Merge pull request #398 from rusq/token-re

Token patterns fix
rusq · Jan 9, 2025 · 0b96430 · 0b96430
2 parents a3e8bf0 + bbeac40
commit 0b96430
Show file tree

Hide file tree

Showing 6 changed files with 21 additions and 15 deletions.
diff --git a/cmd/slackdump/internal/man/assets/login.md b/cmd/slackdump/internal/man/assets/login.md
@@ -6,9 +6,9 @@ Automated:
 - Browser authentication (**_EZ-Login 3000_**);
 
 Manual:
-- Login with Client Token and a cookie value;
+- Login with Client Token (`xoxc-`) and a cookie value;
 - Login with Client Token and a Cookie file, exported from your browser;
-- Login with Legacy `xoxp-`, Application `xoxa-` or Bot `xoxb-` Token 
+- Login with Legacy `xoxp-`, Application `xapp-` or Bot `xoxb-` Token 
   (no cookie needed).
 
 

diff --git a/cmd/slackdump/internal/workspace/assets/import.md b/cmd/slackdump/internal/workspace/assets/import.md
@@ -17,7 +17,7 @@ current.
 
 **SLACK_TOKEN** can be one of the following types:
 
-- xoxa-...: App token
+- xapp-...: App token
 - xoxb-...: Bot token
 - xoxc-...: Client token
 - xoxe-...: Export token

diff --git a/internal/fixtures/fixtures.go b/internal/fixtures/fixtures.go
@@ -12,8 +12,8 @@ import (
 )
 
 const (
-	TestAppToken      = "xoxa-888888888888-888888888888-8888888888888-fffffffffffffffa915fe069d70a8ad81743b0ec4ee9c81540af43f5e143264b"
-	TestBotToken      = "xoxb-888888888888-888888888888-8888888888888-fffffffffffffffa915fe069d70a8ad81743b0ec4ee9c81540af43f5e143264b"
+	TestAppToken      = "xapp-1-A012RNBPFL3-1234567890123-c045facebeefbabecafef624ab2f2fe1cc640babf30e37e6b2d11c6094774782"
+	TestBotToken      = "xoxb-123456789012-1234567890123-qCl4vKrWXWjArO5eoWgEUIPb"
 	TestClientToken   = "xoxc-888888888888-888888888888-8888888888888-fffffffffffffffa915fe069d70a8ad81743b0ec4ee9c81540af43f5e143264b"
 	TestExportToken   = "xoxe-888888888888-888888888888-8888888888888-fffffffffffffffa915fe069d70a8ad81743b0ec4ee9c81540af43f5e143264b"
 	TestPersonalToken = "xoxp-777777777777-888888888888-8888888888888-fffffffffffffffa915fe069d70a8ad81743b0ec4ee9c81540af43f5e143264b"

diff --git a/internal/structures/structures.go b/internal/structures/structures.go
@@ -20,15 +20,21 @@ const (
 
 // tokenRe is a loose regular expression to match Slack API tokens.
 // a - app, b - bot, c - client, e - export, p - legacy
-var tokenRE = regexp.MustCompile(`xox[abcep]-[0-9]+-[0-9]+-[0-9]+-[0-9a-f]{64}`)
+var (
+	tokenRE    = regexp.MustCompile(`\bxox[abcep]-[0-9]+-[0-9]+-[0-9]+-[0-9a-fA-F]{64}\b`)
+	appTokenRE = regexp.MustCompile(`\bx(?:app|oxa)-(?:\d-)?(?:[a-zA-Z0-9]{1,20}-)+[a-fA-F0-9]{1,64}\b`)
+	botTokenRE = regexp.MustCompile(`\bxoxb-(?:[a-zA-Z0-9]{1,20}-){2}[a-zA-Z0-9]{1,40}\b`)
+)
 
-var errInvalidToken = errors.New("token must start with xoxa-, xoxb-, xoxc-, xoxe- or xoxp- and be followed by 3 group of numbers and then 64 hexadecimal characters")
+var ErrInvalidToken = errors.New("token must start with xoxa-, xoxb-, xoxc-, xoxe- or xoxp- and be followed by 3 group of numbers and then 64 hexadecimal characters")
 
 func ValidateToken(token string) error {
-	if !tokenRE.MatchString(token) {
-		return errInvalidToken
+	for _, pattern := range []*regexp.Regexp{appTokenRE, botTokenRE, tokenRE} {
+		if pattern.MatchString(token) {
+			return nil
+		}
 	}
-	return nil
+	return ErrInvalidToken
 }
 
 var ErrInvalidDomain = errors.New("invalid domain")

diff --git a/internal/structures/structures_test.go b/internal/structures/structures_test.go
@@ -50,22 +50,22 @@ func TestValidateToken(t *testing.T) {
 		},
 		{
 			name:    "short token",
-			args:    args{token: "xoxa-123456789012-123456789012-123456789012-1234567890123456789012345678901"},
+			args:    args{token: "xoxc-123456789012-123456789012-123456789012-1234567890123456789012345678901"},
 			wantErr: true,
 		},
 		{
 			name:    "long token",
-			args:    args{token: "xoxa-123456789012-123456789012-123456789012-123456789012345678901234567890123"},
+			args:    args{token: "xoxc-123456789012-123456789012-123456789012-123456789012345678901234567890123"},
 			wantErr: true,
 		},
 		{
 			name:    "non-numeric sections",
-			args:    args{token: "xoxa-123456789012-abcdefg-123456789012-12345678901234567890123456789012"},
+			args:    args{token: "xoxc-123456789012-abcdefg-123456789012-12345678901234567890123456789012"},
 			wantErr: true,
 		},
 		{
 			name:    "non-alphanumeric suffix",
-			args:    args{token: "xoxa-123456789012-123456789012-123456789012-1234567890123456789012345678901!"},
+			args:    args{token: "xoxc-123456789012-123456789012-123456789012-1234567890123456789012345678901!"},
 			wantErr: true,
 		},
 	}

diff --git a/slackdump.1 b/slackdump.1
@@ -236,7 +236,7 @@ avoid bot detection algorithms.
 .Bl -tag -width token+cookie
 .It Em token
 This method requires Application
-.Pq xoxa-
+.Pq xapp-
 , Bot
 .Pq xoxb-
 or a Legacy