Add user-owned IM channel connections

backend/app/channels/providers/slack_connect.py

@@ -0,0 +1,110 @@
+"""Slack OAuth and Events helpers for user-owned channel connections."""
+
+from __future__ import annotations
+
+import hashlib
+import hmac
+import time
+from dataclasses import dataclass
+from typing import Any
+
+import httpx
+
+SLACK_OAUTH_ACCESS_URL = "https://slack.com/api/oauth.v2.access"
+SLACK_SIGNATURE_VERSION = "v0"
+SLACK_SIGNATURE_TOLERANCE_SECONDS = 60 * 5
+
+
+class SlackConnectError(RuntimeError):
+    """Raised when Slack OAuth or request verification fails."""
+
+
+@dataclass(frozen=True)
+class SlackInstall:
+    team_id: str
+    team_name: str | None
+    authed_user_id: str
+    bot_user_id: str | None
+    bot_access_token: str
+    scopes: list[str]
+    raw: dict[str, Any]
+
+
+def verify_slack_signature(
+    *,
+    signing_secret: str,
+    timestamp: str | None,
+    body: bytes,
+    signature: str | None,
+    now: int | None = None,
+) -> bool:
+    if not signing_secret or not timestamp or not signature:
+        return False
+
+    try:
+        timestamp_int = int(timestamp)
+    except (TypeError, ValueError):
+        return False
+
+    current_time = int(time.time()) if now is None else now
+    if abs(current_time - timestamp_int) > SLACK_SIGNATURE_TOLERANCE_SECONDS:
+        return False
+
+    base = f"{SLACK_SIGNATURE_VERSION}:{timestamp}:".encode() + body
+    digest = hmac.new(signing_secret.encode("utf-8"), base, hashlib.sha256).hexdigest()
+    expected = f"{SLACK_SIGNATURE_VERSION}={digest}"
+    return hmac.compare_digest(expected, signature)
+
+
+def _split_scopes(value: str | None) -> list[str]:
+    if not value:
+        return []
+    return [scope.strip() for scope in value.split(",") if scope.strip()]
+
+
+async def exchange_slack_oauth_code(
+    *,
+    client_id: str,
+    client_secret: str,
+    code: str,
+    redirect_uri: str,
+    http_client: httpx.AsyncClient | None = None,
+) -> SlackInstall:
+    async def _post(client: httpx.AsyncClient) -> dict[str, Any]:
+        response = await client.post(
+            SLACK_OAUTH_ACCESS_URL,
+            data={
+                "client_id": client_id,
+                "client_secret": client_secret,
+                "code": code,
+                "redirect_uri": redirect_uri,
+            },
+            timeout=10,
+        )
+        response.raise_for_status()
+        return response.json()
+
+    if http_client is None:
+        async with httpx.AsyncClient() as client:
+            payload = await _post(client)
+    else:
+        payload = await _post(http_client)
+
+    if not payload.get("ok"):
+        raise SlackConnectError(str(payload.get("error") or "Slack OAuth exchange failed"))
+
+    access_token = payload.get("access_token")
+    team = payload.get("team") or {}
+    authed_user = payload.get("authed_user") or {}
+    if not access_token or not team.get("id") or not authed_user.get("id"):
+        raise SlackConnectError("Slack OAuth response did not include required installation fields")
+
+    return SlackInstall(
+        team_id=str(team["id"]),
+        team_name=team.get("name"),
+        authed_user_id=str(authed_user["id"]),
+        bot_user_id=payload.get("bot_user_id"),
+        bot_access_token=str(access_token),
+        scopes=_split_scopes(payload.get("scope")),
+        raw=payload,
+    )