fix(slack): add an alternate path for access_token if undefined (#4025)

## Describe the problem and your solution

- Add an alternate path for `access_token` interpolation if not found at
top-level, Nango's default for Oauth2.

<!-- Issue ticket number and link (if applicable) -->

<!-- Testing instructions (skip if just adding/editing providers) -->

<!-- Summary by @propel-code-bot -->

---

This PR addresses an issue with Slack's OAuth2 authentication flow where
access tokens are sometimes returned in a nested path
('authed_user.access_token') rather than at the top level. The changes
add support for retrieving tokens from alternate paths when the default
path returns undefined, ensuring connections can be established
successfully with Slack's API.

**Key Changes:**
• Added alternate_access_token_response_path property to ProviderOAuth2
interface
• Modified parseRawCredentials to check alternate paths when
access_token is not found
• Updated Slack provider configuration to use the new alternate path

**Affected Areas:**
• OAuth2 authentication flow
• Slack provider integration
• Connection credential parsing logic

*This summary was automatically generated by @propel-code-bot*

Author: hassan254-prog

packages/providers/providers.yaml

@@ -9046,6 +9046,7 @@ slack:
     auth_mode: OAUTH2
     authorization_url: https://slack.com/oauth/v2/authorize
     scope_separator: ','
+    alternate_access_token_response_path: authed_user.access_token
     token_url: https://slack.com/api/oauth.v2.access
     token_response_metadata:
         - incoming_webhook.url

packages/server/lib/controllers/connection.controller.ts

@@ -21,7 +21,8 @@ import type {
     OAuth1Credentials,
     OAuth2ClientCredentials,
     ProviderGithubApp,
-    TbaCredentials
+    TbaCredentials,
+    ProviderOAuth2
 } from '@nangohq/types';
 import type { NextFunction, Request, Response } from 'express';
 
@@ -205,7 +206,8 @@ class ConnectionController {
 
                 const { expires_at: parsedExpiresAt } = connectionService.parseRawCredentials(
                     { access_token, refresh_token, expires_at, expires_in },
-                    provider.auth_mode
+                    provider.auth_mode,
+                    provider as ProviderOAuth2
                 ) as OAuth2Credentials;
 
                 if (!access_token) {

packages/server/lib/controllers/oauth.controller.ts

@@ -1017,7 +1017,7 @@ class OAuthController {
             let parsedRawCredentials: OAuth2Credentials;
 
             try {
-                parsedRawCredentials = connectionService.parseRawCredentials(rawCredentials, 'OAUTH2') as OAuth2Credentials;
+                parsedRawCredentials = connectionService.parseRawCredentials(rawCredentials, 'OAUTH2', provider as ProviderOAuth2) as OAuth2Credentials;
             } catch (err) {
                 void logCtx.error('The OAuth token response from the server could not be parsed - OAuth flow failed.', { error: err, rawCredentials });
                 await logCtx.failed();

packages/shared/lib/clients/oauth2.client.ts

@@ -172,7 +172,7 @@ export async function getFreshOAuth2Credentials({
 
     let newCredentials: OAuth2Credentials;
     try {
-        newCredentials = connectionsManager.parseRawCredentials(rawNewAccessToken.token, 'OAUTH2') as OAuth2Credentials;
+        newCredentials = connectionsManager.parseRawCredentials(rawNewAccessToken.token, 'OAUTH2', provider) as OAuth2Credentials;
 
         if (!newCredentials.refresh_token && credentials.refresh_token != null) {
             newCredentials.refresh_token = credentials.refresh_token;

packages/shared/lib/services/connection.service.ts

@@ -840,10 +840,15 @@ class ConnectionService {
 
         switch (authMode) {
             case 'OAUTH2': {
-                if (!rawCreds['access_token']) {
-                    throw new NangoError(`incomplete_raw_credentials`);
+                let accessToken: string | undefined = rawCreds['access_token'];
+
+                if (!accessToken && template && 'alternate_access_token_response_path' in template && template.alternate_access_token_response_path) {
+                    accessToken = extractValueByPath(rawCreds, template.alternate_access_token_response_path);
                 }
 
+                if (!accessToken) {
+                    throw new NangoError(`incomplete_raw_credentials`);
+                }
                 let expiresAt: Date | undefined;
 
                 if (rawCreds['expires_at']) {
@@ -854,7 +859,7 @@ class ConnectionService {
 
                 const oauth2Creds: OAuth2Credentials = {
                     type: 'OAUTH2',
-                    access_token: rawCreds['access_token'],
+                    access_token: accessToken,
                     refresh_token: rawCreds['refresh_token'],
                     expires_at: expiresAt,
                     raw: rawCreds
@@ -1289,7 +1294,7 @@ class ConnectionService {
     > {
         if (providerClient.shouldUseProviderClient(providerConfig.provider)) {
             const rawCreds = await providerClient.refreshToken(provider as ProviderOAuth2, providerConfig, connection);
-            const parsedCreds = this.parseRawCredentials(rawCreds, 'OAUTH2') as OAuth2Credentials;
+            const parsedCreds = this.parseRawCredentials(rawCreds, 'OAUTH2', provider as ProviderOAuth2) as OAuth2Credentials;
 
             return { success: true, error: null, response: parsedCreds };
         } else if (provider.auth_mode === 'OAUTH2_CC') {

packages/types/lib/providers/provider.ts

@@ -101,6 +101,7 @@ export interface ProviderOAuth2 extends BaseProvider {
         grant_type: 'refresh_token';
     };
     authorization_method?: OAuthAuthorizationMethodType;
+    alternate_access_token_response_path?: string;
 
     refresh_url?: string;
     expires_in_unit?: 'milliseconds';

scripts/validation/providers/schema.json

@@ -14,6 +14,9 @@
                 "display_name": {
                     "type": "string"
                 },
+                "alternate_access_token_response_path": {
+                    "type": "string"
+                },
                 "auth": {
                     "type": "object",
                     "additionalProperties": true,