fix(slack): prevent duplicate workspace installs (#2989)

* fix(slack): prevent duplicate workspace installs

* fix(slack): show suspended integration state

* fix(slack): suspend detached duplicate installs

* fix(slack): allow disconnecting suspended installs

* fix(slack): preserve existing duplicate lookup order

Author: RSO

apps/web/src/app/api/integrations/slack/callback/route.ts

@@ -4,7 +4,10 @@ import { getUserFromAuth } from '@/lib/user.server';
 import { ensureOrganizationAccess } from '@/routers/organizations/utils';
 import type { Owner } from '@/lib/integrations/core/types';
 import { captureException, captureMessage } from '@sentry/nextjs';
-import { upsertSlackInstallation } from '@/lib/integrations/slack-service';
+import {
+  SlackWorkspaceAlreadyConnectedError,
+  upsertSlackInstallation,
+} from '@/lib/integrations/slack-service';
 import { verifyOAuthState } from '@/lib/integrations/oauth-state';
 import { APP_URL } from '@/lib/constants';
 import { bot } from '@/lib/bot';
@@ -128,7 +131,17 @@ export async function GET(request: NextRequest) {
     const { teamId, installation } = await slackAdapter.handleOAuthCallback(patchedRequest);
 
     // 8. Store installation in database
-    await upsertSlackInstallation({ owner, teamId, installation });
+    try {
+      await upsertSlackInstallation({ owner, teamId, installation });
+    } catch (error) {
+      if (error instanceof SlackWorkspaceAlreadyConnectedError) {
+        return NextResponse.redirect(
+          new URL(buildSlackRedirectPath(state, 'error=workspace_already_connected'), APP_URL)
+        );
+      }
+
+      throw error;
+    }
 
     // 9. Redirect to success page
     const successPath =

apps/web/src/components/integrations/SlackIntegrationDetails.tsx

@@ -26,6 +26,25 @@ type SlackIntegrationDetailsProps = {
   error?: string;
 };
 
+const slackConnectionErrorMessages: Record<string, string> = {
+  workspace_already_connected:
+    'This Slack workspace is already connected to another Kilo account or organization. Disconnect it there before connecting it here.',
+};
+
+const duplicateSlackWorkspaceMigration = 'duplicate_slack_workspace_migration';
+
+function getSlackConnectionErrorMessage(error: string): string {
+  return slackConnectionErrorMessages[error] ?? `Connection failed: ${error}`;
+}
+
+function getSuspendedSlackIntegrationMessage(suspendedBy: string | null): string {
+  if (suspendedBy === duplicateSlackWorkspaceMigration) {
+    return 'This Slack integration was suspended because the workspace was also connected to another Kilo account or organization. It will not receive Slack messages. Disconnect the other Kilo connection for this Slack workspace, then re-install Slack here.';
+  }
+
+  return 'This Slack integration is suspended and will not receive Slack messages. Re-install Slack to restore the connection.';
+}
+
 export function SlackIntegrationDetails({
   organizationId,
   success,
@@ -127,7 +146,7 @@ export function SlackIntegrationDetails({
       toast.success('Slack connected successfully!');
     }
     if (error) {
-      toast.error(`Connection failed: ${error}`);
+      toast.error(getSlackConnectionErrorMessage(error));
     }
   }, [success, error]);
 
@@ -239,10 +258,19 @@ export function SlackIntegrationDetails({
 
   const isInstalled = installationData?.installed;
   const installation = installationData?.installation;
+  const isSuspended = installation?.status === 'suspended';
   const missingScopes = installation?.missingScopes ?? [];
 
   return (
     <div className="space-y-6">
+      {error && (
+        <Alert variant="destructive">
+          <XCircle className="h-4 w-4" />
+          <AlertTitle>Could not connect Slack</AlertTitle>
+          <AlertDescription>{getSlackConnectionErrorMessage(error)}</AlertDescription>
+        </Alert>
+      )}
+
       {isInstalled && missingScopes.length > 0 && (
         <Alert variant="warning">
           <AlertTriangle className="h-4 w-4" />
@@ -264,6 +292,24 @@ export function SlackIntegrationDetails({
         </Alert>
       )}
 
+      {installation && isSuspended && (
+        <Alert variant="warning">
+          <AlertTriangle className="h-4 w-4" />
+          <AlertTitle>Slack integration suspended</AlertTitle>
+          <AlertDescription className="gap-3">
+            <p>{getSuspendedSlackIntegrationMessage(installation.suspendedBy)}</p>
+            <Button
+              onClick={handleInstall}
+              disabled={isStartingSlackConnection || isFetchingOAuthUrl}
+              className="bg-yellow-400 text-yellow-950 hover:bg-yellow-300"
+            >
+              <RefreshCw className="mr-2 h-4 w-4" />
+              {isStartingSlackConnection || isFetchingOAuthUrl ? 'Loading...' : 'Re-install Slack'}
+            </Button>
+          </AlertDescription>
+        </Alert>
+      )}
+
       {/* Installation Status Card */}
       <Card>
         <CardHeader>
@@ -277,7 +323,12 @@ export function SlackIntegrationDetails({
                 Create PRs, debug code, ask questions about your repos, etc. directly from Slack
               </CardDescription>
             </div>
-            {isInstalled ? (
+            {isSuspended ? (
+              <Badge variant="destructive" className="flex items-center gap-1">
+                <AlertTriangle className="h-3 w-3" />
+                Suspended
+              </Badge>
+            ) : isInstalled ? (
               <Badge variant="default" className="flex items-center gap-1">
                 <CheckCircle2 className="h-3 w-3" />
                 Connected
@@ -291,7 +342,7 @@ export function SlackIntegrationDetails({
           </div>
         </CardHeader>
         <CardContent className="space-y-4">
-          {isInstalled && installation ? (
+          {installation ? (
             <>
               {/* Installation Details */}
               <div className="space-y-3 rounded-lg border p-4">
@@ -319,6 +370,16 @@ export function SlackIntegrationDetails({
                       : 'Unknown'}
                   </span>
                 </div>
+                {isSuspended && (
+                  <div className="flex items-center justify-between">
+                    <span className="text-sm font-medium">Suspended:</span>
+                    <span className="text-sm">
+                      {installation.suspendedAt
+                        ? new Date(installation.suspendedAt).toLocaleDateString()
+                        : 'Unknown'}
+                    </span>
+                  </div>
+                )}
               </div>
 
               {/* Model Selection */}
@@ -345,11 +406,13 @@ export function SlackIntegrationDetails({
                     <RefreshCw className="mr-2 h-4 w-4" />
                     {isStartingSlackConnection || isFetchingOAuthUrl ? 'Loading...' : 'Re-install'}
                   </Button>
-                  <TestConnectionButton
-                    isPending={testConnection.isPending}
-                    state={connectionCheck}
-                    onClick={handleTestConnection}
-                  />
+                  {!isSuspended && (
+                    <TestConnectionButton
+                      isPending={testConnection.isPending}
+                      state={connectionCheck}
+                      onClick={handleTestConnection}
+                    />
+                  )}
                   <Button
                     variant="destructive"
                     onClick={handleUninstall}

apps/web/src/lib/integrations/slack-service.test.ts

@@ -6,6 +6,8 @@ const mockUpdateSet = jest.fn();
 const mockUpdateWhere = jest.fn();
 const mockUpdateReturning = jest.fn();
 const mockDeleteWhere = jest.fn();
+const mockInsertValues = jest.fn();
+const mockInsertReturning = jest.fn();
 const mockAuthRevoke = jest.fn();
 const mockAuthTest = jest.fn();
 
@@ -24,6 +26,9 @@ jest.mock('@/lib/drizzle', () => ({
     update: jest.fn(() => ({
       set: mockUpdateSet,
     })),
+    insert: jest.fn(() => ({
+      values: mockInsertValues,
+    })),
   },
 }));
 
@@ -41,6 +46,7 @@ import type { SlackInstallation } from '@chat-adapter/slack';
 import {
   deleteInstallationByTeamId,
   getMissingSlackScopes,
+  SlackWorkspaceAlreadyConnectedError,
   SLACK_SCOPES,
   testConnection,
   uninstallApp,
@@ -56,6 +62,8 @@ function buildSlackIntegration(overrides: Record<string, unknown> = {}) {
     metadata: { access_token: 'xoxb-token' },
     platform_installation_id: 'T123',
     platform_account_id: 'T123',
+    owned_by_user_id: owner.id,
+    owned_by_organization_id: null,
     ...overrides,
   };
 }
@@ -136,6 +144,27 @@ describe('slack-service uninstallApp', () => {
     expect(deleteChatSdkInstallation).toHaveBeenCalledWith('T456');
     expect(mockDeleteWhere).toHaveBeenCalledTimes(1);
   });
+
+  it('disconnects suspended integrations without deleting shared Slack installation state', async () => {
+    mockLimit.mockResolvedValue([
+      buildSlackIntegration({
+        integration_status: 'suspended',
+        platform_installation_id: null,
+        platform_account_id: 'T456',
+      }),
+    ]);
+    const deleteChatSdkInstallation = jest.fn(async (_teamId: string): Promise<void> => {});
+    const deleteChatSdkIdentityCache = jest.fn(async (_teamId: string): Promise<void> => {});
+
+    await expect(
+      uninstallApp(owner, { deleteChatSdkInstallation, deleteChatSdkIdentityCache })
+    ).resolves.toEqual({ success: true });
+
+    expect(mockAuthRevoke).not.toHaveBeenCalled();
+    expect(deleteChatSdkInstallation).not.toHaveBeenCalled();
+    expect(deleteChatSdkIdentityCache).not.toHaveBeenCalled();
+    expect(mockDeleteWhere).toHaveBeenCalledTimes(1);
+  });
 });
 
 describe('slack-service deleteInstallationByTeamId', () => {
@@ -233,6 +262,10 @@ describe('upsertSlackInstallation', () => {
     mockUpdateSet.mockReturnValue({ where: mockUpdateWhere });
     mockUpdateWhere.mockReturnValue({ returning: mockUpdateReturning });
     mockUpdateReturning.mockResolvedValue([buildSlackIntegration()]);
+    mockInsertValues.mockReset();
+    mockInsertReturning.mockReset();
+    mockInsertValues.mockReturnValue({ returning: mockInsertReturning });
+    mockInsertReturning.mockResolvedValue([buildSlackIntegration()]);
   });
 
   it('preserves the selected model when refreshing an existing installation', async () => {
@@ -263,7 +296,44 @@ describe('upsertSlackInstallation', () => {
           incoming_webhook: { channel: '#general', channelId: 'C123', url: 'https://example.com' },
           model_slug: 'anthropic/claude-sonnet-4.5',
         }),
+        platform_installation_id: 'T123',
       })
     );
   });
+
+  it('rejects installing a Slack workspace connected to another owner', async () => {
+    mockLimit
+      .mockResolvedValueOnce([])
+      .mockResolvedValueOnce([buildSlackIntegration({ owned_by_user_id: 'user-2' })]);
+
+    const installation = {
+      botToken: 'xoxb-new-token',
+      botUserId: 'U_NEW_BOT',
+      teamName: 'Kilo Team',
+    } satisfies SlackInstallation;
+
+    await expect(upsertSlackInstallation({ owner, teamId: 'T123', installation })).rejects.toThrow(
+      SlackWorkspaceAlreadyConnectedError
+    );
+
+    expect(mockInsertValues).not.toHaveBeenCalled();
+    expect(mockUpdateSet).not.toHaveBeenCalled();
+  });
+
+  it('maps Slack workspace unique violations to a helpful install error', async () => {
+    mockLimit.mockResolvedValueOnce([]).mockResolvedValueOnce([]);
+    mockInsertReturning.mockRejectedValue({
+      constraint: 'UQ_platform_integrations_slack_platform_inst',
+    });
+
+    const installation = {
+      botToken: 'xoxb-new-token',
+      botUserId: 'U_NEW_BOT',
+      teamName: 'Kilo Team',
+    } satisfies SlackInstallation;
+
+    await expect(upsertSlackInstallation({ owner, teamId: 'T123', installation })).rejects.toThrow(
+      'Kilo Team is already connected to another Kilo account or organization'
+    );
+  });
 });