authorTrygve Aaberge <trygveaa@gmail.com>2020-05-05 22:23:46 +0200
committerTrygve Aaberge <trygveaa@gmail.com>2020-05-05 23:55:15 +0200
commit8379f8a5ee270625afd3ac427ed8ee7f03ac2501 (patch)
tree66276d7914f3a68eed90f8dda92c56dc4e921667
parent5d27e9066bff8083326fe84877b50f2940d051de (diff)
downloadwee-slack-8379f8a5ee270625afd3ac427ed8ee7f03ac2501.tar.gz
Fix /slack register not working after API change
Slack now disallows # in OAuth redirect URIs, so we can't use it to prevent GitHub Pages from seeing the OAuth code anymore. Since the OAuth code is only valid once and expires after 10 minutes, I don't think it's a problem that it is exposed to GitHub Pages, so this is the new default, which lets the same registration process be kept. However, for people worried about this, there's a new -nothirdparty option to /slack register, which doesn't expose the code. Fixes #766
-rw-r--r--README.md4
-rw-r--r--docs/Commands.md6
-rw-r--r--docs/oauth.html6
-rw-r--r--wee_slack.py47
4 files changed, 47 insertions, 16 deletions
diff --git a/README.md b/README.md
index f2d36e3..fc136d3 100644
--- a/README.md
+++ b/README.md
@@ -124,6 +124,10 @@ wee-slack script.
/python reload slack
```
+Note that by default GitHub Pages will see a temporary code used to create your
+token (but not the token itself). If you're worried about this, you can use the
+`-nothirdparty` option, though the process will be a bit less user friendly.
+
The tokens you add will be stored in the option
`plugins.var.python.slack.slack_api_token`. If you don't want to store your API
token in plaintext you can use the secure features of WeeChat:
diff --git a/docs/Commands.md b/docs/Commands.md
index ce5240e..8ba5dc3 100644
--- a/docs/Commands.md
+++ b/docs/Commands.md
@@ -95,13 +95,17 @@ Hide or unhide all channels marked as distracting.
### register
```
-/slack register [code/token]
+/slack register [-nothirdparty] [code/token]
```
Register a Slack team in wee-slack. Call this without any arguments and
follow the instructions to register a new team. If you already have a token
for a team, you can call this with that token to add it.
+By default GitHub Pages will see a temporary code used to create your token
+(but not the token itself). If you're worried about this, you can use the
+-nothirdparty option, though the process will be a bit less user friendly.
+
### rehistory
```
diff --git a/docs/oauth.html b/docs/oauth.html
index 7ef4d99..3490bbb 100644
--- a/docs/oauth.html
+++ b/docs/oauth.html
@@ -16,15 +16,15 @@
</style>
<script type="text/javascript">
document.addEventListener('DOMContentLoaded', function() {
- var locationsHash = location.hash
- .replace(/^#\?/, '')
+ var locationsSearch = location.search
+ .replace(/^\?/, '')
.split('&')
.reduce((obj, query) => {
split = query.split('=');
obj[split[0]] = split[1];
return obj}, {}
)
- var code = locationsHash['code'];
+ var code = locationsSearch['code'];
if (code) {
document.getElementById('with-code').style.display = 'block';
} else {
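Review bot: Reading the code from `location.search` leaves it in the address bar and in browser history, and depending on the browser's referrer policy it may also be sent in a `Referer` header for any link or resource the page requests. After `var code = locationsSearch['code'];` the page could drop it from the URL with `history.replaceState(null, '', location.pathname);`, and a `<meta name="referrer" content="no-referrer">` in the head would cover the referrer case. The handler continues past the end of the hunk, so whether the page re-reads the URL later is not visible here.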
diff --git a/wee_slack.py b/wee_slack.py
index 77a9895..d6b5763 100644
--- a/wee_slack.py
+++ b/wee_slack.py
@@ -42,9 +42,9 @@ except NameError: # Python 3
basestring = unicode = str
try:
- from urllib.parse import urlencode
+ from urllib.parse import quote, urlencode
except ImportError:
- from urllib import urlencode
+ from urllib import quote, urlencode
try:
from json import JSONDecodeError
@@ -3924,38 +3924,61 @@ def me_command_cb(data, current_buffer, args):
@utf8_decode
def command_register(data, current_buffer, args):
"""
- /slack register [code/token]
+ /slack register [-nothirdparty] [code/token]
Register a Slack team in wee-slack. Call this without any arguments and
follow the instructions to register a new team. If you already have a token
for a team, you can call this with that token to add it.
+
+ By default GitHub Pages will see a temporary code used to create your token
+ (but not the token itself). If you're worried about this, you can use the
+ -nothirdparty option, though the process will be a bit less user friendly.
"""
CLIENT_ID = "2468770254.51917335286"
CLIENT_SECRET = "dcb7fe380a000cba0cca3169a5fe8d70" # Not really a secret.
- REDIRECT_URI = "https%3A%2F%2Fwee-slack.github.io%2Fwee-slack%2Foauth%23"
- if not args:
+ REDIRECT_URI_GITHUB = "https://wee-slack.github.io/wee-slack/oauth"
+ REDIRECT_URI_NOTHIRDPARTY = "http://not.a.realhost/"
+
+ args = args.strip()
+ if " " in args:
+ nothirdparty_arg, _, code = args.partition(" ")
+ nothirdparty = nothirdparty_arg == "-nothirdparty"
+ else:
+ nothirdparty = args == "-nothirdparty"
+ code = "" if nothirdparty else args
+ redirect_uri = quote(REDIRECT_URI_NOTHIRDPARTY if nothirdparty else REDIRECT_URI_GITHUB, safe='')
+
+ if not code:
+ if nothirdparty:
+ nothirdparty_note = ""
+ last_step = "You will see a message that the site can't be reached, this is expected. The URL for the page will have a code in it of the form `?code=<code>`. Copy the code after the equals sign, return to weechat and run `/slack register -nothirdparty <code>`."
+ else:
+ nothirdparty_note = "\nNote that by default GitHub Pages will see a temporary code used to create your token (but not the token itself). If you're worried about this, you can use the -nothirdparty option, though the process will be a bit less user friendly."
+ last_step = "The web page will show a command in the form `/slack register <code>`. Run this command in weechat."
message = textwrap.dedent("""
- ### Connecting to a Slack team with OAuth ###
+ ### Connecting to a Slack team with OAuth ###{}
1) Paste this link into a browser: https://slack.com/oauth/authorize?client_id={}&scope=client&redirect_uri={}
2) Select the team you wish to access from wee-slack in your browser. If you want to add multiple teams, you will have to repeat this whole process for each team.
3) Click "Authorize" in the browser.
If you get a message saying you are not authorized to install wee-slack, the team has restricted Slack app installation and you will have to request it from an admin. To do that, go to https://my.slack.com/apps/A1HSZ9V8E-wee-slack and click "Request to Install".
- 4) The web page will show a command in the form `/slack register <code>`. Run this command in weechat.
- """).strip().format(CLIENT_ID, REDIRECT_URI)
- w.prnt("", message)
+ 4) {}
+ """).strip().format(nothirdparty_note, CLIENT_ID, redirect_uri, last_step)
+ w.prnt("", "\n" + message)
return w.WEECHAT_RC_OK_EAT
- elif args.startswith('xox'):
- add_token(args)
+ elif code.startswith('xox'):
+ add_token(code)
return w.WEECHAT_RC_OK_EAT
uri = (
"https://slack.com/api/oauth.access?"
"client_id={}&client_secret={}&redirect_uri={}&code={}"
- ).format(CLIENT_ID, CLIENT_SECRET, REDIRECT_URI, args)
+ ).format(CLIENT_ID, CLIENT_SECRET, redirect_uri, code)
params = {'useragent': 'wee_slack {}'.format(SCRIPT_VERSION)}
w.hook_process_hashtable('url:', params, config.slack_timeout, "", "")
w.hook_process_hashtable("url:{}".format(uri), params, config.slack_timeout, "register_callback", "")
return w.WEECHAT_RC_OK_EAT
+command_register.completion = '-nothirdparty %-'
+
@utf8_decode
def register_callback(data, command, return_code, out, err):
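Review bot: `REDIRECT_URI_NOTHIRDPARTY = "http://not.a.realhost/"` relies on the host not resolving, but `.realhost` is not a reserved name and the scheme is plain HTTP. A resolver that rewrites NXDOMAIN answers, or a captive portal, would therefore receive the `?code=` query in cleartext, which is the exposure `-nothirdparty` is meant to avoid. A name under the reserved `.invalid` TLD (RFC 6761) with `https://`, for example `"https://wee-slack.invalid/"`, should never resolve and would not send the query unencrypted even if it were answered; the value presumably has to match a redirect URI registered for the Slack app, so that registration would need updating too. Separately, `code` goes into the `oauth.access` URL unescaped; since `quote` is now imported, passing `quote(code, safe='')` in the final `.format(...)` would keep a mis-pasted value from adding extra query parameters.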