk to each other to get a user authenticated for Slack and the client in one fluid motion (Sign in with Slack button)?

I could also be over-engineering this, and instead just need some sort of way for a secure route to check if the user is logged into Slack already?

  • I'm not clear what you mean "authenticated for Slack and client in one fluid motion". What it sounds like you want to do is login with Slack Oauth and then use the JWT to maintain session, am I reading you right? – Paul Oct 02 '18 at 10:13
  • Afaik Slack does not support JWT directly, so as Paul suggested you need to first handle the sign-in to Slack with standard Oauth and then based on the result you can create your JWT to maintain the session. – Erik Kalkoken Oct 02 '18 at 10:35
  • @ErikKalkoken - yup that's exactly what I'm trying to do! Just unsure how to do it, I know it's going to involve JWT to maintain session and some routing. At the moment, a user can see all objects on the dashboard (from all teams), what I need is for the user to only see the info related to their user's specific team. But also was thinking whether I'd need to go with sessions or whether it can all be RESTful? – Eli Johnston Oct 04 '18 at 06:31
  • The classic approach is to maintain the user authentication after login in a server session. You can do that with node.js too. As I understand JWT is an alternative approach that allows you to maintain the user authentication without needing server sessions. However, as this answer points out there is no real advantage of using JWT over sessions: https://stackoverflow.com/questions/43452896/authentication-jwt-usage-vs-session So you might be better off by just using a classic server session. – Erik Kalkoken Oct 04 '18 at 09:00

0 Answers