
Token rotation/refresh not working #962

Closed
ccaruceru opened this issue Sep 19, 2023 · 7 comments
Labels
question Further information is requested

Comments

@ccaruceru
Contributor

Hi, I made a user-driven app with Bolt for python which uses a custom InstallationStore and OAuthStateStore to support google cloud storage, and the Slack app has token rotation enabled. But after a while the requests to Slack servers stop working and getting a not_authed error. E.g.:

slack_sdk.errors.SlackApiError: The request to the Slack API failed. (url: https://www.slack.com/api/reactions.get)
The server responded with: {'ok': False, 'error': 'not_authed'}

If I understand correctly, the rotation of the token should be handled by the Bolt framework. If that's not the case, is there anything else that must be implemented to support the refresh/rotation?

Environment:

  • slack_bolt version: 1.16.2
  • Python runtime version: python 3.10
  • OS info: Not sure. Running in Google App Engine. Assuming linux based.

Steps to reproduce:

Check the development setup guide here to get the repo running locally.

Expected result:

In the past the app was running w/o token rotation enabled on the Slack level and there were no authentication issues during the lifetime of the app when users interacted with it. But after activating it there are not_authed errors being thrown by the server after a period of time (w/ or w/o user inactivity in the app).

The workaround is to reinstall the app by visiting the /slack/install endpoint.

Actual result:

The Slack server communication works with no authentication issues.

@WilliamBergamin
Contributor

Hello @ccaruceru thanks for writing in 💯

The {'ok': False, 'error': 'not_authed'} payload indicates there was no token included in the request sent from your app to Slack. This suggests that somewhere in your implementation the token gets lost.

I took a quick look at your implementation (great job btw 🥇). I've been trying to compare it with our google_cloud_function.oauth implementation; this error may come from ignoring the is_enterprise_install field. Omitting this field and deploying the app to an enterprise workspace may lead to some weird outcomes with the OAuth flow, so I would suggest implementing it.

Let me know if this helps resolve your issue.

@WilliamBergamin WilliamBergamin added the question Further information is requested label Sep 19, 2023
@ccaruceru
Contributor Author

ccaruceru commented Sep 21, 2023

Hi @WilliamBergamin! Thanks for the quick reply. I'll have a look at how the is_enterprise_install is used in the GoogleDatastoreInstallationStore and see if I can come up with something this week 👀

Asked around and we're not using Slack Enterprise, only the Pro plan. The Slack app is installed on workspace level (not org-wide) so in theory is_enterprise_install should be False all the time 🤷🏻‍♂️

@ccaruceru
Contributor Author

Hey @WilliamBergamin!
I made some changes on this branch where I made use of is_enterprise_install, plus upgraded bolt to latest, and haven't had any not_authed errors since I deployed the app 2 weeks ago. I also double checked the contents of the install file for a random user and I saw that over time the refresh tokens (bot and user) were always changed and expiring in the future (next 12 hours at most, as it should be).

So I guess this is a case closed 😄

@ccaruceru
Contributor Author

ps: Let me know if you're interested in a PR to the bolt-python repo with the specific InstallationStore and OAuthStateStore classes I made for Google Cloud Storage 🙂

@seratch
Member

seratch commented Oct 3, 2023

Hi @ccaruceru, it's great to hear that you've resolved the issue!

As for the Google Cloud Storage implementation, if you're fine with spending more time on its unit tests with mocks like we do for the Amazon S3 one, we are happy to maintain the Google Cloud Storage implementation as one of the built-in modules!

Let me close this issue now 👋

@ccaruceru
Contributor Author

Hi again! Unfortunately I'm still encountering the same problem 😕

What I observed is that for some reason my user data fields in the installation become null, and that's why there's no valid token sent to Slack (and the not_authed error):

{ "user_token": null, "user_scopes": null, "user_refresh_token": null, "user_token_expires_at": null }

I also observed that there was another error before the not_authed started happening:

slack_sdk.errors.SlackApiError: The request to the Slack API failed. (url: https://www.slack.com/api/reactions.add)
The server responded with: {'ok': False, 'error': 'too_many_reactions'}

Which basically means the user tried to add too many reactions to the same message.

Would this error affect in any way the generation of the user tokens? What would happen if the token is due to be refreshed and there's an API error?
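The two failure modes raised in the post above (user-level fields turning null in the stored installation, and an API error hitting while a token is due for refresh), plus the is_enterprise_install lookup point from the earlier reply, as an added example. This is not slack_bolt or slack_sdk code: the field names follow the bot_*/user_* columns of a Bolt Installation record, but the in-memory store, its merge-on-save rule, the refresh callback and the two-hour refresh window are all assumptions of this example.

```python
# Added example (not slack_bolt/slack_sdk code): a minimal in-memory
# installation store plus a token-rotation step. Field names follow the
# bot_*/user_* columns of a Bolt Installation record; the store API, the
# merge-on-save rule and the refresh callback are assumptions of this example.
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Installation:
    enterprise_id: Optional[str]
    team_id: Optional[str]
    user_id: str
    is_enterprise_install: bool
    bot_token: Optional[str] = None
    bot_refresh_token: Optional[str] = None
    bot_token_expires_at: Optional[int] = None  # unix seconds
    user_token: Optional[str] = None
    user_refresh_token: Optional[str] = None
    user_token_expires_at: Optional[int] = None


USER_FIELDS = ("user_token", "user_refresh_token", "user_token_expires_at")
Key = Tuple[Optional[str], Optional[str], str]


def installation_key(enterprise_id: Optional[str], team_id: Optional[str],
                     user_id: str, is_enterprise_install: bool) -> Key:
    # An org-wide install is shared by every workspace of the enterprise, so
    # team_id must not be part of the key when is_enterprise_install is True.
    return (enterprise_id, None if is_enterprise_install else team_id, user_id)


class MemoryInstallationStore:
    """Hypothetical store with the save/find_installation pair a custom
    InstallationStore has to provide; the merge rule in save() is this
    example's own, not something the framework guarantees."""

    def __init__(self) -> None:
        self._rows: Dict[Key, Installation] = {}

    def save(self, inst: Installation) -> Installation:
        k = installation_key(inst.enterprise_id, inst.team_id,
                             inst.user_id, inst.is_enterprise_install)
        old = self._rows.get(k)
        if old is not None:
            # A record arriving without user credentials (e.g. a bot-only
            # refresh) must not null out user fields that are still on file.
            keep = {f: getattr(old, f) for f in USER_FIELDS
                    if getattr(inst, f) is None}
            inst = replace(inst, **keep)
        self._rows[k] = inst
        return inst

    def find_installation(self, enterprise_id: Optional[str], team_id: Optional[str],
                          user_id: str, is_enterprise_install: bool) -> Optional[Installation]:
        return self._rows.get(installation_key(enterprise_id, team_id,
                                               user_id, is_enterprise_install))


def missing_user_fields(inst: Installation) -> Tuple[str, ...]:
    """Diagnostic: which user-level fields are null (the symptom in the thread)."""
    return tuple(f for f in USER_FIELDS if getattr(inst, f) is None)


# refresh callback: refresh_token -> (access_token, new_refresh_token, expires_at)
RefreshFn = Callable[[str], Tuple[str, str, int]]
REFRESH_WINDOW_SECONDS = 2 * 60 * 60  # constructed threshold for this example


def rotate_if_needed(store: MemoryInstallationStore, inst: Installation,
                     now: int, refresh: RefreshFn) -> Installation:
    """Refresh every token expiring within the window and persist the result.
    A refresh call that raises stops the rotation; tokens already refreshed are
    still saved, and no credential is ever replaced by None."""
    changes: Dict[str, object] = {}
    for kind in ("bot", "user"):
        rt = getattr(inst, f"{kind}_refresh_token")
        exp = getattr(inst, f"{kind}_token_expires_at")
        if rt is None or exp is None or exp - now > REFRESH_WINDOW_SECONDS:
            continue
        try:
            access, new_rt, new_exp = refresh(rt)
        except Exception:
            break  # API error mid-rotation: keep what we have, retry on the next request
        changes.update({f"{kind}_token": access,
                        f"{kind}_refresh_token": new_rt,
                        f"{kind}_token_expires_at": new_exp})
    return store.save(replace(inst, **changes)) if changes else inst
```

The two properties worth checking in a real store are the ones this model encodes: a reload after a save never shows user fields as null that were non-null before, and a failed refresh leaves the previously stored tokens in place so the next request can retry rather than sending an empty token (which is what produces not_authed).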

@ccaruceru
Contributor Author

fyi, the app I deployed has been running all the time since the last time we spoke and I haven't experienced the errors since then. My gut feeling is that the Slack servers were replying with the "wrong" response and were fixed during this time.
