
slack DM: warn reviewers about IAP roundtrip dropping the action URL #10

Merged: phosphore merged 1 commit into master from lorenzo/slack-dm-iap-roundtrip-tip on May 8, 2026

Conversation

@phosphore
Member

Summary

Reported by a reviewer (Nico, post-merge of #9):

Small UX thing about the links to be aware of: when I clicked on the link, I was first asked to sign in with Google; once signed in, I was on the pam homepage. So I went back to this message to click the link again to get the runin-prod-ro permission.

Root cause: IAP's OAuth roundtrip during the first sign-in in a fresh browser session occasionally strips the action URL's query string (which is where the proposal token lives — ?f=/environments/.../proposal/{token}). The reviewer lands on pam.wavemm.net/ (homepage) instead of the proposal-acceptance view. Clicking the Slack button again works because the IAP cookie is now fresh.

We don't directly control the IAP redirect contract, so the cheapest fix is to tell reviewers inline what to do. Adding a one-liner to the existing ContextBlock under the "Approve in JIT" button.

Diff

The new line appended to the existing context message:

ℹ️ First click after a long break may land you on the JIT homepage instead of the approval page (IAP login). If so, just click "Approve in JIT" again from this message — your IAP cookie is now fresh.

Future improvements (out of scope)

  • Frontend detection: if view.js sees the page loaded without a ?f= param but the Referer is accounts.google.com, render an explicit banner. More work.
  • Server-side: pass the original URL as state in the OAuth roundtrip. Would require IAP/load-balancer config we don't fully own.

Test plan

  • Visual smoke-test on rev URL after deploy: submit an MPA elevation, verify the reviewer DM contains the new line in the context block.
  • No new unit tests — the existing tests don't assert on the literal context-block prose, so the change is invisible to the test suite (intentional: the prose is presentation-layer).

🤖 Generated with Claude Code
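The frontend-detection idea from the "Future improvements" list above, as an added example that is not the project's view.js and not code from the PR. It builds the Slack button target in the `?f=` form the PR describes and checks, on page load, for the failure mode the reviewer hit: no `?f=` parameter present while the navigation came from accounts.google.com. All function names (buildActionUrl, needsRetryBanner, renderRetryBanner), the banner wording, and the environment segment and token used as sample input are assumptions or constructed values.

```javascript
// Added example; not the project's view.js. Assumed names: buildActionUrl,
// needsRetryBanner, renderRetryBanner, and the banner text. Base URL and the
// IAP login host come from the PR text; sample paths/tokens are constructed.

const JIT_BASE = 'https://pam.wavemm.net/';      // JIT homepage, from the PR
const IAP_LOGIN_HOST = 'accounts.google.com';    // IAP sign-in host, from the PR

// Build the "Approve in JIT" button target: homepage plus the proposal path in ?f=.
// searchParams.set percent-encodes the path, so the token cannot break the query.
function buildActionUrl(proposalPath, base = JIT_BASE) {
  const url = new URL(base);
  url.searchParams.set('f', proposalPath);
  return url.toString();
}

// True when the action parameter was lost across the IAP roundtrip.
// `search` is location.search, `referrer` is document.referrer.
function needsRetryBanner(search, referrer) {
  const params = new URLSearchParams(search);
  if (params.has('f')) return false;           // action param survived: normal load
  if (!referrer) return false;                 // referrer policy may blank it; do not guess
  let host;
  try {
    host = new URL(referrer).hostname;         // compare the host exactly, not a substring
  } catch (_err) {
    return false;                              // malformed referrer: treat as unknown
  }
  return host === IAP_LOGIN_HOST;
}

// Render the banner when a DOM is available; always return the message so callers can test it.
function renderRetryBanner(doc) {
  const msg = 'Your IAP sign-in dropped the approval link. Click "Approve in JIT" in the Slack message again.';
  if (doc && typeof doc.createElement === 'function' && doc.body) {
    const el = doc.createElement('div');
    el.setAttribute('role', 'alert');
    el.textContent = msg;
    doc.body.prepend(el);
  }
  return msg;
}

// Browser entry point; a no-op under Node, where window/document are undefined.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  if (needsRetryBanner(window.location.search, document.referrer)) {
    renderRetryBanner(document);
  }
}
```

Two design points worth keeping if this is ever adopted: the referrer host is parsed and compared exactly, so a lookalike such as `accounts.google.com.evil.example` does not satisfy the check the way a substring test would; and a blank `document.referrer` (which the referrer policy of the sign-in page can produce) yields no banner rather than a guess, so the worst case is the status quo the PR's one-liner already covers.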

Reported by a reviewer (Nico): clicking "Approve in JIT" the first
time in a fresh browser session lands on the JIT homepage instead of
the proposal-acceptance view. Cause: IAP's OAuth roundtrip during
sign-in occasionally strips the URL's query string (where we encode
the proposal token via `?f=/environments/.../proposal/{token}`).
Clicking the Slack button a second time replays the URL with a fresh
IAP cookie and works.

Until Google preserves query strings reliably across the IAP OAuth
roundtrip — or we add frontend detection of "homepage but came from
accounts.google.com" — the cheapest fix is to tell reviewers
inline in the DM what to do. Adding a one-liner to the existing
ContextBlock; the rest of the message is unchanged.

Bump to 2.3.0-wavemm.7.
phosphore merged commit 1e89fb8 into master on May 8, 2026
1 check passed
