Slack OAuth Authorize Post

POST /api/auth/slack/authorize

curl --request POST \
  --url https://example.com/api/auth/slack/authorize \
  --header 'Content-Type: application/json' \
  --data '{ "returnTo": "example" }'

Initiate Slack OAuth without leaking returnTo into URLs.

The client POSTs {"returnTo": "/some/path"}. We validate it, stash it in a short-lived HttpOnly cookie (memosa_oauth_return_to), and return the Slack authorize URL. The client then navigates to that URL. When the callback lands, it reads the cookie, not a URL param.

This is the preferred endpoint — the GET variant is retained for backward compatibility with cached frontend bundles during deploy.

Media type application/json
SlackAuthorizeBody

Request body for the Slack OAuth POST initiator.

The only field is returnTo, a same-origin relative path the browser should land on after the OAuth round-trip. Stored in a short-lived HttpOnly cookie; _validate_safe_relative_path is the deep guard against open-redirect / protocol-relative payloads.

object
  returnTo
    Any of: string
Example generated
{
  "returnTo": "example"
}
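
One way to implement the returnTo check and the cookie described above, as an added example that is not the project's own code. The names safe_relative_path and return_to_cookie are hypothetical (this is not the project's _validate_safe_relative_path), and the 600-second lifetime, the length cap and the Path, SameSite and Secure attributes are assumptions.

```python
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import quote, urlsplit

COOKIE_NAME = "memosa_oauth_return_to"  # cookie name given on this page
COOKIE_MAX_AGE = 600  # assumption: the page only says "short-lived"
MAX_LEN = 2048  # assumption: arbitrary upper bound on the path length


def safe_relative_path(value: object) -> Optional[str]:
    """Return value if it is a same-origin relative path, else None."""
    if not isinstance(value, str) or not 0 < len(value) <= MAX_LEN:
        return None
    # Browsers drop tab/CR/LF and treat "\" like "/", so "/\t/evil.example"
    # and "/\evil.example" would both be resolved as "//evil.example".
    if "\\" in value or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return None
    # Rooted at "/", but not protocol-relative ("//host/...").
    if not value.startswith("/") or value.startswith("//"):
        return None
    parts = urlsplit(value)
    if parts.scheme or parts.netloc:
        return None
    return value


def return_to_cookie(value: object) -> Optional[str]:
    """Build the Set-Cookie value, or None when returnTo is rejected."""
    path = safe_relative_path(value)
    if path is None:
        return None
    jar = SimpleCookie()
    jar[COOKIE_NAME] = quote(path, safe="")  # callback must unquote()
    morsel = jar[COOKIE_NAME]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"  # assumption: cookie must survive Slack's redirect back
    morsel["max-age"] = COOKIE_MAX_AGE
    morsel["path"] = "/"  # assumption: callback path is not given on the page
    return morsel.OutputString()


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ["/some/path", "//evil.example", "/\\evil.example", "https://evil.example/"]:
        print(repr(candidate), "->", return_to_cookie(candidate))
```

The callback side should run the same check again on the value it reads back from the cookie before redirecting.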

Successful Response

Media type application/json
SlackAuthorizeUrlResponse

Response from POST /auth/slack/authorize (the redirect-URL form).

object
  redirect_url (Redirect Url), required: string
Example generated
{
  "redirect_url": "example"
}

Validation Error

Media type application/json
HTTPValidationError
object
  detail (Detail): Array<object>
    ValidationError
    object
      loc (Location), required: Array
      msg (Message), required: string
      type (Error Type), required: string
      input (Input)
      ctx (Context): object
Example generated
{
  "detail": [
    {
      "loc": [
        "example"
      ],
      "msg": "example",
      "type": "example",
      "input": "example",
      "ctx": {}
    }
  ]
}