Skip to content

fix(oauth): coalesce slack token refresh per installation and preserve provider refresh errors#5723

Open
TheodoreSpeaks wants to merge 6 commits into
stagingfrom
fix/cred-refresh-error
Open

fix(oauth): coalesce slack token refresh per installation and preserve provider refresh errors#5723
TheodoreSpeaks wants to merge 6 commits into
stagingfrom
fix/cred-refresh-error

Conversation

@TheodoreSpeaks

@TheodoreSpeaks TheodoreSpeaks commented Jul 16, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Slack bot tokens are per-installation (team × app), but every connect creates a new `account` row holding a copy of the same rotating token chain — each row refreshed independently and revoked the siblings' copies, causing intermittent `token_revoked` failures
  • Key Slack refresh coalescing (singleflight + leader lock) and terminal-error dead flags per installation (`oauth:refresh:slack:`) instead of per account row
  • Leader refreshes using the freshest sibling's refresh token and fans the new chain out to all sibling rows of the team, so stale rows self-heal; fresh connects propagate their newly issued chain the same way
  • Slack lock budgets (follower wait + lock TTL) sized past the 15s provider timeout so followers observe slow-but-successful refreshes
  • Legacy pasted `slack-bot-*` rows keep per-row behavior
  • Add `token_revoked` to the terminal refresh-error set

Type of Change

  • Bug fix

Testing

Added unit coverage for installation-keyed locking, freshest-chain selection, fan-out writes, legacy row behavior, and installation-scoped dead flags. `bun run lint`, `bun run check:api-validation:strict`, and `tsc --noEmit` pass.

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@greptile-apps

greptile-apps Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR coordinates Slack OAuth token rotation at the installation level. The main changes are:

  • Coalesces refreshes by Slack team instead of account row.
  • Selects the freshest sibling token chain and propagates updates across the installation.
  • Adds version-guarded writes for concurrent refresh and connect flows.
  • Scopes terminal refresh flags to the installation and recognizes token_revoked.
  • Extends Slack lock and follower wait budgets to 30 seconds.
  • Preserves per-row behavior for legacy pasted Slack bot credentials.

Confidence Score: 5/5

The latest fixes look safe to merge.

  • The Slack follower budget now covers the provider timeout and persistence headroom.
  • Version-guarded fan-out prevents stale refresh results from overwriting a newer installation chain.
  • Transient refresh failures retain the generic fallback behavior.
  • No additional blocking issue qualifies for this follow-up review.

Important Files Changed

Filename Overview
apps/sim/app/api/auth/oauth/utils.ts Adds installation-scoped Slack refresh coordination, extended lock timing, freshest-chain selection, guarded fan-out, and installation-scoped terminal flags.
apps/sim/lib/oauth/slack.ts Introduces helpers for Slack team extraction, token-chain selection, guarded fan-out, and concurrent-chain movement detection.
apps/sim/lib/auth/auth.ts Propagates newly connected Slack token chains to sibling account rows and clears the installation dead flag.
apps/sim/lib/oauth/terminal-errors.ts Treats Slack token_revoked responses as terminal refresh errors.
apps/sim/app/api/auth/oauth/token/route.ts Logs token-refresh failures before returning the existing unauthorized response.

Reviews (6): Last reviewed commit: "fix(oauth): clear slack dead flag before..." | Re-trigger Greptile

Comment thread apps/sim/app/api/auth/oauth/utils.ts Outdated
Comment thread apps/sim/app/api/auth/oauth/utils.ts Outdated
@TheodoreSpeaks

Copy link
Copy Markdown
Collaborator Author

@greptile

@TheodoreSpeaks

Copy link
Copy Markdown
Collaborator Author

@cursor review

@TheodoreSpeaks

Copy link
Copy Markdown
Collaborator Author

@greptile

@TheodoreSpeaks

Copy link
Copy Markdown
Collaborator Author

@cursor review

@vercel

vercel Bot commented Jul 16, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped Jul 17, 2026 1:30am

Request Review

@cursor

cursor Bot commented Jul 17, 2026

Copy link
Copy Markdown

PR Summary

High Risk
Changes core OAuth refresh, Redis locking, and multi-row token persistence for Slack—security-sensitive auth paths where races could still affect token validity until reconnect.

Overview
Fixes intermittent Slack token_revoked failures when multiple account rows share one workspace installation’s rotating bot token chain.

Slack installation-scoped refresh: Coalesced refresh now keys locks and terminal dead flags by slack:<teamId> (parsed from the external account id) instead of per row. The refresh leader picks the freshest sibling refresh token, reuses a still-valid sibling access token when possible, and fans out the updated chain to every row for that team. Lock TTL and follower wait are raised to 30s so concurrent sibling requests wait through slow provider refreshes. Version-guarded writes skip overwriting a newer chain if a connect or competing refresh landed first; terminal dead flags are skipped when the chain moved during a failed refresh. Legacy slack-bot-* pasted rows keep per-row behavior.

On connect: After a new Slack OAuth account is created, the hook clears the installation dead flag and fans out the new tokens to sibling rows.

Other: token_revoked is treated as a terminal refresh error. The OAuth token route logs refresh failures instead of swallowing them.

Reviewed by Cursor Bugbot for commit a0b4518. Bugbot is set up for automated code reviews on this repo. Configure here.

Comment thread apps/sim/lib/auth/auth.ts
@TheodoreSpeaks

Copy link
Copy Markdown
Collaborator Author

@greptile

@TheodoreSpeaks

Copy link
Copy Markdown
Collaborator Author

@cursor review

Comment thread apps/sim/app/api/auth/oauth/utils.ts Outdated
Comment thread apps/sim/app/api/auth/oauth/utils.ts Outdated
@TheodoreSpeaks

Copy link
Copy Markdown
Collaborator Author

@greptile

@TheodoreSpeaks

Copy link
Copy Markdown
Collaborator Author

@cursor review

Comment thread apps/sim/lib/auth/auth.ts Outdated
@TheodoreSpeaks

Copy link
Copy Markdown
Collaborator Author

@greptile

@TheodoreSpeaks

Copy link
Copy Markdown
Collaborator Author

@cursor review

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit a0b4518. Configure here.

Comment thread apps/sim/lib/oauth/slack.ts
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant