What type of issue is this? (place an x in one of the [ ])

Requirements (place an x in each of the [ ])
- I've read and understood the Contributing guidelines and have done my best effort to follow them.
- I've read and agree to the Code of Conduct.
- I've searched for any related issues and avoided creating a duplicate issue.

Filling out the following details about bugs will help us solve your issue sooner.

OS version(s): Google Firebase

Steps to reproduce:
1. Build a bolt app like so but use Firebase as installation store.
2. Deploy the same app to Firebase using Firebase Hosting.

Expected result:
If you use the browser version of Slack, click this link instead.

Installation flow fails with slack_oauth_invalid_state and a debug log:
OAuth:InstallProvider:0 Error: The state parameter is not for this browser session.
Please try again or contact the app owner (reason: slack_oauth_invalid_state)

Logs, screenshots, screencast, sample project, funny gif
My code is pretty much like this by but using Firestore as database (again, everything works perfectly fine with ngrok). the state verification solved the problem.

First off, the ideal solution is identifying the cause of your situation with Firebase and keeping the state verification on. Generally speaking, I don't recommend disabling it. With that being said, if you think the risk is acceptable for your app after going through this reply, it's your decision.

The security risk is not specific to Slack's OAuth flow. It is a general CSRF attack risk for your end users who install your app.

Proper use of state parameter for the OAuth CSRF protection node-slack-sdk#1435

As mentioned in the above resources, when an attacker navigates your end user to a redirect URL with the attacker's auth code parameter and a valid state, your end user may complete their OAuth flow with an unexpected association. So, verifying the state through the end-to-end OAuth flow is a highly recommended security measure for apps providing OAuth flows. That's why our SDKs enable the verification by default.

As long as you are aware of the risk with the lack of state parameter, you can go ahead with disabling it.