Now all the Blueprints examples have been updated with new Slack platform features. So what are the diffs in this updated example?
Your OAuth access token should begins with -xoxb (or -xoxa), instead of -xoxp. User tokens will be deprecated.
This requires to update your code!
Previously, you needed to verify a verificatin token to see if a request was coming from Slack, not from some malicious place by simply comparing a string with the legacy token with a token received with a payload. But now you must use more secure sigining secrets.
Basically, you need to compare the value of the X-Slack-Signature, the HMAC-SHA256 keyed hash of the raw request payload, with a hashed string containing your Slack signin secret code, combined with the version and X-Slack-Request-Timestamp.
Learn more at Verifying requests from Slack.
OAuth refresh tokens are also introduced as a security feature, which allows the app owners to proactively rotate tokens when the tokens are compromised.
Your workspace app can use the new apps.uninstall method to uninstall itself from a single workspace, revoking all tokens associated with it. To revoke a workspace token without uninstalling the app, use auth.revoke.
Although the example of using the short-lived refresh token is not included in this Blurprints example since this tutorial is written for internal integration, if you are distributing your app, use a short-lived OAuth Refresh token. Implementing token rotation is required for all apps that are distributed, whether submitted for the App Directory or not.
To lean more, read Token rotation for workspace apps.
🎁 If you are using the Node SDK, the token refresh feature is available for you already!