Skip to content

Switch auth from Safari cookies to Slack desktop app#7

Closed
Copilot wants to merge 5 commits intomainfrom
copilot/investigate-gh-slack-auth
Closed

Switch auth from Safari cookies to Slack desktop app#7
Copilot wants to merge 5 commits intomainfrom
copilot/investigate-gh-slack-auth

Conversation

Copy link
Contributor

Copilot AI commented Feb 22, 2026
edited
Loading

Ports the auth approach from gh-slack (via rneatherway/slack): reads the d cookie from the Slack desktop app's SQLite cookie database instead of parsing Safari's binary cookies.

Auth flow

  1. Locate Slack's Chromium cookie DB (~/Library/Application Support/Slack/Cookies on macOS, ~/.config/Slack/Cookies on Linux)
  2. Read encrypted d cookie via modernc.org/sqlite (pure Go, no CGo)
  3. Retrieve decryption key from macOS Keychain (security CLI) or Linux Secret Service (secret-tool)
  4. Decrypt with PBKDF2 + AES-CBC, strip Chromium 128+ domain hash prefix
  5. Exchange cookie for API token via workspace homepage

Changes

  • internal/auth/desktop.go — New DesktopProvider implementing the full flow above
  • internal/auth/desktop_test.go — Tests for AES-CBC decryption, domain hash prefix stripping, provider interface
  • main.go — Wire DesktopProvider in place of SafariProvider, update --test flag and help text
  • README.md / AGENTS.md — Updated docs
  • Removed safari.go / safari_test.go — Legacy Safari auth code fully deleted
  • Removed unused dependenciesutls, brotli, klauspost/compress dropped via go mod tidy

Why

  • Eliminates Safari sign-in requirement and TLS fingerprinting (utls)
  • Adds Linux support
  • Matches the proven approach used by gh-slack in production
Original prompt

Investigate how gh-slack parses auth from Slack desktop app and use that instead of Safari cookies.

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI and others added 2 commits February 22, 2026 20:36
@wham
Add Slack desktop app auth provider, replacing Safari cookie auth
39d8c1d 
Implements the auth approach from gh-slack (rneatherway/slack): reads the
'd' cookie from the Slack desktop app's SQLite cookie database, decrypts
it using the system keychain, and exchanges it for a Slack API token.

Supports macOS (Keychain via security CLI) and Linux (Secret Service via
secret-tool). No longer requires Safari or TLS fingerprinting.

Co-authored-by: wham <448809+wham@users.noreply.github.com>
@wham
Fix XDG_CONFIG_DIR to XDG_CONFIG_HOME per XDG spec
fcaf536 
Co-authored-by: wham <448809+wham@users.noreply.github.com>
Copilot AI changed the title [WIP] Investigate auth parsing in gh-slack from Slack app Switch auth from Safari cookies to Slack desktop app Feb 22, 2026
wham
wham requested changes Feb 22, 2026
View reviewed changes
AGENTS.md Outdated
- `main.go` — Entry point with cobra root command, flags (`--test`, `-o`), and `slog`-based logging
- `internal/auth/safari.go` — Safari cookie auth provider with uTLS fingerprinting, binary cookie parsing, and Slack token extraction
- `internal/auth/desktop.go` — Slack desktop app cookie auth provider: reads the `d` cookie from Slack's SQLite cookie database, decrypts it using the system keychain, and exchanges it for a Slack API token
- `internal/auth/safari.go` — Legacy Safari cookie auth provider (retained for reference)
Copy link
Owner

@wham wham Feb 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot no legacy. All in for the new way.

Copy link
Owner

@wham wham Feb 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@copilot are you here?

Copy link
Contributor Author

Copilot AI Feb 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed safari.go, safari_test.go, cleaned up AGENTS.md references, and dropped the unused utls/brotli/compress dependencies in 668f5bd.

Copy link
Contributor Author

Copilot AI Feb 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done — all legacy Safari code removed in 668f5bd.

@wham
Remove legacy Safari auth code entirely
668f5bd 
Delete safari.go and safari_test.go, clean up AGENTS.md references,
and remove unused utls/brotli/compress dependencies.

Co-authored-by: wham <448809+wham@users.noreply.github.com>
@wham
Copy link
Owner

wham commented Feb 24, 2026

I realized reading the desktop DB triggers macOS keychain access dialog. The Safari implementation is more convenient in a way. Punting for now.

@wham wham closed this Feb 24, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wham wham wham requested changes

Assignees

@wham wham

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@wham