installerOptions.stateStore.verifyStateParam not called when state parameter is empty

[dzhk]

Description

Error message: "Redirect url is missing the state query parameter. If this is intentional, see options for disabling default state verification."

To reproduce this error, you need to set stateVerification to true and try installing the app from the app page. (url wil be like
that ..&state=&....
installerOptions.stateStore.verifyStateParam not called when state parameter is empty

I think the check described below is not needed, because I can validate it myself in installerOptions.stateStore.verifyStateParam.

@slack/oauth/dist/index.js, line 379

if (this.stateVerification && !state) {
    throw new errors_1.MissingStateError('Redirect url is missing the state query parameter. If this is intentional, see options for disabling default state verification.')
}

What type of issue is this? (place an x in one of the [ ])

• bug
• enhancement (feature request)
• question
• documentation related
• example code related
• testing related
• discussion

Requirements (place an x in each of the [ ])

• I've read and understood the Contributing guidelines and have done my best effort to follow them.
• I've read and agree to the Code of Conduct.
• I've searched for any related issues and avoided creating a duplicate issue.

---

Bug Report

Filling out the following details about bugs will help us solve your issue sooner.

Reproducible in:

package version:
"@slack/bolt": "^3.9.0",
"@slack/oauth": "^2.4.0",
"@slack/web-api": "^6.6.0",
node version:

OS version(s):

Steps to reproduce:

1. set stateVerification to true
2. Try installing the app from the app page. (url wil be like
   that ..&state=&....
3. after redirect your app will send error "Redirect url is missing the state query parameter. If this is intentional, see options for disabling default state verification."

Expected result:

Function verifyStateParam call

What you expected to happen
Function verifyStateParam call

Actual result:

error "Redirect url is missing the state query parameter. If this is intentional, see options for disabling default state verification."
What actually happened
@slack/oauth/dist/index.js, line 379

if (this.stateVerification && !state) {
    throw new errors_1.MissingStateError('Redirect url is missing the state query parameter. If this is intentional, see options for disabling default state verification.')
}

Attachments:

Logs, screenshots, screencast, sample project, funny gif, etc.

[mwbrooks]

Hey @dzhk,

Thanks for submitting the issue! I agree that your expected result makes sense. I've labelled this as needs info so that we can discuss whether to change the functionality and whether this would introduce breaking changes for existing developers who assuming that an error will be thrown.

[dzhk]

Hey @mwbrooks!
Perhaps you should create a default state setting in your application's manifest. This will solve my problem

[dzhk]

As a temporary solution, you can do this:

const tmp  = require('@slack/oauth') ;
tmp.InstallProvider.originalExtractSearchParams = tmp.InstallProvider.extractSearchParams;
tmp.InstallProvider.extractSearchParams = function(){
    const resultOriginal = this.originalExtractSearchParams.apply(this, arguments);
    if ( resultOriginal.get('state') === '' ) {
        resultOriginal.set('state', 'your_default_state');
    }
    return resultOriginal;
}

[mwbrooks]

Hey @dzhk, thanks a lot for the temporary solution code sample. 🙇🏻 That may help others who want to apply the same workaround.

Another alternative is to use the installerOptions.callbackOptions.failure callback to handle an empty state gracefully. This would be safer in-case the private method InstallProvider. extractSearchParams is changed during a minor or patch release.

---

I had an internal discussion with some of the maintainers of Bolt JS. There's agreement that this is a legit change, but it would require a major version update to not break functionality of existing developers. So, I'm going to assign it to the 4.x Milestone. Thanks for helping us find this improvement!

[dzhk]

Thank you!