feat: add Slack user authentication gating and login flow

Gate Slack event processing behind user mapping — unmapped Slack users
receive an ephemeral login link instead of triggering tool calls. Adds
auth info/complete endpoints and a browser-based SlackLogin page.

Co-Authored-By: Claude Opus 4.6 <[email protected]>

Author: qstearns

.speakeasy/out.openapi.yaml

@@ -2,19 +2,19 @@ speakeasyVersion: 1.700.2
 sources:
     Gram-Internal:
         sourceNamespace: gram-api-description
-        sourceRevisionDigest: sha256:18b4401c56501c36bc65024d3f124153259b4f521fb27df6214848057ec3da2a
-        sourceBlobDigest: sha256:5c9698f4cef7d019ea542d1a5ea311cae25f6cdc4b891becc0edc56f2b153a77
+        sourceRevisionDigest: sha256:10dec133cae52f0e44a2fd93f739380f316c35f0a5f6d686fac13d2f10895fab
+        sourceBlobDigest: sha256:78aae5dc79134bcc44fa139accc9af18b27c0acd17688f7f0092474b49bbaf4f
         tags:
             - latest
             - 0.0.1
 targets:
     gram-internal:
         source: Gram-Internal
         sourceNamespace: gram-api-description
-        sourceRevisionDigest: sha256:18b4401c56501c36bc65024d3f124153259b4f521fb27df6214848057ec3da2a
-        sourceBlobDigest: sha256:5c9698f4cef7d019ea542d1a5ea311cae25f6cdc4b891becc0edc56f2b153a77
+        sourceRevisionDigest: sha256:10dec133cae52f0e44a2fd93f739380f316c35f0a5f6d686fac13d2f10895fab
+        sourceBlobDigest: sha256:78aae5dc79134bcc44fa139accc9af18b27c0acd17688f7f0092474b49bbaf4f
         codeSamplesNamespace: gram-api-description-typescript-code-samples
-        codeSamplesRevisionDigest: sha256:68f704bdf8ef8132bf3f1380927f943b8de07ea66f9bd466759a598b72d0a05d
+        codeSamplesRevisionDigest: sha256:fe49a9b04aafb9ecd59414ef2c012af53e21b7b1397b0fc29c94910d52446e45
 workflow:
     workflowVersion: 1.0.0
     speakeasyVersion: pinned

.speakeasy/workflow.lock

@@ -0,0 +1,200 @@
+import { Type } from "@/components/ui/type";
+import { getServerURL } from "@/lib/utils";
+import { Button, Icon, Stack } from "@speakeasy-api/moonshine";
+import { useCallback, useEffect, useState } from "react";
+import { useParams, useNavigate } from "react-router";
+
+type AuthInfo = {
+  appName: string;
+  toolsets: { name: string; slug: string }[];
+  token: string;
+};
+
+type PageState =
+  | "loading"
+  | "awaiting_login"
+  | "completing"
+  | "complete"
+  | "error";
+
+export default function SlackLogin() {
+  const { token } = useParams<{ token: string }>();
+  const navigate = useNavigate();
+  const [state, setState] = useState<PageState>("loading");
+  const [authInfo, setAuthInfo] = useState<AuthInfo | null>(null);
+  const [errorMessage, setErrorMessage] = useState("");
+
+  useEffect(() => {
+    if (!token) {
+      setState("error");
+      setErrorMessage("No token provided.");
+      return;
+    }
+
+    fetch(`${getServerURL()}/rpc/slack-apps/auth/${token}`, {
+      credentials: "include",
+    })
+      .then((res) => {
+        if (!res.ok) {
+          throw new Error("Link expired or invalid");
+        }
+        return res.json();
+      })
+      .then((data: AuthInfo) => {
+        setAuthInfo(data);
+        setState("awaiting_login");
+      })
+      .catch((err) => {
+        setState("error");
+        setErrorMessage(err.message || "Failed to load auth info");
+      });
+  }, [token]);
+
+  const completeAuth = useCallback(async () => {
+    if (!token) return;
+    setState("completing");
+
+    try {
+      const res = await fetch(
+        `${getServerURL()}/rpc/slack-apps/auth/${token}/complete`,
+        {
+          method: "POST",
+          credentials: "include",
+        },
+      );
+
+      if (res.status === 401) {
+        // Not logged in — redirect to login with redirect back here
+        navigate(`/login?redirect=/slack/login/${token}`);
+        return;
+      }
+
+      if (!res.ok) {
+        throw new Error("Failed to complete authentication");
+      }
+
+      setState("complete");
+    } catch (err) {
+      setState("error");
+      setErrorMessage(
+        err instanceof Error ? err.message : "Something went wrong",
+      );
+    }
+  }, [token, navigate]);
+
+  // Auto-attempt completion on mount if user might already be logged in
+  useEffect(() => {
+    if (state === "awaiting_login") {
+      // Try completing — if it fails with 401, we'll show the sign-in button
+      completeAuth();
+    }
+  }, [state === "awaiting_login"]); // eslint-disable-line react-hooks/exhaustive-deps
+
+  return (
+    <div className="flex min-h-screen items-center justify-center bg-background p-4">
+      <div className="w-full max-w-md rounded-xl border bg-card p-8 shadow-sm">
+        <Stack gap={6} align="center">
+          <div className="flex h-12 w-12 items-center justify-center rounded-full bg-muted/50">
+            <Icon name="slack" className="h-6 w-6 text-muted-foreground" />
+          </div>
+
+          {state === "loading" && (
+            <Stack gap={2} align="center">
+              <Icon
+                name="loader-circle"
+                className="h-6 w-6 animate-spin text-muted-foreground"
+              />
+              <Type muted small>
+                Loading...
+              </Type>
+            </Stack>
+          )}
+
+          {state === "completing" && (
+            <Stack gap={2} align="center">
+              <Icon
+                name="loader-circle"
+                className="h-6 w-6 animate-spin text-muted-foreground"
+              />
+              <Type muted small>
+                Linking your account...
+              </Type>
+            </Stack>
+          )}
+
+          {state === "awaiting_login" && authInfo && (
+            <Stack gap={4} align="center" className="w-full">
+              <Stack gap={1} align="center">
+                <Type variant="subheading">Sign in to Gram</Type>
+                <Type muted small className="text-center">
+                  <strong>{authInfo.appName}</strong> needs to verify your
+                  identity to process your messages.
+                </Type>
+              </Stack>
+
+              {authInfo.toolsets.length > 0 && (
+                <div className="w-full rounded-lg border bg-muted/20 p-3">
+                  <Type muted small className="mb-2 block font-medium">
+                    MCP Servers
+                  </Type>
+                  <Stack gap={1}>
+                    {authInfo.toolsets.map((ts) => (
+                      <div
+                        key={ts.slug}
+                        className="flex items-center gap-2 rounded-md px-2 py-1"
+                      >
+                        <Icon
+                          name="network"
+                          className="h-3.5 w-3.5 text-muted-foreground"
+                        />
+                        <Type small>{ts.name}</Type>
+                      </div>
+                    ))}
+                  </Stack>
+                </div>
+              )}
+
+              <Button
+                className="w-full"
+                onClick={() =>
+                  navigate(`/login?redirect=/slack/login/${token}`)
+                }
+              >
+                <Button.Text>Sign in to Gram</Button.Text>
+              </Button>
+            </Stack>
+          )}
+
+          {state === "complete" && (
+            <Stack gap={3} align="center">
+              <div className="flex h-10 w-10 items-center justify-center rounded-full bg-primary/10">
+                <Icon name="check" className="h-5 w-5 text-primary" />
+              </div>
+              <Stack gap={1} align="center">
+                <Type variant="subheading">You're connected!</Type>
+                <Type muted small className="text-center">
+                  You can close this page and return to Slack.
+                </Type>
+              </Stack>
+            </Stack>
+          )}
+
+          {state === "error" && (
+            <Stack gap={3} align="center">
+              <div className="flex h-10 w-10 items-center justify-center rounded-full bg-destructive/10">
+                <Icon name="circle-x" className="h-5 w-5 text-destructive" />
+              </div>
+              <Stack gap={1} align="center">
+                <Type variant="subheading">Link expired</Type>
+                <Type muted small className="text-center">
+                  {errorMessage ||
+                    "This login link is no longer valid. Send another message in Slack to get a new one."}
+                </Type>
+              </Stack>
+            </Stack>
+          )}
+        </Stack>
+      </div>
+    </div>
+  );
+}

client/dashboard/src/pages/slackapp/SlackLogin.tsx

@@ -37,6 +37,7 @@ import SDK from "./pages/sdk/SDK";
 import Settings from "./pages/settings/Settings";
 import SlackAppsIndex, { SlackAppsRoot } from "./pages/slackapp/SlackApp";
 import SlackAppDetailPage from "./pages/slackapp/SlackAppDetail";
+import SlackLogin from "./pages/slackapp/SlackLogin";
 import SourceDetails from "./pages/sources/SourceDetails";
 import { SourcesPage, SourcesRoot } from "./pages/sources/Sources";
 import CustomTools, { CustomToolsRoot } from "./pages/toolBuilder/CustomTools";
@@ -117,6 +118,12 @@ const ROUTE_STRUCTURE = {
     component: Register,
     unauthenticated: true,
   },
+  slackLogin: {
+    title: "Slack Login",
+    url: "/slack/login/:token",
+    component: SlackLogin,
+    unauthenticated: true,
+  },
   onboarding: {
     title: "Onboarding",
     url: "onboarding",