emphemeral messages

Author: chpy04

src/backend/index.ts

@@ -25,6 +25,7 @@ import statisticsRouter from './src/routes/statistics.routes';
 import retrospectiveRouter from './src/routes/retrospective.routes';
 import partsRouter from './src/routes/parts.routes';
 import financeRouter from './src/routes/finance.routes';
+import './src/routes/slack.routes';
 
 const app = express();
 

src/backend/src/controllers/slack.controllers.ts

@@ -1,6 +1,6 @@
-import { getWorkspaceId } from '../integrations/slack';
+import { getWorkspaceId, replyToMessageInThread } from '../integrations/slack';
 import OrganizationsService from '../services/organizations.services';
-import SlackServices from '../services/slack.services';
+import SlackServices, { SlackBlockActionBody, SaboSubmissionActionValue } from '../services/slack.services';
 
 export default class SlackController {
   static async processMessageEvent(event: any) {
@@ -16,40 +16,70 @@ export default class SlackController {
     }
   }
 
-  static async handleSaboSubmittedAction(body: any) {
+  /**
+   * Handles the Slack block action for SABO submission confirmation.
+   * Performs action-specific validation and extracts relevant fields from the Slack action body.
+   * If validation fails, replies to the user in Slack with an error message.
+   *
+   * @param body The validated Slack block action body (general structure validated in routes)
+   */
+  static async handleSaboSubmittedAction(body: SlackBlockActionBody) {
+    const { user, container, actions } = body;
+    const channelId = container.channel_id;
+    const threadTs = container.thread_ts || container.message_ts;
+    const [firstAction] = actions;
+
     try {
-      // Extract action details from Bolt's BlockAction payload
-      const [action] = body.actions;
+      // Action-specific validation: verify action_id
+      if (firstAction.action_id !== 'sabo_submitted_confirmation') {
+        console.error('Unexpected action_id:', firstAction.action_id);
+        await replyToMessageInThread(
+          channelId,
+          threadTs,
+          `❌ An error occurred: Unexpected action type "${firstAction.action_id}". Please contact the software team.`
+        );
+        return;
+      }
+
+      // Action-specific validation: verify value format
+      let actionValue: SaboSubmissionActionValue;
+      try {
+        actionValue = JSON.parse(firstAction.value);
+      } catch (parseError) {
+        const parseErrorMsg = parseError instanceof Error ? parseError.message : 'Unknown parse error';
+        await replyToMessageInThread(
+          channelId,
+          threadTs,
+          `❌ An error occurred: Invalid action data format.\n\n*Error:* ${parseErrorMsg}\n*Value:* \`${firstAction.value}\`\n\nPlease contact the software team.`
+        );
+        return;
+      }
 
-      if (action.type !== 'button') {
-        // ignore non-button actions for sab submission confirmation
+      // Validate that reimbursementRequestId exists in the parsed value
+      if (!actionValue.reimbursementRequestId || typeof actionValue.reimbursementRequestId !== 'string') {
+        const actionValueStr = JSON.stringify(actionValue, null, 2);
+        await replyToMessageInThread(
+          channelId,
+          threadTs,
+          `❌ An error occurred: Missing or invalid reimbursement request ID.\n\n*Parsed value:*\n\`\`\`${actionValueStr}\`\`\`\n\nPlease contact the software team.`
+        );
         return;
       }
 
-      const payload = {
-        type: body.type,
-        user: {
-          id: body.user.id,
-          username: body.user.username,
-          name: body.user.name
-        },
-        actions: [
-          {
-            action_id: action.action_id,
-            value: action.value || '',
-            type: action.type
-          }
-        ],
-        response_url: body.response_url
-      };
+      // Extract validated fields
+      const userSlackId = user.id;
+      const { reimbursementRequestId } = actionValue;
 
-      // Handle the action using existing service
-      await SlackServices.handleSaboSubmittedAction(payload);
+      // Pass the extracted fields to the service layer for business logic
+      await SlackServices.handleSaboSubmittedAction(userSlackId, reimbursementRequestId);
     } catch (error: unknown) {
-      console.error('Error handling Slack interactive action:', error);
       const errorMessage = error instanceof Error ? error.message : 'Unknown error';
-      console.error('Error details:', errorMessage);
-      throw error; // Re-throw to be handled by Bolt's error handler
+      await replyToMessageInThread(
+        channelId,
+        threadTs,
+        `❌ An unexpected error occurred while processing your request.\n\n*Error message:* ${errorMessage}\n\nPlease contact the software team and provide them with this information.`
+      );
+      throw error;
     }
   }
 }

src/backend/src/routes/slack.routes.ts

@@ -11,15 +11,103 @@ slackApp.message(async ({ message, logger }: any) => {
   }
 });
 
+/**
+ * Validates the general structure of a Slack block action payload.
+ * This validation is action-agnostic and only checks that the required fields exist.
+ * Action-specific validation (like action_id and value format) happens in the controller.
+ *
+ * @param body The Slack action body to validate
+ * @returns true if valid, false otherwise
+ */
+function validateSlackActionBody(body: any): boolean {
+  // Check required top-level fields
+  if (!body || typeof body !== 'object') {
+    console.error('Invalid body: not an object');
+    return false;
+  }
+
+  if (body.type !== 'block_actions') {
+    console.error('Invalid body type:', body.type);
+    return false;
+  }
+
+  // Validate user object
+  if (!body.user || typeof body.user !== 'object') {
+    console.error('Invalid or missing user object');
+    return false;
+  }
+
+  if (!body.user.id || typeof body.user.id !== 'string') {
+    console.error('Invalid or missing user.id');
+    return false;
+  }
+
+  if (!body.user.team_id || typeof body.user.team_id !== 'string') {
+    console.error('Invalid or missing user.team_id');
+    return false;
+  }
+
+  // Validate actions array exists and has at least one action
+  if (!Array.isArray(body.actions) || body.actions.length === 0) {
+    console.error('Invalid or empty actions array');
+    return false;
+  }
+
+  const [action] = body.actions;
+  if (!action.action_id || typeof action.action_id !== 'string') {
+    console.error('Invalid or missing action_id');
+    return false;
+  }
+
+  if (!action.value || typeof action.value !== 'string') {
+    console.error('Invalid or missing action value');
+    return false;
+  }
+
+  // Validate container object (for message timestamp and channel)
+  if (!body.container || typeof body.container !== 'object') {
+    console.error('Invalid or missing container object');
+    return false;
+  }
+
+  if (!body.container.message_ts || typeof body.container.message_ts !== 'string') {
+    console.error('Invalid or missing container.message_ts');
+    return false;
+  }
+
+  if (!body.container.channel_id || typeof body.container.channel_id !== 'string') {
+    console.error('Invalid or missing container.channel_id');
+    return false;
+  }
+
+  // Validate thread_ts if it exists (optional but if present should be string)
+  if (body.container.thread_ts && typeof body.container.thread_ts !== 'string') {
+    console.error('Invalid container.thread_ts type');
+    return false;
+  }
+
+  return true;
+}
+
 // Register interactive action handler for SABO submission confirmation
-slackApp.action('sabo_submitted_confirmation', async ({ ack, body, logger }: any) => {
+slackApp.action('sabo_submitted_confirmation', async ({ ack, body, logger, respond }: any) => {
   await ack();
 
   try {
+
+    // Validate the incoming action body structure
+    if (!validateSlackActionBody(body)) {
+      logger.error('Invalid Slack action body structure');
+      return;
+    }
+
     await SlackController.handleSaboSubmittedAction(body);
+
+    // If no error, delete the original message
+    await respond({ delete_original: true });
   } catch (error) {
+    // Can't pass to normal middleware because not normal request
     logger.error('Error handling sabo_submitted_confirmation action:', error);
-    console.error(error);
   }
 });
 

src/backend/src/services/slack.services.ts

@@ -1,9 +1,10 @@
 import { getChannelName, getUserName } from '../integrations/slack';
 import AnnouncementService from './announcement.services';
-import { Announcement } from 'shared';
+import { Announcement, ReimbursementStatusType } from 'shared';
 import prisma from '../prisma/prisma';
 import { blockToMentionedUsers, blockToString } from '../utils/slack.utils';
-import { NotFoundException } from '../utils/errors.utils';
+import { InvalidOrganizationException, NotFoundException } from '../utils/errors.utils';
+import ReimbursementRequestService from './reimbursement-requests.services';
 
 /**
  * Represents a slack event for a message in a channel.
@@ -67,73 +68,128 @@ export interface SlackRichTextBlock {
 }
 
 /**
- * Represents a Slack interactive payload from a button click
+ * Represents a Slack block action body structure.
+ * The general structure is validated in routes, while action-specific fields
+ * (action_id and value format) are validated in controllers.
  */
-export interface SlackInteractivePayload {
-  type: string;
+export interface SlackBlockActionBody {
+  type: 'block_actions';
   user: {
     id: string;
     username: string;
     name: string;
+    team_id: string;
   };
+  api_app_id: string;
+  token: string;
+  container: {
+    type: string;
+    message_ts: string;
+    channel_id: string;
+    is_ephemeral: boolean;
+    thread_ts?: string; // Optional - if present, the message is in a thread
+  };
+  trigger_id: string;
+  team: {
+    id: string;
+    domain: string;
+  };
+  enterprise: null | {
+    id: string;
+    name: string;
+  };
+  is_enterprise_install: boolean;
+  channel: {
+    id: string;
+    name: string;
+  };
+  state: {
+    values: Record<string, any>;
+  };
+  response_url: string;
   actions: Array<{
-    action_id: string;
-    value: string;
+    action_id: string; // Validated in controller, not routes
+    block_id: string;
+    text?: any;
+    value: string; // Validated for format in controller, not routes
+    style?: string;
     type: string;
+    action_ts: string;
   }>;
-  response_url: string;
+}
+
+/**
+ * Represents the parsed value from a SABO submission action
+ */
+export interface SaboSubmissionActionValue {
+  reimbursementRequestId: string;
 }
 
 export default class SlackServices {
   /**
-   * Handles the Slack button click for marking a reimbursement request as SABO submitted
-   * @param payload the Slack interactive payload
-   * @param organizationId the organization ID
+   * Handles the Slack button click for marking a reimbursement request as SABO submitted.
+   * This performs the business logic for processing the SABO submission confirmation.
+   *
+   * @param userSlackId The Slack user ID of the user who clicked the button
+   * @param teamSlackId The Slack team ID (workspace ID) where the action occurred
+   * @param reimbursementRequestId The ID of the reimbursement request to mark as submitted
+   * @param interactiveMessageTs The timestamp of the interactive message (to delete after processing)
    */
-  static async handleSaboSubmittedAction(payload: SlackInteractivePayload): Promise<void> {
-    const [action] = payload.actions;
-    if (action.action_id !== 'sabo_submitted_confirmation') {
-      console.log('Ignoring action with id:', action.action_id);
-      return;
-    }
-
-    console.log('Processing sabo_submitted_confirmation action');
-    const { reimbursementRequestId } = JSON.parse(action.value);
-    const slackUserId = payload.user.id;
-
-    console.log('Looking up user with slack ID:', slackUserId);
-    console.log('Reimbursement Request ID:', reimbursementRequestId);
-
+  static async handleSaboSubmittedAction(userSlackId: string, reimbursementRequestId: string): Promise<void> {
     // Find the user by their slack ID
     const user = await prisma.user.findFirst({
       where: {
         userSettings: {
-          slackId: slackUserId
+          slackId: userSlackId
         }
       }
     });
 
     if (!user) {
-      console.error('User not found for slack ID:', slackUserId);
-      throw new NotFoundException('User', slackUserId);
+      console.error('User not found for slack ID:', userSlackId);
+      throw new NotFoundException('User', userSlackId);
     }
 
+    // Find the reimbursement request
     const reimbursementRequest = await prisma.reimbursement_Request.findUnique({
       where: {
         reimbursementRequestId
       },
       include: {
-        organization: true
+        organization: true,
+        reimbursementStatuses: true,
+        notificationSlackThreads: true
       }
     });
 
     if (!reimbursementRequest) {
       throw new NotFoundException('Reimbursement Request', reimbursementRequestId);
     }
 
+    // Verify that the user's organization matches the reimbursement request's organization
+    const userOrganization = await prisma.user.findFirst({
+      where: {
+        userId: user.userId
+      },
+      include: {
+        organizations: true
+      }
+    });
+
+    const hasAccess = userOrganization?.organizations.some(
+      (org) => org.organizationId === reimbursementRequest.organizationId
+    );
 
-    // Import the service dynamically to avoid circular dependencies
-    const ReimbursementRequestService = (await import('./reimbursement-requests.services')).default;
+    if (!hasAccess) {
+      throw new InvalidOrganizationException('Reimbursement Request');
+    }
+
+    // If the reimbursement request has already been submitted to SABO, just return (message will be deleted by route)
+    if (
+      reimbursementRequest.reimbursementStatuses.some((status) => status.type === ReimbursementStatusType.SABO_SUBMITTED)
+    ) {
+      return;
+    }
 
     // Call the service function to mark as SABO submitted
     await ReimbursementRequestService.markReimbursementRequestAsSaboSubmitted(