pvzig / SlackKit

Build Slack apps, in Swift
MIT License

Slack API expects token passed in Authorization header instead of a GET parameter? #204

Closed katzenbaer closed 2 years ago

katzenbaer commented 2 years ago

The code I'm trying to run is simple:

let bot = SlackKit()
bot.addWebAPIAccessWithToken(token)
bot.webAPI?.conversationsList(success: { channels, nextCursor in
    print(channels)
}, failure: { error in
    print(error.localizedDescription)
})

I traced the URLRequest being sent and it seems like the URL is: https://slack.com/api/conversations.list?token=xoxb-SLACK-BOT-TOKEN

I tried sending this same request with Postman and got this response:

{
    "ok": false,
    "error": "invalid_auth"
}

But when I send a request to https://slack.com/api/conversations.list with the following header:

Authorization: Bearer xoxb-SLACK-BOT-TOKEN

it returns the expected response:

{
    "ok": true,
    "channels": [
        {
...

So I'm not sure why I'm the only one having the issue, but maybe it's because I created my app on the Slack API portal yesterday and it uses this new header auth style?

If that's the case, then it looks like this library needs to be updated to pass the token in the Authorization header for new Slack Apps.

Edit: Here's the changelog where they deprecated querystring authentication: https://api.slack.com/changelog/2020-11-no-more-tokens-in-querystrings-for-newly-created-apps
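
Added example, not part of the issue thread and not SlackKit's own code: a Foundation-only sketch of the request shape the comment above found to work, with the token in the `Authorization` header, only non-secret parameters in the query string, and a helper that redacts a legacy `token` query value before a URL is logged. The names `makeSlackRequest`, `redactedForLogging` and `SlackRequestError`, and the `limit` value, are assumptions made for illustration.

```swift
import Foundation
#if canImport(FoundationNetworking)
import FoundationNetworking  // URLRequest lives here on Linux
#endif

enum SlackRequestError: Error { case badURL }

/// Builds a Web API request that carries the token in the Authorization
/// header; only non-secret parameters are placed in the query string.
func makeSlackRequest(method: String, token: String,
                      parameters: [String: String] = [:]) throws -> URLRequest {
    guard var components = URLComponents(string: "https://slack.com/api/\(method)") else {
        throw SlackRequestError.badURL
    }
    // Drop a token that a caller left in the parameters (legacy style).
    let items = parameters
        .filter { $0.key != "token" }
        .sorted { $0.key < $1.key }
        .map { URLQueryItem(name: $0.key, value: $0.value) }
    components.queryItems = items.isEmpty ? nil : items
    guard let url = components.url else { throw SlackRequestError.badURL }

    var request = URLRequest(url: url)
    request.httpMethod = "GET"
    request.setValue("Bearer \(token)", forHTTPHeaderField: "Authorization")
    return request
}

/// Returns the URL as a string that is safe to log: any `token` query
/// value is replaced with a fixed marker.
func redactedForLogging(_ url: URL) -> String {
    guard var components = URLComponents(url: url, resolvingAgainstBaseURL: false) else {
        return "<unparseable URL>"
    }
    components.queryItems = components.queryItems?.map {
        $0.name == "token" ? URLQueryItem(name: $0.name, value: "REDACTED") : $0
    }
    return components.string ?? "<unparseable URL>"
}

// Constructed sample values; the token is the placeholder used in the issue.
let token = "xoxb-SLACK-BOT-TOKEN"
let request = try makeSlackRequest(method: "conversations.list", token: token,
                                   parameters: ["limit": "100", "token": token])
print(request.url!.absoluteString)
print(request.value(forHTTPHeaderField: "Authorization") != nil)

let legacy = URL(string: "https://slack.com/api/conversations.list?token=\(token)")!
print(redactedForLogging(legacy))
```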

katzenbaer commented 2 years ago

Okay, I just created a bot through https://my.slack.com/services/new/bot instead of through https://api.slack.com/apps and I can confirm that bots created the legacy way are able to pass the token as a GET parameter instead of through the Authorization header.

katzenbaer commented 2 years ago

And even though I created my legacy bot user today, it looks like bot.addRTMBotWithAPIToken(token) also always fails now because https://slack.com/api/rtm.start has been obsoleted for new bots (even if created through the legacy creation portal):

{
    "ok": false,
    "error": "method_deprecated"
}

According to this document:

Beginning November 30, 2021, newly created Slack apps will no longer be able to make API calls to rtm.start.

I took a look and SKRTMAPI does have a branch that calls WebAPI.rtmConnect(...) but it only executes when SKRTMAPI.connect(withInfo:) is called with withInfo: true, which never happens because all calls to SKRTMAPI.connect(withInfo:) use the SKRTMAPI.connect() variation with default args (so I'm not exactly sure why this branch exists in the first place).

katzenbaer commented 2 years ago

I'm down to take a stab at these issues, but I'm worried there are more methods I haven't tried to use yet that have been deprecated and even more confusion on what's needed for new legacy bots vs. new Slack Apps.

It seems like updating everything to be fully functional for new legacy bots and Slack Apps will probably be multiple iterations of work, so I'm not sure whether you would prefer we merge fixes to master as I'm able to help work on them or if it's better to start a WIP branch and hold off merging it to master until everything's fixed.

katzenbaer commented 2 years ago

RIP. I just noticed that a lot of these issues are being fixed on master already.

pvzig commented 2 years ago

Hey, thanks for the great issue! I believe the RTM issue and the token issue should be fixed on the main branch like you said. If you come across any other bugs or areas for improvement, issues and PRs are always welcome!