Open
Description
Problem
Using --mode cookie authentication causes Slack to log out the browser session.
Reproduction
- Login to Slack in browser
- Extract xoxc token and d cookie
- Run `clacks auth login --mode cookie`
- Use any clacks command (read, send, etc.)
- Browser Slack session gets terminated
Root Cause
The cookie auth implementation only sets the `Cookie: d={cookie}` header but doesn't spoof browser headers like User-Agent, Accept, etc.
Slack likely detects a non-browser client using the session token and terminates it as a security measure.
Suggested Fix
Add browser-like headers to cookie auth requests:
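```python
from slack_sdk import WebClient  # assumes the slack_sdk WebClient

# token is the xoxc token and cookie is the d cookie value,
# both extracted from the browser session (see Reproduction).
client = WebClient(
    token=token,
    headers={
        "Cookie": f"d={cookie}",
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
        "Accept": "application/json",
        "Accept-Language": "en-US,en;q=0.9",
    },
)
```
This would make API requests look more like legitimate browser requests and avoid session termination.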
Impact
Currently cookie auth is unusable for regular work as it constantly logs users out of Slack in their browser, defeating the purpose of the stopgap authentication method.
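Seen from the server side, the behaviour guessed at under Root Cause amounts to checking that a session keeps the client fingerprint it was first seen with. The sketch below is an added example, not code from clacks or Slack and not a description of Slack's actual logic; the fingerprint fields, session ids, paths and sample requests are all assumptions constructed for illustration.

```python
# Header fields used as a coarse client fingerprint (an assumption for this sketch).
FIELDS = ("user-agent", "accept-language")

# Constructed sample requests: (session id, path, headers). Not real traffic.
BROWSER = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Chrome/120.0.0.0",
    "Accept-Language": "en-US,en;q=0.9",
}
SAMPLE_REQUESTS = [
    ("sess-A", "/api/example.boot", BROWSER),
    ("sess-B", "/api/example.boot", BROWSER),
    ("sess-A", "/api/example.read", BROWSER),
    ("sess-A", "/api/example.read", {"User-Agent": "example-cli/1.0"}),
    ("sess-B", "/api/example.send", BROWSER),
]


def fingerprint(headers):
    """Reduce request headers to a tuple of the fingerprint fields (missing -> '')."""
    lowered = {name.lower(): value for name, value in headers.items()}
    return tuple(lowered.get(field, "") for field in FIELDS)


def detect_session_reuse(requests):
    """Flag requests whose fingerprint differs from the first one seen for the session."""
    baseline = {}
    alerts = []
    for index, (session_id, path, headers) in enumerate(requests):
        current = fingerprint(headers)
        # The first request seen for a session establishes its baseline fingerprint.
        first = baseline.setdefault(session_id, current)
        if current != first:
            changed = [f for f, a, b in zip(FIELDS, first, current) if a != b]
            alerts.append({"session": session_id, "index": index,
                           "path": path, "changed": changed})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(SAMPLE_REQUESTS):
        print(alert)
```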