[slack-status ] Authentication Loop—Doesn't work anymore #15917

Open
xmadscientist opened this issue Dec 17, 2024 · 22 comments
Labels: bug, extension: slack-status, extension

Comments

@xmadscientist

Extension

https://www.raycast.com/petr/slack-status

Raycast Version

1.88.3

macOS Version

14.7.1

Description

I keep getting put into an authentication loop.

image

image

And cannot actually set statuses anymore.

Steps To Reproduce

  1. Run slack-status from Raycast
  2. When the prompt for re-connecting your Slack account shows up, click on the Confirm button.
  3. Sign into your Slack workspace.
  4. After signing in and authenticating, click Allow
  5. You will see a success message saying that you were successfully authenticated
  6. Raycast will open, but you will not be authenticated.
  7. You will be looped back to step #2

Current Behaviour

N/A—outlined above.

Expected Behaviour

Get authenticated and start using slack-status from Raycast.

@xmadscientist xmadscientist added bug Something isn't working extension Issues related to one of the extensions in the Store labels Dec 17, 2024
@raycastbot raycastbot added the extension: slack-status Issues related to the slack-status extension label Dec 17, 2024
@raycastbot
Collaborator

Thank you for opening this issue!

🔔 @PitNikola @johnhampton @thomaspaulmann @pernielsentikaer @ramsaysewell @henrik you might want to have a look.

💡 Author and Contributors commands

The author and contributors of petr/slack-status can trigger bot actions by commenting:

  • @raycastbot close this issue Closes the issue.
  • @raycastbot close as not planned Closes the issue as not planned.
  • @raycastbot rename this issue to "Awesome new title" Renames the issue.
  • @raycastbot reopen this issue Reopens the issue.
  • @raycastbot assign me Assigns yourself to the issue.
  • @raycastbot good first issue Adds the "Good first issue" label to the issue.
  • @raycastbot keep this issue open Make sure the issue won't go stale and will be kept open by the bot.

@pernielsentikaer
Collaborator

CC @henrik

@henrik
Contributor

henrik commented Dec 18, 2024

Just getting on a plane but will look soon.

@xmadscientist When you go through the auth flow, does Slack list dnd among the permissions?

Basically the code tries to get DND status and if it fails due to missing permissions, it logs you out and when you log back in, that should be with the right permissions.

@xmadscientist
Author

image

This is what it's requesting, @henrik.

@henrik
Contributor

henrik commented Dec 18, 2024

Thanks! I tried the upgrade flow several times when writing it (having old permissions, running the extension, being logged out, logging back in) and never saw this issue 🤔

Would be interesting to hear if this is an isolated issue – is it working for others?

Does Raycast show any error message (toast bottom left) when it happens? If so, can you expand it and tell me what it says?

If you're willing to debug further, you could go to https://CHANGE_THIS.slack.com/apps/manage, find Raycast among your installed apps, and confirm that the "Permissions" tab includes "dnd:read".

You could also go to its "App details" tab, then "Configuration", then try revoking your authorization from there, and going through the flow again.

If that doesn't help, does @pernielsentikaer have any suggestions on Raycast debugging practices? Could we make an update with a lot of sprinkled console.log-ing, and is there then a way for a user to get at those logs?

@xmadscientist
Author

image

It does include dnd:read!

> You could also go to its "App details" tab, then "Configuration", then try revoking your authorization from there, and going through the flow again.

Trying this right now.

@xmadscientist
Author

> Does Raycast show any error message (toast bottom left) when it happens? If so, can you expand it and tell me what it says?

Nope! It doesn't show any error messages. In fact, it flashes the "Slack successfully connected" Raycast panel for a few frames before looping back to asking for authorization again.

@henrik
Contributor

henrik commented Dec 18, 2024

Thanks! This is the relevant code:

```typescript
let dndResponse;
let dndCalled = false;
while (!dndCalled) {
  try {
    dndResponse = await slack.dnd.info();
    dndCalled = true;
    if (!dndResponse.ok) {
      throw Error("Failed to fetch DND info");
    }
  } catch (error: unknown) {
    // We added new scopes for DND. Old installs don't automatically upgrade scopes.
    // The `instanceof` is a type guard.
    if (!(error instanceof Error) || !error.message.includes("missing_scope")) {
      throw error;
    }
    // We don't care about the response. The user *needs* to reconnect.
    // There's no option for a cancel-less alert AFAIK.
    await confirmAlert({
      title: "Missing permissions after upgrade",
      message: "Reconnect your Slack account to get the right permissions.",
    });
    await slackAuth.client.removeTokens();
    await slackAuth.authorize();
    // The loop will re-attempt the DND call.
  }
}
```

The idea with the loop is to reattempt the DND lookup (whether you've paused notifications) after being logged out and re-authenticating, but it sounds like you're somehow authenticating, but then looking up the DND info fails with a "missing_scope" error, so it logs you out and on and on it goes.

Just to rule it out, I now tried with a local production build (npm run build) to throw some other error (not "missing_scope") and it did show up as a toast + did not cause a login loop. Just an empty status.

Did revoking the permissions change anything?
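
The failure mode discussed in the comment above, as an added example that is not part of the original post or the extension's code: the re-authorization retry is capped at one attempt, the scopes of the new grant are checked, and the function stops with a reason instead of looping. `SlackSession`, `dndWithBoundedReauth` and `fakeSession` are hypothetical names, and the scope lists are constructed sample data.

```typescript
// Added example. SlackSession is a hypothetical stand-in for the extension's
// Slack client and OAuth helper, not Raycast's or Slack's real API.
type DndInfo = { snoozeEnabled: boolean };
interface SlackSession {
  dndInfo(): Promise<DndInfo>; // rejects with "...missing_scope" if the token lacks dnd:read
  removeTokens(): Promise<void>; // forget the locally stored token
  authorize(): Promise<string[]>; // redo OAuth, resolve to the scopes actually granted
}
type Outcome =
  | { ok: true; dnd: DndInfo; reauths: number }
  | { ok: false; reason: "scope_not_granted" | "token_still_unscoped"; reauths: number };

// Scopes from `required` that are absent from `granted`.
function missingScopes(granted: string[], required: string[]): string[] {
  const have = new Set(granted.map((s) => s.trim()));
  return required.filter((s) => !have.has(s));
}

async function dndWithBoundedReauth(session: SlackSession, maxReauth = 1): Promise<Outcome> {
  for (let reauths = 0; ; reauths++) {
    try {
      return { ok: true, dnd: await session.dndInfo(), reauths };
    } catch (error: unknown) {
      if (!(error instanceof Error) || !error.message.includes("missing_scope")) throw error;
      // Re-auth already happened and the call still fails: stop, do not loop.
      if (reauths >= maxReauth) return { ok: false, reason: "token_still_unscoped", reauths };
      await session.removeTokens();
      const granted = await session.authorize();
      // Fail closed if the new grant itself lacks the scope.
      if (missingScopes(granted, ["dnd:read"]).length > 0) return { ok: false, reason: "scope_not_granted", reauths: reauths + 1 };
    }
  }
}

// Constructed fake. `staleToken` models a client that keeps using an old token even though the new grant has dnd:read.
function fakeSession(grantOnAuth: string[], staleToken = false): SlackSession {
  let tokenScopes = ["users.profile:read", "users.profile:write"]; // pre-upgrade install
  return {
    dndInfo: async () => {
      if (missingScopes(tokenScopes, ["dnd:read"]).length > 0) throw new Error("An API error occurred: missing_scope");
      return { snoozeEnabled: false };
    },
    removeTokens: async () => {},
    authorize: async () => {
      if (!staleToken) tokenScopes = grantOnAuth;
      return grantOnAuth;
    },
  };
}
```

The two failure reasons separate a workspace that never granted `dnd:read` from a client that is still presenting a token without it, which is the distinction the thread is trying to establish by hand.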

@thnk2wn

thnk2wn commented Dec 18, 2024

I have the same issue. I can authenticate correctly but when I come back it still thinks I don't have correct permissions. I can briefly see my previous / current custom statuses beneath but can't use them.

image

Likely not useful but here's a log file:
ray.20241218_155438.log

@xmadscientist
Author

> Thanks! This is the relevant code:
>
> ```typescript
> let dndResponse;
> let dndCalled = false;
> while (!dndCalled) {
>   try {
>     dndResponse = await slack.dnd.info();
>     dndCalled = true;
>     if (!dndResponse.ok) {
>       throw Error("Failed to fetch DND info");
>     }
>   } catch (error: unknown) {
>     // We added new scopes for DND. Old installs don't automatically upgrade scopes.
>     // The `instanceof` is a type guard.
>     if (!(error instanceof Error) || !error.message.includes("missing_scope")) {
>       throw error;
>     }
>     // We don't care about the response. The user *needs* to reconnect.
>     // There's no option for a cancel-less alert AFAIK.
>     await confirmAlert({
>       title: "Missing permissions after upgrade",
>       message: "Reconnect your Slack account to get the right permissions.",
>     });
>     await slackAuth.client.removeTokens();
>     await slackAuth.authorize();
>     // The loop will re-attempt the DND call.
>   }
> }
> ```
>
> The idea with the loop is to reattempt the DND lookup (whether you've paused notifications) after being logged out and re-authenticating, but it sounds like you're somehow authenticating, but then looking up the DND info fails with a "missing_scope" error, so it logs you out and on and on it goes.
>
> Just to rule it out, I now tried with a local production build (npm run build) to throw some other error (not "missing_scope") and it did show up as a toast + did not cause a login loop. Just an empty status.
>
> Did revoking the permissions change anything?

Unfortunately, revoking the permissions didn't help. :(

@henrik
Contributor

henrik commented Dec 19, 2024

@PitNikola @pernielsentikaer Can you confirm the extension works for you?

@henrik
Contributor

henrik commented Dec 19, 2024

The permissions screen has the message "Below are the default permissions configured for Raycast by the developer. Permissions installed might be different for each workspace."

So one possible explanation might be that the workspace does not grant this permission, even though it's a default permission. I'm not sure how to test that theory, though. Can you see any indications that "dnd:read" is denied by the workspace?

This is what my App details -> Configuration page looks like, but I'm not sure if it actually shows what the workspace allows. Does yours look any different, @xmadscientist?

Screenshot 2024-12-19 at 09 44 56

@pernielsentikaer
Collaborator

It worked as expected for me without any issues

@thnk2wn

thnk2wn commented Dec 19, 2024

@henrik If it helps any...

2024-12-19_10-56-38.mp4

@thnk2wn

thnk2wn commented Dec 19, 2024

Looks like it has old permission set. I was able to break the auth loop by revoking and reauthorizing but now an error just pops up in status bar each time on load or set status.

Error: An API error occurred: token_revoked
    at Zg (/Users/jobotgeoff/.config/raycast/extensions/6916ad50-03ad-4b88-b83a-d25c3393a417/setStatus.js:44:29363)
    at e.apiCall (/Users/jobotgeoff/.config/raycast/extensions/6916ad50-03ad-4b88-b83a-d25c3393a417/setStatus.js:46:6161)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async /Users/jobotgeoff/.config/raycast/extensions/6916ad50-03ad-4b88-b83a-d25c3393a417/setStatus.js:50:118926

Before revoking:

image

After revoking and reauthorizing:

image

@xmadscientist
Author

> The permissions screen has the message "Below are the default permissions configured for Raycast by the developer. Permissions installed might be different for each workspace."
>
> So one possible explanation might be that the workspace does not grant this permission, even though it's a default permission. I'm not sure how to test that theory, though. Can you see any indications that "dnd:read" is denied by the workspace?
>
> This is what my App details -> Configuration page looks like, but I'm not sure if it actually shows what the workspace allows. Does yours look any different, @xmadscientist?
>
> Screenshot 2024-12-19 at 09 44 56

I noticed that there are two different Raycast apps (one for the base app and one for the slack status thingy). Here are screenshots of what their app pages look like:

image image image

@henrik
Contributor

henrik commented Dec 20, 2024

Thanks so much for the additional detail!


Regarding the "token_revoked" error mentioned by @thnk2wn, based on the line number I think this might be the slackAuth.client.removeTokens() call (are you able to confirm via the stated file and line number on your end?).

If that's the case, then having the extension silently ignoring that error might help, though I can't say I fully understand what's going on.

It succeeds getting the profile details, but then fails to get the DND details with "token_revoked". Perhaps there is still one unrevoked app/authentication without DND permissions, that succeeds in getting the profile; and there's also another app/authentication with DND permissions, that Raycast tries to use, but fails to because it's revoked on the Slack end?


@xmadscientist Thank you. You cut off the name of the app in the second screenshot, but are you saying that there's an app in Slack that got DND permissions in December 2024 but that is not named "Slack Status"? And there's also the "Slack Status" app which does not have DND permissions, and that was authorised in June 2023?


@pernielsentikaer Do you have context on how Raycast handles OAuth that might help understand this situation? Each extension using Slack should get its own access token, right? Two extensions using Slack with different permissions should be able to live side by side?

@thnk2wn

thnk2wn commented Dec 20, 2024

@henrik I can't remember whether the error I posted was at load or when trying to change status but it appears the latter

image

@henrik
Contributor

henrik commented Dec 23, 2024

Thanks!

My thinking so far is that I want to hear more from Raycast (e.g. Per) about how this is supposed to work – if there could be some kind of interference between Slack integrations, and if so, whether that's considered a bug.

I also think I should add a text to the "Missing permissions" dialogue saying something to the effect of "If you keep seeing this message, please log out manually in the extension settings and uninstall all Raycast apps via Slack's admin UI".

I appreciate that this is a frustrating situation, but I'm still not clear on precisely what's going on, so I can't reproduce it myself to fix it more gracefully than that. But it does seem to me like there is some leakiness to (my assumptions about) the OAuth abstractions that extensions lean on.

It would be great if @thnk2wn and @xmadscientist could confirm whether doing those things fixes the issue. So specifically:

  1. In the "Slack Status" extension settings in Raycast, click "Logout" if available. (I think this might fix the "token_revoked" error.)
  2. In the Slack web admin interface, select "Uninstall" on all "Raycast" apps.
  3. Open "Slack Status" again and go through the auth flow.

@thnk2wn

thnk2wn commented Dec 23, 2024

@henrik Thanks, that worked with the caveat that clicking the Logout button didn't actually clear the token, I had to wipe that out manually.

I'm good with this workaround but going forward it should ideally handle upgrade paths when permissions change and that be included as part of testing

@xmadscientist
Author

> Thanks!
>
> My thinking so far is that I want to hear more from Raycast (e.g. Per) about how this is supposed to work – if there could be some kind of interference between Slack integrations, and if so, whether that's considered a bug.
>
> I also think I should add a text to the "Missing permissions" dialogue saying something to the effect of "If you keep seeing this message, please log out manually in the extension settings and uninstall all Raycast apps via Slack's admin UI".
>
> I appreciate that this is a frustrating situation, but I'm still not clear on precisely what's going on, so I can't reproduce it myself to fix it more gracefully than that. But it does seem to me like there is some leakiness to (my assumptions about) the OAuth abstractions that extensions lean on.
>
> It would be great if @thnk2wn and @xmadscientist could confirm whether doing those things fixes the issue. So specifically:
>
>   1. In the "Slack Status" extension settings in Raycast, click "Logout" if available. (I think this might fix the "token_revoked" error.)
>   2. In the Slack web admin interface, select "Uninstall" on all "Raycast" apps.
>   3. Open "Slack Status" again and go through the auth flow.

This seemed to do it! Thanks so much!

@henrik
Contributor

henrik commented Dec 24, 2024

@thnk2wn Thank you! How did you wipe the token manually?

I did try the upgrade path several times and spent a fair amount of time on it, but this seems to be some additional path of having multiple Raycast Slack apps that I still don’t understand well enough. Perhaps related to having both this extension and the other Slack extension?

@xmadscientist Thank you for confirming!

Happy holidays :)
