bridge: fail fast on expired broker access token

Author: benvinegar

slack-bridge/broker-bridge.mjs

@@ -95,6 +95,7 @@ const directSlackRateLimiter = createRateLimiter({ maxRequests: 1, windowMs: 1_0
 const workspaceId = process.env.SLACK_BROKER_WORKSPACE_ID;
 const brokerBaseUrl = String(process.env.SLACK_BROKER_URL || "").replace(/\/$/, "");
 const brokerAccessToken = String(process.env.SLACK_BROKER_ACCESS_TOKEN || "").trim();
+const brokerAccessTokenExpiresAt = String(process.env.SLACK_BROKER_ACCESS_TOKEN_EXPIRES_AT || "").trim();
 
 // Check if direct Slack API mode is available
 const hasDirectSlackToken = Boolean(process.env.SLACK_BOT_TOKEN);
@@ -110,6 +111,7 @@ let socketPath = null;
 let cryptoState = null;
 
 const dedupe = new Map();
+let brokerTokenExpiryFormatWarned = false;
 
 const brokerHealth = {
   started_at: new Date().toISOString(),
@@ -386,7 +388,29 @@ function signPullRequest(timestamp, maxMessages, waitSeconds) {
   });
 }
 
+function isBrokerAccessTokenExpired() {
+  if (!brokerAccessToken || !brokerAccessTokenExpiresAt) return false;
+  const ts = Date.parse(brokerAccessTokenExpiresAt);
+  if (!Number.isFinite(ts)) {
+    if (!brokerTokenExpiryFormatWarned) {
+      logWarn("⚠️ invalid SLACK_BROKER_ACCESS_TOKEN_EXPIRES_AT format; expected ISO-8601 timestamp");
+      brokerTokenExpiryFormatWarned = true;
+    }
+    return false;
+  }
+  return Date.now() >= ts;
+}
+
+function enforceBrokerTokenFreshnessOrExit() {
+  if (!isBrokerAccessTokenExpired()) return;
+
+  logError("❌ broker access token is expired; broker API auth will fail.");
+  logError("   run: sudo baudbot broker register && sudo baudbot restart");
+  process.exit(1);
+}
+
 async function brokerFetch(pathname, body) {
+  enforceBrokerTokenFreshnessOrExit();
   const url = `${brokerBaseUrl}${pathname}`;
   const headers = { "Content-Type": "application/json" };
   if (brokerAccessToken) {
@@ -992,6 +1016,8 @@ async function startPollLoop() {
     serverSignSecretKey: signKeypair.privateKey,
   };
 
+  enforceBrokerTokenFreshnessOrExit();
+
   refreshSocket();
   startApiServer();
   persistBrokerHealth();

test/broker-bridge.integration.test.mjs

@@ -727,4 +727,51 @@ describe("broker pull bridge semi-integration", () => {
 
     bridge.kill("SIGTERM");
   });
+
+  it("exits when broker access token is expired", async () => {
+    await sodium.ready;
+
+    const testFileDir = path.dirname(fileURLToPath(import.meta.url));
+    const repoRoot = path.dirname(testFileDir);
+    const bridgePath = path.join(repoRoot, "slack-bridge", "broker-bridge.mjs");
+    const bridgeCwd = path.join(repoRoot, "slack-bridge");
+
+    let bridgeStdout = "";
+    let bridgeStderr = "";
+
+    const bridge = spawn("node", [bridgePath], {
+      cwd: bridgeCwd,
+      env: {
+        ...process.env,
+        SLACK_BROKER_URL: "http://127.0.0.1:65535",
+        SLACK_BROKER_WORKSPACE_ID: "T123BROKER",
+        SLACK_BROKER_SERVER_PRIVATE_KEY: b64(32, 11),
+        SLACK_BROKER_SERVER_PUBLIC_KEY: b64(32, 12),
+        SLACK_BROKER_SERVER_SIGNING_PRIVATE_KEY: Buffer.alloc(32, 25).toString("base64"),
+        SLACK_BROKER_PUBLIC_KEY: b64(32, 14),
+        SLACK_BROKER_SIGNING_PUBLIC_KEY: b64(32, 15),
+        SLACK_BROKER_ACCESS_TOKEN: "expired-token",
+        SLACK_BROKER_ACCESS_TOKEN_EXPIRES_AT: "2000-01-01T00:00:00.000Z",
+        SLACK_ALLOWED_USERS: "U_ALLOWED",
+        BRIDGE_API_PORT: "0",
+      },
+      stdio: ["ignore", "pipe", "pipe"],
+    });
+
+    bridge.stdout.on("data", (chunk) => {
+      bridgeStdout += chunk.toString();
+    });
+    bridge.stderr.on("data", (chunk) => {
+      bridgeStderr += chunk.toString();
+    });
+
+    children.push(bridge);
+
+    const exited = await new Promise((resolve) => {
+      bridge.on("exit", (code, signal) => resolve({ code, signal }));
+    });
+
+    expect(exited.code).toBe(1);
+    expect(`${bridgeStdout}\n${bridgeStderr}`).toContain("broker access token is expired");
+  });
 });