Token refresh documentation #622
Conversation
Codecov Report
@@ Coverage Diff @@
## master #622 +/- ##
=======================================
Coverage 92.01% 92.01%
=======================================
Files 7 7
Lines 426 426
Branches 78 78
=======================================
Hits 392 392
Misses 19 19
Partials 15 15Continue to review full report at Codecov.
|
|
@shanedewael can you target this PR at the |
|
whoa i didn't even know you could do that without closing the PR and opening a new one! 🎉 |
README.md
Outdated
| @@ -51,6 +51,8 @@ through building your first Slack app using Node.js. | |||
| that explains and compares the options. If you're still not sure, | |||
| [reach out for help](#getting-help) and our community can guide you. | |||
|
|
|||
| **Building a workspace app?** Token rotation is required for distributed workspace apps and recommended for non-distrubted. The `WebClient` takes care of this automagically when you pass in a refresh token. Take a look at [the `WebClient` documentation](https://slackapi.github.io/node-slack-sdk/web_api#using-refresh-tokens) to see a working example. | |||
There was a problem hiding this comment.
spelling (non-distribted -> non-distributed).
but actually, i think we don't have to be that specific here, maybe:
The
WebClientcan automatically handle token rotation for your app. Learn more about why you should enable token expiration (hint: its required for App Directory distribution).
docs/_pages/getting_started.md
Outdated
| a later step, you'll be asked to use this URL in your code. | ||
| website. You have the option to build a user-token app or a workspace app. Give your app a fun name and choose a Development Slack Workspace. We recommend using a workspace where you aren't going to disrupt real work getting done -- you can create a new workspace for free. | ||
|
|
||
| > ⚠️ For this guide, we'll assume you're building a [workspace app](https://api.slack.com/workspace-apps-preview). Workspace apps support Slack's latest-and-greatest platform features and will be required for distributed apps in the (near) future. However, most steps are the same for user-token apps. |
There was a problem hiding this comment.
Workspace apps support Slack's latest-and-greatest platform features and will be required for distributed apps in the (near) future.
spicy. is this true? it's likely, but i don't think we can state this for sure yet.
There was a problem hiding this comment.
oops I was thinking of refresh tokens when I wrote this 😓
docs/_pages/getting_started.md
Outdated
| of data, while others are very specific and let your app touch just a tiny sliver. Your users (and | ||
| their IT admins) will have opinions about which data your app should access, so we recommend finding | ||
| the scope(s) with the least amount of privilege for your app's needs. In this guide we will use the | ||
| Web API to perform a search for messages. The scope required for this is called `search:read`. Use | ||
| the dropdown or start typing its name to select and add the scope, then click "Save Changes". | ||
| Web API to post a message. The scope required for this is called `chat:write` (or `chat:write:user` for user-token apps). Use the dropdown or start typing its name to select and add the scope, then click "Save Changes". | ||
|
|
||
| Our app has described which scope it desires in the workspace, but a user hasn't authorized those | ||
| scopes for the development workspace yet. Scroll up and click "Install (or Reinstall) App". You'll |
There was a problem hiding this comment.
Install (or Reinstall) App -> Install App
docs/_pages/getting_started.md
Outdated
| of data, while others are very specific and let your app touch just a tiny sliver. Your users (and | ||
| their IT admins) will have opinions about which data your app should access, so we recommend finding | ||
| the scope(s) with the least amount of privilege for your app's needs. In this guide we will use the | ||
| Web API to perform a search for messages. The scope required for this is called `search:read`. Use | ||
| the dropdown or start typing its name to select and add the scope, then click "Save Changes". | ||
| Web API to post a message. The scope required for this is called `chat:write` (or `chat:write:user` for user-token apps). Use the dropdown or start typing its name to select and add the scope, then click "Save Changes". | ||
|
|
||
| Our app has described which scope it desires in the workspace, but a user hasn't authorized those | ||
| scopes for the development workspace yet. Scroll up and click "Install (or Reinstall) App". You'll | ||
| be back at the page asking you for permission, but this time with an additional entry corresponding |
There was a problem hiding this comment.
be taken to your app installation page. This page is asking you for permission to install the app in your development workspace with specific capabilities. That's right, the development workspace is like every other workspace -- apps must be authorized by a user each time it asks for more permissions. Go ahead and click "Continue". The next page asks you for which conversations the app should have access to create messages within. In this case, choose "No channels", which still allows the app to directly message users who install the App -- which means you.
Resume from "When you..."
docs/_pages/getting_started.md
Outdated
|
|
||
| ```shell | ||
| $ export SLACK_WEBHOOK_URL=https://hooks.slack.com/services/... | ||
| $ export SLACK_ACCESS_TOKEN=xoxa-... | ||
| ``` | ||
|
|
||
| Open `tutorial.js` and add the following code: |
There was a problem hiding this comment.
Create a file called tutorial.js and add the following code:
docs/_pages/web_client.md
Outdated
| @@ -220,6 +221,128 @@ web.channels.list((err, res) => { | |||
|
|
|||
| --- | |||
|
|
|||
| ### Using refresh tokens | |||
|
|
|||
| If you're using workspace apps, refresh tokens can be used to obtain short-lived access tokens that power your Web API calls from the `WebClient` (this is *required* for distributed apps). To enable the `WebClient` to automatically refresh and swap your access tokens, you need to pass your app's refresh token, client ID, and client secret in the `WebClientOptions`. | |||
There was a problem hiding this comment.
Maybe right after the first sentence: "This can increase the security of your app, since in the event of a token accidentally being exposed, that token cannot be used against your app or your users after a short time."
docs/_pages/web_client.md
Outdated
|
|
||
| If you're using workspace apps, refresh tokens can be used to obtain short-lived access tokens that power your Web API calls from the `WebClient` (this is *required* for distributed apps). To enable the `WebClient` to automatically refresh and swap your access tokens, you need to pass your app's refresh token, client ID, and client secret in the `WebClientOptions`. | ||
|
|
||
| At the time of refresh, the `WebClient` will emit a `token_refreshed` event that will contain the new access token (`access_token`) and time to expiration (`expires_in`). It's recommended to listen to this event and store the access token in a database so you have access to your active token. |
There was a problem hiding this comment.
the event also contains team_id and enterprise_id.
docs/_pages/web_client.md
Outdated
| const secret = process.env.SLACK_CLIENT_SECRET; | ||
|
|
||
| // Intialize a data structure to store team access token info (typically stored in a database) | ||
| const slackAccessTokens = {}; |
There was a problem hiding this comment.
i've got multiple suggestions here but i think it would be easier to talk about in person.
docs/_pages/web_client.md
Outdated
|
|
||
| Note: Before implementing it on your own, it's suggested you read through the [token rotation documentation](http://api.slack.com/docs/rotating-and-refreshing-credentials). | ||
|
|
||
| If you need more control over token refreshing, you don't need to pass in your refresh token, client ID, or client secret. However, you'll need to listen for `invalid_auth` errors and handle calls to `oauth.access` to fetch new access tokens: |
docs/_pages/web_client.md
Outdated
| .then(console.log) | ||
| .catch((error) => { | ||
| if (error.code === ErrorCode.PlatformError && error.data.error === 'invalid_auth') { | ||
| return refreshToken() |
There was a problem hiding this comment.
maybe a comment here to say "this error could have occurred because of an expired token, refresh and try again"
Codecov Report
@@ Coverage Diff @@
## feat-short-lived-tokens #622 +/- ##
========================================================
Coverage 92.01% 92.01%
========================================================
Files 7 7
Lines 426 426
Branches 78 78
========================================================
Hits 392 392
Misses 19 19
Partials 15 15Continue to review full report at Codecov.
|
docs/_pages/getting_started.md
Outdated
| return to the OAuth & Permissions page copy the OAuth Access Token (it should begin with `xoxa`). Treat this value like a password and keep it safe. The Web API uses tokens to to authenticate the requests your app makes. In a later step, you'll be asked to use this token in your code. | ||
| Our app has described which scope it desires in the workspace, but a user hasn't authorized those scopes for the development workspace yet. Scroll up and click "Install App". You'll be taken to your app installation page. This page is asking you for permission to install the app in your development workspace with specific capabilities. That's right, the development workspace is like every other workspace -- apps must be authorized by a user each time it asks for more permissions. | ||
|
|
||
| Go ahead and click "Continue". The next page asks you which conversations the app should be able to post messages in. In this case, choose "No channels", which still allows the app to directly message who install the App -- which means you. |
There was a problem hiding this comment.
directly message users who install the App
| @@ -141,82 +147,6 @@ ideas about where to look next: | |||
|
|
|||
There was a problem hiding this comment.
line above still references a dev instance in the URL, change that.
docs/_pages/web_client.md
Outdated
| @@ -231,32 +231,69 @@ At the time of refresh, the `WebClient` will emit a `token_refreshed` event that | |||
| const { WebClient } = require('@slack/client'); | |||
|
|
|||
| const refreshToken = process.env.SLACK_REFRESH_TOKEN; | |||
Summary
Refresh token documentation
Requirements (place an
xin each[ ])