slackapi / bolt-js

A framework to build Slack apps using JavaScript
https://tools.slack.dev/bolt-js/
MIT License

slack_oauth_invalid_state for any new installations #1412

Closed Gregoor closed 2 years ago

Gregoor commented 2 years ago

Description

All of our installations have started returning slack_oauth_invalid_state. Now I suppose this originates from @slack/oauth but I thought I'd best post it here since we consume it through bolt.

I've looked at the actual JWT returns and the now field is set to 2022-04-04T12:02:32.918Z, even though the request was made at 2022-04-04T12:53:44.167Z. So with the default expiry of 600 seconds, that would explain it. Now why now is being set wrongly, I do not understand yet.

Bug Report


Reproducible in:

package version: 3.11.0

node version: 17.8.0

OS version(s): Mac OS 12.2.1

Gregoor commented 2 years ago

Okay looking at both these packages more I suppose @slack/oauth would have been a better place after all, so feel free to move.

But then looking at all the call-sites over there, I only see new Date() so I'm quite flabbergasted as to how this incorrect date could have even slipped in there.

Update: The now timestamp seems to always be 2022-04-04T12:02:32.918Z, no matter when I call it. Something is fishy here, but I don't quite understand what.

Gregoor commented 2 years ago

I think I got this all wrong, sorry for the noise. I was swallowing a Slack error telling me that The state parameter is not for this browser session. and the now-param always being the same was a misconfigured query cache on our side. Pardon moi!

Gregoor commented 2 years ago

Our issue seemed to be that we were not ready for non-legacyStateVerification and apparently one of the later updates made this the default. @seratch A note in the changelog about such potentially-breaking changes would be great, as I tend to scan them before updating. Or did I maybe just miss it?

seratch commented 2 years ago

@Gregoor Thanks for letting us know this. I've added the announcement section to the release note: https://github.com/slackapi/bolt-js/releases/tag/%40slack%2Fbolt%403.11.0