wee-slack: Session tokens no longer working

This morning my session token expired. I logged in to my browser and got a new one, but wee-slack can’t log in with it: ERROR: Failed connecting to Slack with token xoxc-...: invalid_auth

I’ve been using session tokens for several months and getting new ones every time they expired, and this is the first time I’ve had any issues.


IssueHunt Summary

trygveaa has been rewarded.

Backers (Total: $432.00)


About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 24
  • Comments: 36 (8 by maintainers)

Most upvoted comments

I’d be happy to chip in on a bounty for this one. I don’t have the time nor knowledge of the codebase nor Slack protocol to contribute directly, but I’ll happily support anyone who does. Anyone with me? Using Slack without wee-slack is severely slowing me down @ dayjob.

To get proper read status on threads, I moved to session tokens and just found that it’s a broken feature. While that’s the case, it’s probably best to remove the session tokens from documentation to avoid new users running into the issue.

Support for this has now been added in PR #857 (not merged yet). Please test it out and report any issues.

Hi all… Any workarounds we can use for now even if it’s complicated?

It’s a workaround but not quite the workaround I think most of us need. I’m sure the biggest reason most of us here have to use the tokens is because we can’t get the Slack org to install anything. Token access is usually the workaround for not being able to install apps. Which we can’t do to work around the failing token auth.

Sorry I’ve been absent lately. I’ve now registered wee-slack on IssueHunt as requested above. I’ve also started doing some work on this (can’t give any time frame though).

Is there a current workaround with the OAuth token instead of the session token?

@Enqueued: If you can add the wee-slack app in your Slack team, you can use OAuth tokens as normal, they’re not affected by this. However, you can’t use OAuth tokens if you can’t add the app.

Count me in as contributing to a bounty for this!

@megalithic can you set the project up on IssueHunt or a similar site so I can get this ball rolling?

I tested a bit, and saw that the rtm.start API can’t be used with xoxc-tokens. So we need to rewrite to use other API endpoints to get the data we use from rtm.start. Currently rtm.start is used to populate much of the initial info, i.e. the profile, users, bots, user groups, preferences (muted channels and highlight words) and list of channels and direct messages. So this might be a rather large task, which requires calling multiple other endpoints. The biggest issue is probably that wee-slack currently expects to be aware of all the users and channels on the team (which rtm.start does return), while the new API endpoints only return a limited amount and are paginated to get more.

After that is done, we can add support for specifying the d cookie in addition to the token, which should be pretty easy. Though the current slack_api_token is already a bit inconvenient, and would be even worse with a cookie as well, so we should probably change the config to have a section per team, like in the irc config.

I tried to look at the request from the Slack web interface, and attempted to create a minimum request that connects to a websocket. It looked like this:

URL: wss://wss-primary.slack.com/?token=xoxc-xxxxxx&gateway_server=<workspace_id>
Cookie: d=ynd9q%2FWq...

It would fail if any of the token, gateway_server or d in Cookie is missing. The d cookie’s expiry is 10 years.
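The request described in the comment above, assembled in Python as an added example (it is not part of the original thread and not wee-slack's code). The function names and the sample values are hypothetical; the example assumes the `d` cookie value may be supplied either raw or already percent-encoded, and it redacts credentials the same way the `xoxc-...` error message does.

```python
from urllib.parse import quote, unquote, urlencode

# Host exactly as quoted in the comment above.
WS_HOST = "wss://wss-primary.slack.com/"


def redact(secret, keep=5):
    """Keep only a short prefix so credentials never reach logs whole."""
    return secret[:keep] + "..." if len(secret) > keep else "..."


def build_ws_request(token, workspace_id, d_cookie):
    """Return (url, headers) for the websocket connection described above.

    All three inputs are required: the thread reports that the connection
    fails if the token, gateway_server or the d cookie is missing.
    """
    fields = (("token", token),
              ("gateway_server", workspace_id),
              ("d cookie", d_cookie))
    missing = [name for name, value in fields if not value]
    if missing:
        raise ValueError("missing: " + ", ".join(missing))
    if not token.startswith("xoxc-"):
        # Never echo the full token in an error message.
        raise ValueError("expected an xoxc- token, got " + redact(token))
    # The browser shows the cookie percent-encoded (d=ynd9q%2FWq...).
    # Assumption: decoding and re-encoding normalises both raw and
    # already-encoded input and avoids sending a double-encoded value.
    cookie_value = quote(unquote(d_cookie), safe="")
    query = urlencode({"token": token, "gateway_server": workspace_id})
    return WS_HOST + "?" + query, {"Cookie": "d=" + cookie_value}


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    url, headers = build_ws_request("xoxc-constructed-0000",
                                    "T00000000", "abc/def+g=")
    print(url.replace("xoxc-constructed-0000", redact("xoxc-constructed-0000")))
    print("Cookie: d=" + redact(headers["Cookie"][2:], keep=3))
```
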

If we don’t fix this bug soon, it’s only going to get worse. I’ve now accepted that I can’t add any new workspaces to wee-slack, but my existing ones still work. But for how long? Every day that goes by, the risk increases that another workflow I rely on will go away.

https://cancel.fm/ripcord has a working authentication flow so it should be possible to use that cookie in conjunction with the xoxc token to authenticate again. It’ll probably require a PR to work with the new flow.

So apparently, the customize page now has a token starting with xoxc instead of xoxs. These are two different types of tokens. After they changed to xoxc in the main app interface a long time ago, I feared they would change it on the customize page at some point too 😦

Tokens starting with xoxc can’t currently be used by wee-slack. I’m not sure how to get them to work, or if it is even possible for us to use them, but I guess I’ll have to look into it.