token parameter in apps.event.authorizations.list method call results in invalid_auth error #1498

Closed
1 of 6 tasks
seratch opened this issue Jun 17, 2022 · 4 comments · Fixed by #1737
Labels
bug M-T: A confirmed bug report. Issues are confirmed when the reproduction steps are documented pkg:web-api applies to `@slack/web-api`

Comments

Member

seratch commented Jun 17, 2022

If you pass an app-level token to WebClient's apps.event.authorizations.list method call, it results in an invalid_auth error code. A workaround is to pass the token to the WebClient constructor instead.

This fails with invalid_auth error:

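const { WebClient } = require('@slack/web-api');

// No token given to the constructor; the app-level token is passed per call
const client = new WebClient();
const result = await client.apps.event.authorizations.list({
  token: 'xapp-xxx',
  event_context: 'xxx'
});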

The following works:

// App-level token (xapp-...) given to the constructor instead
const client = new WebClient(token);
const result = await client.apps.event.authorizations.list({
  event_context: 'xxx'
});

This behavior should be improved.

Packages:

Select all that apply:

  • @slack/web-api
  • @slack/rtm-api
  • @slack/webhooks
  • @slack/oauth
  • @slack/socket-mode
  • I don't know

Reproducible in:

The Slack SDK version

any

Node.js runtime version

any

OS info

any

Contributor

filmaj commented Jan 25, 2024

@seratch do you think this is still an issue? The token-overriding logic in web-api is so simple, I don't see how this is possible.

Member Author

seratch commented Jan 26, 2024

@filmaj I just checked the behavior again and it seems that it's still an issue. Not sure why this could happen only (perhaps only) for this endpoint.

Contributor

filmaj commented Jan 26, 2024

Yes, very weird, I can reproduce this. Looking into it.

Contributor

filmaj commented Jan 26, 2024

It seems like web-api sends the token both in the body and as a header (just based on the debug output):

[DEBUG]  web-api:WebClient:0 initialized
[DEBUG]  web-api:WebClient:0 apiCall('apps.event.authorizations.list') start
[DEBUG]  web-api:WebClient:0 http request url: https://slack.com/api/apps.event.authorizations.list
[DEBUG]  web-api:WebClient:0 http request body: {"token":"[[REDACTED]]","event_context":"4-eyJldCI6Im1lc3NhZ2UiLCJ0aWQiOiJUMDI5VjY0NjhSTCIsImFpZCI6IkEwNjAxUkVRTDkzIiwiY2lkIjoiQzAyOVlUNUtFTUIifQ"}
[DEBUG]  web-api:WebClient:0 http request headers: {"Authorization":"[[REDACTED]]"}

I wonder if the backend responds with an error due to this note in this section of this method's docs:

For this method, you will need to pass this token in the HTTP Authorization header of your request; passing it as a POST parameter will result in an error.
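
Added example (not code from `@slack/web-api` or from anyone in this thread): one way a client could honour a per-call `token` for this method while sending it only in the Authorization header, as the docs note quoted above requires. `buildRequest` and `describeForLog` are hypothetical helpers, and the token and event_context values are constructed.

```javascript
// Added example: hypothetical helpers, not @slack/web-api source code.
const API_BASE = 'https://slack.com/api/';

// Build the parts of a Web API POST so the token travels only in the
// Authorization header. A per-call `token` overrides the client-level one.
function buildRequest(method, options = {}, clientToken) {
  // Pull `token` out of the call options so it can never reach the body.
  const { token: callToken, ...params } = options;
  const token = callToken ?? clientToken;
  if (typeof token !== 'string' || token.length === 0) {
    throw new Error(`no token available for ${method}`);
  }
  return {
    url: API_BASE + method,
    headers: {
      Authorization: `Bearer ${token}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    // Only the remaining method arguments are serialized.
    body: new URLSearchParams(params).toString(),
  };
}

// Copy of the request that is safe to write to debug logs:
// the credential is replaced before anything is printed.
function describeForLog(req) {
  return {
    url: req.url,
    body: req.body,
    headers: { ...req.headers, Authorization: '[[REDACTED]]' },
  };
}

// Constructed sample input: per-call app-level token, no client-level token.
function demo() {
  return buildRequest('apps.event.authorizations.list', {
    token: 'xapp-constructed-token',
    event_context: 'constructed-context',
  });
}

console.log(describeForLog(demo()));
```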
