Remove user token from installation object returned by fetchInstallat…

…ion() when query.userId is not specified or corresponding installation object is not found
komiya-atsushi · Jan 18, 2024 · 2c79a87 · 2c79a87
1 parent 5f961b9
commit 2c79a87
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 2 deletions.
diff --git a/packages/bolt-s3/src/S3InstallationStore.ts b/packages/bolt-s3/src/S3InstallationStore.ts
@@ -174,6 +174,13 @@ export class S3InstallationStore implements InstallationStore {
     await Promise.all(keys.map(key => s3Client.store(key, data, logger)));
   }
 
+  /**
+   * Fetches the installation based on the given query parameters from S3 bucket.
+   *
+   * If query.userId is not specified, the returned installation will not include a user token.
+   * Likewise, if no S3 object of installation matching query.userId is found,
+   * the returned installation will also not include a user token.
+   */
   async fetchInstallation(
     query: InstallationQuery<boolean>,
     logger?: Logger
@@ -197,6 +204,11 @@ export class S3InstallationStore implements InstallationStore {
     if (app !== undefined) {
       if (user !== undefined) {
         app.user = user.user;
+      } else {
+        delete app.user.token;
+        delete app.user.refreshToken;
+        delete app.user.expiresAt;
+        delete app.user.scopes;
       }
       return app;
     }

diff --git a/packages/bolt-s3/test/S3InstallationStore.test.ts b/packages/bolt-s3/test/S3InstallationStore.test.ts
@@ -153,7 +153,7 @@ describe('S3InstallationStore', () => {
     });
 
     describe('fetchInstallation()', () => {
-      test('can fetch installer-latest', async () => {
+      test('can fetch installation which only contains bot token if userId is not specified', async () => {
         await sut.storeInstallation(installation, logger);
 
         const fetched = await sut.fetchInstallation(
@@ -165,7 +165,27 @@ describe('S3InstallationStore', () => {
           logger
         );
 
-        expect(fetched).toEqual(installation);
+        const {user: _ignore1, ...fetchedWithoutUser} = fetched;
+        const {user: _ignore2, ...expectedWithoutUser} = installation;
+
+        expect(fetchedWithoutUser).toEqual(expectedWithoutUser);
+      });
+
+      test('can fetch installation which only contains bot token if installation object is not found for the user', async () => {
+        await sut.storeInstallation(installation, logger);
+
+        const fetched = await sut.fetchInstallation({
+          enterpriseId: undefined,
+          teamId,
+          userId: anotherUserId,
+          isEnterpriseInstall: false,
+        });
+
+        expect(fetched).not.toEqual(installation);
+        expect(fetched.bot).toEqual(installation.bot);
+        expect(fetched.user).toStrictEqual({
+          id: installation.user.id,
+        });
       });
 
       test('can fetch installer-USERID-latest', async () => {