Unexpected team interaction?

[bobmazanec]

First off, thanks to all involved in both this fork and the original gem.

Love the team functionality...but I had some surprises using it. Would like to know if there's something wrong in my setup/usage and/or my fix(/workaround). Hope it's OK to ask here...

Setup

I have access to at least 2 Slack teams/workspaces. Let's call them TeamA and TeamB.
I also have at least 2 Slack identities:

• UserA has access to TeamA
• UserAB has access to both TeamA and TeamB

My Devise config picks up TeamA values

  config.omniauth :slack,
                  ENV['SLACK_APP_CLIENT_ID'],
                  ENV['SLACK_APP_CLIENT_SECRET'],
                  scope: 'identity.basic, identity.email',
                   team: ENV['SLACK_OAUTH_TEAM_ID'],
            team_domain: ENV['SLACK_OAUTH_TEAM_DOMAIN']  // 'teama'

When either user is signed into TeamA, things work as expected—Slack asks if I want TeamA to grant my app permission to access basic and email info.

Weird(?) behavior

The weird thing is when UserAB is signed into only TeamB.

When that is the case and I start the flow, I see

1. the address bar show https://teama.slack.com/oauth?... briefly
2. it change to https://teamb.slack.com/oauth?...
3. it asks permission against TeamB

If I grant permission, I get a token for UserAB in TeamB.

Expected? Unexpected?

Fix(/ Workaround?)

Double-check the Team ID in my callback controller and redirect back to the root page if there's a mismatch:

app/controllers/users/omniauth_callbacks.rb

module Users
  class OmniauthCallbacksController < Devise::OmniauthCallbacksController
    def slack
      access_token = request.env['omniauth.auth']
      if access_token.info['team_id'] != ENV['SLACK_OAUTH_TEAM_ID']
        flash[:error] = t 'slack.wrong_workspace', team_domain: ENV['SLACK_OAUTH_TEAM_DOMAIN']
        return redirect_to root_path
      end

      # proceed normally ...
    end

    # ...

Seem reasonable?

TIA!