jpbruinsslot/slack-term

Using this without legacy tokens?

cdrage opened this issue ยท 40 comments

Is there any way possible of using this without having to use a legacy token? For teams such as kubernetes.slack.com unfortunately there's no way to get one (they don't allow it).

+1 for this feature. Using an oauth robot token doesn't allow me to reply and send messages as 'me'

This depends on whether the slack api will allow additional methods of authentication and if nlopes/slack will support it.

ventz commented

Weechat's slack plugin does this via an interesting method which can be copied here:

https://github.com/wee-slack/wee-slack/blob/89864b5ab952b426e77cd76cc0941035335063df/wee_slack.py#L3107

Basically they generate a "fake url" oauth request, and then the user copies the authenticated oauth token, and provides that to complete the login. After that, the session is saved and it's done.

The following procedure should allow slack-term usage without the use of legacy token, could you guys perhaps test if it works?


  1. Go to the following page: https://slack.com/oauth/authorize?client_id=91899392594.382712253827&scope=client

  2. Select the workspace to which you want slack-term to provide access to.

  3. Click "Authorize", this will redirect you, this redirect will fail, which is expected.

  4. Copy the code portion of the URL. http://not.a.host?code=[code-will-be-here]&state=

  5. In your terminal issue the following command, inserting the code at the right location:

$ curl -s "https://slack.com/api/oauth.access?client_id=91899392594.382712253827&client_secret=c7986be41b6ddb478041d1848dad5f6e&code=[code-goes-here]"
  1. From the response, copy the access_token and place it in your .slack-term

The curl command could perhaps be slightly improved in output if you have jq installed by adding | jq -r .access_token to the end of your command. This outputs just the token without the other stuff, it might even be possible to inject it into the config file, but that could get magical.

Also, I did test these commands and they work great, the only slightly painful part is the code is single use, so once it has been redeemed you need to go through the process again, but it doesn't appear to revoke the old token so it is fairly safe.

I ended up using CODE="theCodeFromUrl"; curl -s "https://slack.com/...?code=$CODE" so that I could change the code with CODE="newCode" without having to repaste it into the command every time.

I'm wondering whether it is much of a security concern that the initial response portion after the redirect to GitHub probably shows up in their logs, but it is only useful once, and it is very unlikely anybody except a malicious browser extension could really do anything with it before a user utilizes it and if you've installed a bad extension you are probably at risk of many other avenues like your full credentials being compromised.

UPDATE:
So it appears that doing it the Oauth way registers slack-term as an application rather than granting it access to your personal account, this may be desirable but might not work if you don't have administrator privileges to the Slack where you are trying to use slack-term.

@dragon788 You're right I've changed the redirect url and updated the instructions. Thanks for testing it out, and I'll have a look at your suggestions.

Here is another useful trick for the linux users to grab a token from a logged in browser session - I tested this and it works with both firefox and google-chrome.

$ sudo apt-get install gdb
<...>
$ for i in $(ps auxwwwfg | grep firefox | grep -v grep | cut -c9-15); do gcore -o $i.core $i; done
$ cat *.core |  grep -ao 'xoxs-[-0-9a-f]*' | sort | uniq -c | sort
<output...>
$ rm *.core

In the "output" area you will see a list of strings that start "xoxs-<...>" plus the number of times they occur. There will usually only be one or two, depending on how many times you are logged into slack. You can snatch these and put them straight into your ~/.slack-term file.

Closing this, because the workaround has been added to the wiki.

https://github.com/erroneousboat/slack-term/wiki#running-slack-term-without-legacy-tokens

Can we re-open this? The problem that I was originally facing is allow this in organizations that do not allow new applications.. Or perhaps add the:

$ sudo apt-get install gdb
<...>
$ for i in $(ps auxwwwfg | grep firefox | grep -v grep | cut -c9-15); do gcore -o $i.core $i; done
$ cat *.core |  grep -ao 'xoxs-[-0-9a-f]*' | sort | uniq -c | sort
<output...>
$ rm *.core

Instructions to the wiki?

Unfortunately since I do not have authorization to add slack-term to the Kubernetes wiki I have to use the above instructions ๐Ÿ‘

Have you tried #136 (comment) ? That allows you to create a slack token without the organization adding an application. I've added the additional instructions to the wiki.

@erroneousboat Yup. You have to have permission to the org to actually add the slack-term client.

See the attached image

screenshot from 2018-11-06 13-52-12

Ok, cool I'll reopen the issue.

ventz commented

Hi,

Just wanted to point out that there are 2 different issues mixing here.

The Apologies, but you are not authorized to install slack-term is completely different than the legacy tokens vs new oAuth tokens.

The "authorized to install" simply means that the slack organization has locked down who can install Add-ons. (usually for security or because they have a free account and only have 5, and this will take up one of them). The oAuth keys install the same as a "bot" and so it takes up one of the "Integration slots".

So that said -- this is completely as expected.

I was able to use the solution provided by @terabyte, but would love to see a feature added wherein we could auth from the client itself.

Any ETA on this? This issue is a deal-breaker for me.

+1!

This solution is no longer working for me, does the grep regex need to be updated?

Try changing the grep regex to 'xox.-[-0-9a-f]*' instead? I'm seeing "xoxc" for my tokens I think.

I'm getting an error Slack rate limit exceeded, retry after 2s when trying this. Anyone else having this issue?

$ sudo apt-get install gdb
<...>
$ for i in $(ps auxwwwfg | grep firefox | grep -v grep | cut -c9-15); do gcore -o $i.core $i; done
$ cat *.core |  grep -ao 'xoxs-[-0-9a-f]*' | sort | uniq -c | sort
<output...>
$ rm *.core

I didn't get any results from this, but I did find xoxc-* in the localstorage. It's not working as a slack token either.

es02 commented

I'm getting an error Slack rate limit exceeded, retry after 2s when trying this. Anyone else having this issue?

Build from master branch or wait for the next release if you aren't comfortable doing so.

Ripcord is able to login via email&password, or import a browser HAR file. Perhaps this is something slack-term could take inspiration from?

Unless slack-term is developed from the ground up as a slack add-on and not a slack client .. ?

Would it be worthwhile to have an OAuth go client? I was in the process of writing one in cpp for the terminal some time ago. I could have another...ahem...go at it if it could be useful in these kinds of tui apps, or maybe even just write up the library with appropriate functions to make the OAuth network calls and structs to handle the OAuth models?

@nathanblair, couldn't this just be achieved with https://github.com/golang/oauth2? I don't see the point of reinventing the wheel except for if your implementation would use this library and would go beyond what it offers.

@mastertinner indeed. Yes. I don't know much about the libraries of go. I'm not a go dev but was interested in finding a project to tackle to get to know the language. But yeah, if there's already stuff for it, I won't bud myself in.

I tried this, both with the gcore approach and the authorized app approach and in both cases I got a token, but when trying to run slack-term I get this error:

2020/04/08 21:02:07 not able to authorize client, check your connection and if your slack-token is set correctly

A couple of notes from trying @terabyte 's solution on Fedora 31...

for i in $(ps auxwwwfg | grep firefox | grep -v grep | awk '{print $2}'); do gcore -o $i.core $i; done
grep -ao 'xox.-[-0-9a-f]*' *.core.* | sort | uniq -c | sort

Basically, the cut command was truncating pids, and the cat was un-needed.

Hi, what do the lines of code that @terabyte put out there actually do?
Curious!

Nevermind, now I read the comment.

https://api.slack.com/legacy/custom-integrations/legacy-tokens:

Legacy tokens are a deprecated method of generating tokens for testing and development.

This tool will not allow creation of new tokens on May 5th, 2020. Learn more about why you shouldn't use it anymore.

Use Slack apps to quickly generate finely-scoped tokens instead, without OAuth, by installing your app to your own team.

dan-v commented

I ended up using method 4 from the wiki successfully, which is nice from the perspective of not having to install an app into the organization, but who knows how long this will continue to work.

Before I landed on that, I had success with method 1 but didn't want my token sent to Github pages and was not able to get method 2 to work. So I ended up creating yet another method slack-rtm-token which is really just method 1 but with your own slack app, with token generation happening locally and not being sent to github pages.

I do not have permission for https://github.com/erroneousboat/slack-term/wiki#method-4 requiring "developer tools".
I tried https://github.com/erroneousboat/slack-term/wiki#method-2 , but the final curl response is 7, or "CURL ERROR 7 Failed to connect to Permission denied"
Either the wiki direction methods are wrong or the required permissions should be advertised more explicitly.

I'm trying to run slack-term in Windows 10 via WSL2 using Ubuntu 20.04.
I've obtained the token via browser devtools (method 4), but if I run it with
slack-term -token here-goes-my-token
I'm getting
not able to authorize client, check your connection and if your slack-token is set correctly error
Same if I paste that token into config file.
Any thoughts on how this can be fixed?

I believe the problem is the token now requires the cookie d https://github.com/jackellenberger/emojme#finding-a-slack-cookie

Tried the GDB approach and tried to grab the token from localStorage or from the Slack customization page. All result in "not able to authorize client, check your connection and if your slack-token is set correctly". Is it possible to implement OAuth?

A couple of notes from trying @terabyte 's solution on Fedora 31...

for i in $(ps auxwwwfg | grep firefox | grep -v grep | awk '{print $2}'); do gcore -o $i.core $i; done
grep -ao 'xox.-[-0-9a-f]*' *.core.* | sort | uniq -c | sort

Basically, the cut command was truncating pids, and the cat was un-needed.

How many GBs of storage am I supposed to have for this? It's using every single byte I have available and doesn't even get through all processes.

I used the approach in which we manually copy the code parameter into a curl command but I get this:

{"ok":false,"error":"bad_redirect_uri","response_metadata":{"messages":["[WARN] Auth request OAuth redirect url must use https"]}}

Perhaps the slack folks now require a https url?

I also tried to connect with the d cookie got from Slack storage and I had this error:

not able to authorize client, check your connection and if your slack-token is set correctly