feat: add Slack user authentication gating and login flow

Gate Slack event processing behind user mapping — unmapped Slack users
receive an ephemeral login link instead of triggering tool calls. Adds
auth info/complete endpoints and a browser-based SlackLogin page.

Co-Authored-By: Claude Opus 4.6 <[email protected]>

Author: qstearns

.speakeasy/workflow.lock

@@ -14,7 +14,7 @@ targets:
         sourceRevisionDigest: sha256:7859f0c4231beff392cc2708bf2a2671c0d64c7621d6c48503a6864072130736
         sourceBlobDigest: sha256:4e1326f50db729bca558f25ad4836238cf74f7488028f3fe4353ec22101892e9
         codeSamplesNamespace: gram-api-description-typescript-code-samples
-        codeSamplesRevisionDigest: sha256:051bf94cdc75c3d08a003d73c497d5fdec5d436ca0a79fdb981c810248b17d24
+        codeSamplesRevisionDigest: sha256:a1b85695335f0616063c0d5e7db6ccc2e8532aa4d12a71c41b90c8c8697e2b3b
 workflow:
     workflowVersion: 1.0.0
     speakeasyVersion: pinned

client/dashboard/src/pages/slackapp/SlackLogin.tsx

@@ -0,0 +1,200 @@
+import { Type } from "@/components/ui/type";
+import { getServerURL } from "@/lib/utils";
+import { Button, Icon, Stack } from "@speakeasy-api/moonshine";
+import { useCallback, useEffect, useState } from "react";
+import { useParams, useNavigate } from "react-router";
+
+type AuthInfo = {
+  appName: string;
+  toolsets: { name: string; slug: string }[];
+  token: string;
+};
+
+type PageState =
+  | "loading"
+  | "awaiting_login"
+  | "completing"
+  | "complete"
+  | "error";
+
+export default function SlackLogin() {
+  const { token } = useParams<{ token: string }>();
+  const navigate = useNavigate();
+  const [state, setState] = useState<PageState>("loading");
+  const [authInfo, setAuthInfo] = useState<AuthInfo | null>(null);
+  const [errorMessage, setErrorMessage] = useState("");
+
+  useEffect(() => {
+    if (!token) {
+      setState("error");
+      setErrorMessage("No token provided.");
+      return;
+    }
+
+    fetch(`${getServerURL()}/rpc/slack-apps/auth/${token}`, {
+      credentials: "include",
+    })
+      .then((res) => {
+        if (!res.ok) {
+          throw new Error("Link expired or invalid");
+        }
+        return res.json();
+      })
+      .then((data: AuthInfo) => {
+        setAuthInfo(data);
+        setState("awaiting_login");
+      })
+      .catch((err) => {
+        setState("error");
+        setErrorMessage(err.message || "Failed to load auth info");
+      });
+  }, [token]);
+
+  const completeAuth = useCallback(async () => {
+    if (!token) return;
+    setState("completing");
+
+    try {
+      const res = await fetch(
+        `${getServerURL()}/rpc/slack-apps/auth/${token}/complete`,
+        {
+          method: "POST",
+          credentials: "include",
+        },
+      );
+
+      if (res.status === 401) {
+        // Not logged in — redirect to login with redirect back here
+        navigate(`/login?redirect=/slack/login/${token}`);
+        return;
+      }
+
+      if (!res.ok) {
+        throw new Error("Failed to complete authentication");
+      }
+
+      setState("complete");
+    } catch (err) {
+      setState("error");
+      setErrorMessage(
+        err instanceof Error ? err.message : "Something went wrong",
+      );
+    }
+  }, [token, navigate]);
+
+  // Auto-attempt completion on mount if user might already be logged in
+  useEffect(() => {
+    if (state === "awaiting_login") {
+      // Try completing — if it fails with 401, we'll show the sign-in button
+      completeAuth();
+    }
+  }, [state === "awaiting_login"]); // eslint-disable-line react-hooks/exhaustive-deps
+
+  return (
+    <div className="flex min-h-screen items-center justify-center bg-background p-4">
+      <div className="w-full max-w-md rounded-xl border bg-card p-8 shadow-sm">
+        <Stack gap={6} align="center">
+          <div className="flex h-12 w-12 items-center justify-center rounded-full bg-muted/50">
+            <Icon name="slack" className="h-6 w-6 text-muted-foreground" />
+          </div>
+
+          {state === "loading" && (
+            <Stack gap={2} align="center">
+              <Icon
+                name="loader-circle"
+                className="h-6 w-6 animate-spin text-muted-foreground"
+              />
+              <Type muted small>
+                Loading...
+              </Type>
+            </Stack>
+          )}
+
+          {state === "completing" && (
+            <Stack gap={2} align="center">
+              <Icon
+                name="loader-circle"
+                className="h-6 w-6 animate-spin text-muted-foreground"
+              />
+              <Type muted small>
+                Linking your account...
+              </Type>
+            </Stack>
+          )}
+
+          {state === "awaiting_login" && authInfo && (
+            <Stack gap={4} align="center" className="w-full">
+              <Stack gap={1} align="center">
+                <Type variant="subheading">Sign in to Gram</Type>
+                <Type muted small className="text-center">
+                  <strong>{authInfo.appName}</strong> needs to verify your
+                  identity to process your messages.
+                </Type>
+              </Stack>
+
+              {authInfo.toolsets.length > 0 && (
+                <div className="w-full rounded-lg border bg-muted/20 p-3">
+                  <Type muted small className="mb-2 block font-medium">
+                    MCP Servers
+                  </Type>
+                  <Stack gap={1}>
+                    {authInfo.toolsets.map((ts) => (
+                      <div
+                        key={ts.slug}
+                        className="flex items-center gap-2 rounded-md px-2 py-1"
+                      >
+                        <Icon
+                          name="network"
+                          className="h-3.5 w-3.5 text-muted-foreground"
+                        />
+                        <Type small>{ts.name}</Type>
+                      </div>
+                    ))}
+                  </Stack>
+                </div>
+              )}
+
+              <Button
+                className="w-full"
+                onClick={() =>
+                  navigate(`/login?redirect=/slack/login/${token}`)
+                }
+              >
+                <Button.Text>Sign in to Gram</Button.Text>
+              </Button>
+            </Stack>
+          )}
+
+          {state === "complete" && (
+            <Stack gap={3} align="center">
+              <div className="flex h-10 w-10 items-center justify-center rounded-full bg-primary/10">
+                <Icon name="check" className="h-5 w-5 text-primary" />
+              </div>
+              <Stack gap={1} align="center">
+                <Type variant="subheading">You're connected!</Type>
+                <Type muted small className="text-center">
+                  You can close this page and return to Slack.
+                </Type>
+              </Stack>
+            </Stack>
+          )}
+
+          {state === "error" && (
+            <Stack gap={3} align="center">
+              <div className="flex h-10 w-10 items-center justify-center rounded-full bg-destructive/10">
+                <Icon name="circle-x" className="h-5 w-5 text-destructive" />
+              </div>
+              <Stack gap={1} align="center">
+                <Type variant="subheading">Link expired</Type>
+                <Type muted small className="text-center">
+                  {errorMessage ||
+                    "This login link is no longer valid. Send another message in Slack to get a new one."}
+                </Type>
+              </Stack>
+            </Stack>
+          )}
+        </Stack>
+      </div>
+    </div>
+  );
+}

client/dashboard/src/routes.tsx

@@ -38,6 +38,7 @@ import SDK from "./pages/sdk/SDK";
 import Settings from "./pages/settings/Settings";
 import SlackAppsIndex, { SlackAppsRoot } from "./pages/slackapp/SlackApp";
 import SlackAppDetailPage from "./pages/slackapp/SlackAppDetail";
+import SlackLogin from "./pages/slackapp/SlackLogin";
 import SourceDetails from "./pages/sources/SourceDetails";
 import { SourcesPage, SourcesRoot } from "./pages/sources/Sources";
 import CustomTools, { CustomToolsRoot } from "./pages/toolBuilder/CustomTools";
@@ -118,6 +119,12 @@ const ROUTE_STRUCTURE = {
     component: Register,
     unauthenticated: true,
   },
+  slackLogin: {
+    title: "Slack Login",
+    url: "/slack/login/:token",
+    component: SlackLogin,
+    unauthenticated: true,
+  },
   onboarding: {
     title: "Onboarding",
     url: "onboarding",

client/sdk/.speakeasy/gen.lock

@@ -59,7 +59,7 @@ export function serverURLFromOptions(options: SDKOptions): URL | null {
 export const SDK_METADATA = {
   language: "typescript",
   openapiDocVersion: "0.0.1",
-  sdkVersion: "0.27.17",
+  sdkVersion: "0.27.18",
   genVersion: "2.801.2",
-  userAgent: "speakeasy-sdk/typescript 0.27.17 2.801.2 0.0.1 @gram/client",
+  userAgent: "speakeasy-sdk/typescript 0.27.18 2.801.2 0.0.1 @gram/client",
 } as const;