slack-cloudflare-workers

Intermittent `not_authed` SlackAPIError errors

Open StephenTangCook opened this issue 6 months ago • 4 comments

Background

We've been seeing intermittent authorize errors coming from the slack-cloudflare-workers / slack-edge part of our Slack app:

```
AuthorizeError: Failed to authorize (error: SlackAPIError: Failed to call auth.test due to not_authed: {"ok":false,"error":"not_authed","headers":{}}
```

I haven't discovered a pattern. It happens for various workspaces, some enterprise installs and some not, some queries include userId and some don't.

I have even encountered this locally on occasion. When I saw it locally, even refreshing the app did not appear to fix it. It seemed to be stuck in a bad state, affecting the app's ability to handle any incoming Slack API events. The issue seemed to be resolved after I performed a complete re-install of the Slack app, although I can't say if this would extend to non-local environments.

Debugging

From the auth.test API docs, this error happens when "omitting a token". If that's true, then I assume that the bot_token passed into the Slack API client here somehow ends up being empty, since that is the client used to call auth.test.

I have investigated one particular event and verified the installation for the workspace was correctly in our KV store, and that it contained a valid bot_id. I manually tested the bot_id with the auth.test method and received a success response.

Next Steps

I am adding an authorizeErrorHandler on our SlackOAuthApp to log additional info about the response to see if we can learn anything useful. @seratch I'm wondering if you have any ideas on where to look next?

StephenTangCook • Jul 02 '25 08:07

"not_authed" indicates the auth.test API call does not have any token (or empty string)

seratch • Jul 02 '25 09:07

@seratch I understand that part, but I'm trying to figure out why the framework intermittently fails to get the bot token when I have verified the KV entry exists with a valid token. (And why a re-install appears to fix it.)

StephenTangCook • Jul 03 '25 17:07

@seratch In one particular instance, a Salesforce support dev installed our app into an Enterprise Grid SDO workspace. All events for this workspace were failing with the error:

```
AuthorizeError: Failed to authorize (error: SlackAPIError: Failed to call auth.test due to not_authed: {\"ok\":false,\"error\":\"not_authed\",\"headers\":{}}, query: {\"enterpriseId\":\"E06HPBF3XYZ\",\"teamId\":\"E06HPBF3XYZ\",\"userId\":\"U06GW5JRXYZ\"})
```

I'm fuzzy on the edge cases of Enterprise Grid, but I don't think the enterpriseID and teamId are intended to be the same, right? Does that point to a problem with extractIsEnterpriseInstall?

I confirmed the KV installation entries are in our store as expected (correct enterprise_id and team_id values). But clearly the query is failing to find anything when the enterpriseId and teamId are unexpectedly the same.

StephenTangCook • Jul 05 '25 22:07

Perhaps this sounds like an org-wide installation scenario (is_enterprise_install: true). I haven't checked the code yet, but if the current token resolution fails due to the E*** team_id, simply querying with only enterprise_id would help.

seratch • Jul 06 '25 00:07
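
The enterprise-only fallback suggested in the last comment, sketched as an added example; it is not part of the thread and not slack-edge or slack-cloudflare-workers code. The `<enterprise>/<team>` key layout, the plain-object store standing in for KV, and all function names are assumptions. It also fails before any Slack call when no token is stored, so a lookup miss is reported as such instead of surfacing as `not_authed`.

```typescript
// Added illustration; not slack-edge or slack-cloudflare-workers code.
// The "<enterprise>/<team>" key layout and every name here are hypothetical.
interface AuthorizeQuery { enterpriseId?: string; teamId?: string; userId?: string; isEnterpriseInstall?: boolean }
interface Installation { enterprise_id?: string; team_id?: string; is_enterprise_install?: boolean; bot_token?: string }
// Plain object standing in for the KV namespace (a real KV read is async).
type Store = Record<string, Installation>;

// Org-wide install: flagged as such, or the "team" ID is really an org ID (E...).
function isOrgWide(q: AuthorizeQuery): boolean {
  if (q.isEnterpriseInstall === true) return true;
  return q.teamId !== undefined && q.teamId.charAt(0) === "E";
}

// Ordered lookup keys: most specific first, enterprise-only last.
function candidateKeys(q: AuthorizeQuery): string[] {
  const keys: string[] = [];
  if (!isOrgWide(q) && q.teamId) {
    if (q.enterpriseId) keys.push(`${q.enterpriseId}/${q.teamId}`);
    keys.push(`_/${q.teamId}`);
  }
  if (q.enterpriseId) keys.push(`${q.enterpriseId}/_`);
  return keys;
}

// Returns the token and the key that matched; throws before any Slack call
// when nothing usable is stored, so a lookup miss is not reported as not_authed.
function resolveBotToken(store: Store, q: AuthorizeQuery): { token: string; key: string } {
  const tried = candidateKeys(q);
  for (const key of tried) {
    const inst = Object.prototype.hasOwnProperty.call(store, key) ? store[key] : undefined;
    if (inst && typeof inst.bot_token === "string" && inst.bot_token.length > 0) {
      return { token: inst.bot_token, key };
    }
  }
  // The message carries lookup keys only, never token values.
  throw new Error(`no bot token for query; keys tried: ${tried.join(", ") || "(none)"}`);
}

// Constructed sample data; IDs and tokens are placeholders, not real values.
function sampleStore(): Store {
  return {
    "E0EXAMPLE01/_": { enterprise_id: "E0EXAMPLE01", is_enterprise_install: true, bot_token: "xoxb-constructed-org" },
    "_/T0EXAMPLE02": { team_id: "T0EXAMPLE02", bot_token: "xoxb-constructed-team" },
  };
}
```

With the constructed store, a query whose `enterpriseId` and `teamId` are both `E0EXAMPLE01` resolves through the single key `E0EXAMPLE01/_`.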