search Slack messages as a bot - slack-api

I have a Slack App (source code) where I want to send reminders to channels where a certain piece of text has been mentioned the most on a schedule. It works, but there's a limitation:
The search.messsages API method only supports user tokens. I want this to run in the background, without interaction. Approaches that have come to mind:
Store my personal user token
Con: Would allow others with access to the token to be able to see my private messages
Create a fake user whose only purpose is that user token
Con: Have to pay for that fake user indefinitely, manage shared credentials, etc.
Any other ideas?

Here is what you can do:
Switch on distribution of the Slack app.
Have the admin, or an existing user on the Slack channel install the app. During the time of installation, you can ask for permissions with user token and search:read scope.
Now you can make all the searches using this user's token. You'll need to plan for the scenario where this user is deleted from the Slack workspace, your user token will stop working.
I don't think there is a way to control it from searching for your personal messages. Search functionality is dependent on the user token.

Related

Is it possible to get a webhook/event at the user level for the Slack API?

I would like to build an app where users add a configuration and I can retrieve their user token so the app can act on behalf of the user.
I would like to be able to receive webhook events (much like if a bot user were in a public or private channel) whenever the user receives a message, is this possible?
A while back you could achieve this with a personal user token and hooking into the event stream via sockets but this has been deprecated.
Did some snooping, they moved the User Tokens over to the same area as the Bot tokens. You DON'T have to do some weird configuration if the app is installed by you, you automatically get a new user token section.
You can then go to the Events section and subscribe to events on behalf of users.

How do you "reset" a user's TOTP in Twilio?

I am using Twilio's verify API for TOTP services (Authy, Google Authenticator, etc).
I am trying to figure out how to handle the case where a user has lost access to their phone and cannot get past the TOTP 2FA challenge. Can I create a new Factor for that user and somehow "invalidate" the previous one?
Anyone know how to do this?
You can delete a factor, which would remove it from the entity. You can then create a new factor.
How to handle how you re-enable access to the user's account in your system is up to you though. Presumably after the user has convinced your support team that they are the rightful owner of the account, you could turn off 2FA verification for their account, allowing them to log in, and then have them go through 2FA set up again themselves. You might also want to consider generating back up codes which they can use in the case that they lose their device again.

Slack Oauth: Automatically authorize user if user had already authorized app

I’m working on a Slack app that a user can install to a workspace using Slack’s Oauth flow. After installing and configuring the app, I’m using Oauth to allow the user to log in and make changes to the app configuration.
The flow for a new user uses the "Add to Slack" button which asks the user to agree to allow bot and identity.* scopes after which my app retrieves and stores bot and user tokens.
Now I'd like to allow the same user to sign in using the "Sign in with Slack" Oauth flow. Per the Slack documentation, the "Sign in with Slack" flow allows just this using the same /oauth/authorize endpoint, but requests only one of the identity.* scopes (I'm using identity.basic):
Sign in with Slack
The user has already authorized my app for bot and identity.* scopes on the initial app install, but surprisingly he/she is re-prompted to confirm allowing my app identity.* scopes on each "Log in with Slack" action.
The slack documentation implies that subsequent login attempts will result in an automatic redirect:
After a user clicks your Sign in with Slack button, their web browser should arrive on Slack's servers.
Your application will wait patiently while the user handles some business or Slack just sends them on their way back to your redirect URL.
(emphasis mine)
However, Slack always requests that the user (re-)authorize my app for identity.* scopes. How can I log users in using Slack with a one-click flow?
Update: Response from Slack
I reached out to the Slack team and got this response:
Unfortunately it looks like we'll need to update the documentation as for the moment what's described there is not accurate. Particularly:
Returning users won’t be distracted by unnecessary approvals, we’ll send them back to your site, service, or app as fast as we can!
Due to a change we made to our authentication flow where we now allow users to select what workspace they're authing with, we present them with the "scopes" or "permissions" page again.
This is definitely something we should consider make better but for the time being it's the expected behaviour and we're going to revise the documentation to eflect that.
Sorry for the bad news.
As of 11/17/19 the Sign in with Slack documentation has not been updated.
For your requirement to implement a web page that is linked to your Slack app with authenticated Slack user you have two alternatives:
Sign-in with Slack
One approach would be to use Sign-in with Slack to authenticate users for your web page. This allows you to clearly authenticate users. However, the drawback is that users would have to repeat the login process every time they open this web page again. This can be somewhat mitigated by using cookies to keep users logged in between browser restarts until they manually log out of the web app.
Note that this auth process is independent from the user logging into his Slack workspace.
Own authentication
Alternatively you can let users directly open your web app from Slack, e.g. by clicking a link button you provide. This URL needs to include information that would allow your web app to get the users current context, e.g. his Slack and User ID.
Note that this URL can be obtainable and potentially misused by a user, so you would need to add measure to protect it e.g. by encrypting the IDs or by adding a secure hash or a one time token ...

How to identify existing users after authenticating via Slack OAuth?

I have an web application with existing users and user ids (i.e. not Slack user ids). I'd like to allow my users to install my new Slack app.
How do I know which of my users connects to Slack using OAuth and installs my app? I know you can request email but what if the Slack email is different from the email address used to originally sign up to my application.
It's crucial that I know which Slack users are linked to my existing users. Is there a way to send my existing users' user_id through the OAuth process so I know how to link a Slack user to one of my users?
Potential Solutions?
User's cookie will allow me to identify them upon the Slack OAuth
redirect.
Use the state variable as a way to identify a user on my
site
I would not use the state property to transfer user information. It's theoretical possible, but would defy the purpose of the state property as security measure.
Instead you just need to keep the user context on your website during the Oauth process (e.g. by storing the user ID in a server session), so you can store the connection between your custom user ID and the Slack user ID later.
Here is the full process:
You users will first need to log-in to your website to identify
themselves.
Your website will then have the user ID of the user and need to keep
this context, e.g. in a server session.
Next your user has the option to install your Slack app. After the
installation is finished the Oauth process will automatically
redirect your user back to your website.
You can then get the current user ID by calling auth.test
with the access token you just received.
Finally have both the custom user ID and the Slack user ID an can store
this connection, e.g. in your database for future reference.
Alternatively you can add this information to the Slack user as
custom property with users.profile.set

Twitter API: Separate read and read/write tokens

On my site users should be able to authenticate using their twitter account. Another optional feature is, that users should be able to have tweets sent in their name on certain events.
For this I've setup the twitter application to be read & write.
My problem now is, when a user is using twitter to authenticate, then he is automatically also granting read/write permissions. But I'd like to leave it up to the user to decide at a later stage if he trusts me enough, to grant me this permission..
I can't find any setting/parameter in the api which would allow this split. The only solution I can currently see, is splitting the twitter app into two: One read-only app for authentication and one read-write app for tweeting etc.
Send users to https://api.twitter.com/oauth/authorize?oauth_token=xyz and add a parameter of oauth_access_type with a value of read. That should restrict that particular user to read only permissions.
https://groups.google.com/forum/#!topic/twitter-development-talk/1P765h9ecBk

Resources