feat: add CSRF nonce to Slack OAuth state parameter

[thomaswhyyou]

Description

A customer reported that Slack's app review process requires a nonce in the OAuth state parameter: https://knocklabs.slack.com/archives/C06FHSQ18G4/p1775582016010559

In this PR we now generate a random nonce via crypto.randomUUID and include in the state param when building the auth URL, store it in sessionStorage, and verify it against the nonce echoed back in the postMessage payload.

Note, the postMessage listener accepts both the legacy raw string ("authComplete") and a new structured format ({ type, nonce }) for backward compatibility with older API versions that haven't been updated yet.

There is a corresponding PR in switchboard that echoes back the provided nonce: https://github.com/knocklabs/switchboard/pull/6104

[linear]

KNO-12535 [SlackKit] Add automatic CSRF nonce support to Slack OAuth flow

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
javascript-ms-teams-connect-example	Ready	Preview, Comment	Apr 10, 2026 11:33pm
javascript-nextjs-example	Ready	Preview, Comment	Apr 10, 2026 11:33pm
javascript-slack-connect-example	Ready	Preview, Comment	Apr 10, 2026 11:33pm
javascript-slack-kit-example	Ready	Preview, Comment	Apr 10, 2026 11:33pm

[changeset-bot]

🦋 Changeset detected

Latest commit: 22f5bd0

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 11 packages

Name	Type
@knocklabs/react-core	Patch
@knocklabs/react	Patch
@knocklabs/expo	Patch
@knocklabs/react-native	Patch
guide-example	Patch
ms-teams-connect-example	Patch
nextjs-app-dir-example	Patch
nextjs-example	Patch
slack-connect-example	Patch
slack-kit-example	Patch
@knocklabs/expo-example	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[thomaswhyyou]

• feat: add CSRF nonce to Slack OAuth state parameter  #946 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[thomaswhyyou]

@cursor review

[thomaswhyyou]

@cursor review

[thomaswhyyou]

@cursor review

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 9d524a1. Configure here.}

[cursor]

Polling path bypasses CSRF nonce verification entirely

Medium Severity

useAuthPolling runs concurrently alongside useAuthPostMessageListener in SlackAuthButton and can detect auth success via server-side polling, setting the connection status to "connected" and calling onAuthenticationComplete without any CSRF nonce verification. This provides an alternative success path that completely bypasses the nonce check this PR adds. The stored nonce in sessionStorage is also never cleaned up when polling detects success.

Additional Locations (1)

• packages/react-core/src/modules/core/hooks/useAuthPostMessageListener.ts#L88-L105

 

^{Reviewed by Cursor Bugbot for commit 9d524a1. Configure here.}

[thomaswhyyou]

Noted and discussed here: https://knocklabs.slack.com/archives/C06FHSQ18G4/p1775855122551969?thread_ts=1775582016.010559&cid=C06FHSQ18G4

No action at this time.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.04%. Comparing base (463f85b) to head (22f5bd0).
⚠️ Report is 3 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #946      +/-   ##
==========================================
+ Coverage   63.85%   64.04%   +0.19%     
==========================================
  Files         209      209              
  Lines       10007    10060      +53     
  Branches     1281     1297      +16     
==========================================
+ Hits         6390     6443      +53     
  Misses       3592     3592              
  Partials       25       25              

Files with missing lines	Coverage Δ
packages/react-core/src/index.ts	100.00% <ø> (ø)
...c/modules/core/hooks/useAuthPostMessageListener.ts	100.00% <100.00%> (ø)
...ckages/react-core/src/modules/slack/hooks/index.ts	100.00% <100.00%> (ø)
...react-core/src/modules/slack/hooks/useSlackAuth.ts	97.05% <100.00%> (+0.42%)	⬆️
packages/react-core/src/modules/slack/index.ts	100.00% <ø> (ø)
...ack/components/SlackAuthButton/SlackAuthButton.tsx	76.72% <100.00%> (+0.83%)	⬆️