arjunmat / slack-chat

A support chat feature for your website that integrates with #Slack
GNU General Public License v3.0

oauth2 auth tokens exposed #2

Closed jettero closed 8 years ago

jettero commented 9 years ago

I'm concerned that the demo wants a user api auth token, which it then uses to build the chat. It works, which is really neat btw. I was about to install it on my site when something occurred to me: What would stop someone from copying the js containing my auth token and using the auth token to inflict all manner of havoc on my slack?

Nothing?

It's not like the auth token is only good on one site or something. It'd be good anywhere anyone decided to use it. Perhaps the application tokens work differently. I haven't checked that yet.

arjunmat commented 9 years ago

@jettero Hey, thanks for this. Our focus was to enable a simple chat solution that integrates with Slack, without needing a server. If using oAuth2, we would need a server for the integration.

Will add the oAuth2 integration to the pipeline and look into the feasibility.

jettero commented 9 years ago

It's not just a minor feature problem. It gives any visitor full access to all your slackchat features and services. With your code, I could delete all your channels, create a bunch of users, make myself an admin... you name it.

People will look at the source to see how you got slack to work with pure js — and they'll notice the code and you'll just wonder what the hell happened to your slack.

bendikl commented 9 years ago

I totally agree. @improvi I urge you to put a CLEAR warning on the project's website and in the source code documentation UNTIL you fix the above implementation with a server-side (ex. Node.js / PHP) functionality filter.

The idea is great, but the current implementation exposes the api keys of many users (who are not technically inclined) and puts them at risk of having their whole slack setup deleted, abused or worse - exploited.

arjunmat commented 9 years ago

I've added a warning message against using User tokens and recommending the Bot User instead.

Also, added a sample PHP code for the server implementation when using private Channels. You will need to provide a user token in the server code to be able to create the private channel.

bendikl commented 8 years ago

Great job. Before I suggest closing this.

What about server-side sanitizing of the data that is fed into the PHP before executing anything? I'm worried it could be exploited.

Or do you think PHP does a good enough job itself in regards to your implementation? Maybe you are fully right in the way you have done it.
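As an added example (not the project's PHP sample and not any participant's code), this is the shape of the server-side functionality filter discussed above, in Node.js: the token lives only in the server's environment, and the browser can trigger exactly one whitelisted Slack method with validated arguments, so a visitor who reads the page source gets no token and no way to call anything else. The channel ID and token values are constructed placeholders.

```javascript
// Added example, not slack-chat code: a server-side filter between the browser
// and the Slack Web API. The page posts JSON {"method": "...", "args": {...}};
// the token (e.g. process.env.SLACK_TOKEN) never leaves the server.

// Constructed placeholder: the only channel visitors may post into.
const SUPPORT_CHANNELS = new Set(["C0SUPPORT01"]);

// Allowed method -> per-argument validators. Any other method
// (channels.*, users.admin.*, ...) is rejected before it reaches Slack.
const ALLOWED_METHODS = {
  "chat.postMessage": {
    channel: (v) => typeof v === "string" && SUPPORT_CHANNELS.has(v),
    text: (v) => typeof v === "string" && v.trim().length > 0 && v.length <= 2000,
  },
};

// Returns {ok:false, error} or {ok:true, request:{url, headers, body}}.
// `request` is what the server sends upstream; it is never sent to the visitor.
function buildSlackRequest(method, args, token) {
  const spec = ALLOWED_METHODS[method];
  if (!spec) return { ok: false, error: "method not allowed" };
  if (!args || typeof args !== "object") return { ok: false, error: "bad args" };
  const clean = {};
  for (const key of Object.keys(spec)) {
    if (!spec[key](args[key])) return { ok: false, error: `invalid ${key}` };
    clean[key] = args[key]; // unknown extras (as_user, username, ...) are dropped
  }
  return {
    ok: true,
    request: {
      url: `https://slack.com/api/${method}`,
      headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
      body: JSON.stringify(clean),
    },
  };
}

// HTTP handler entry point: parse the untrusted body and filter it.
// Only `status` and `error` (plus Slack's own reply) go back to the visitor;
// `upstream` is consumed server-side, e.g. fetch(upstream.url, {method:"POST", ...}).
function handleClientBody(rawBody, token) {
  let parsed;
  try { parsed = JSON.parse(rawBody); } catch (e) { return { status: 400, error: "invalid JSON" }; }
  const result = buildSlackRequest(parsed.method, parsed.args, token);
  if (!result.ok) return { status: 403, error: result.error };
  return { status: 200, upstream: result.request };
}
```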

arjunmat commented 8 years ago

Hi bendikl,

You only need to sanitize the data if you're doing database operations. Furthermore, this is just a demonstration of the server side code implementation. I'm sure it can be improved manyfold!


bendikl commented 8 years ago

Yeah, you are probably right, I was just thinking that there might be possibilities of injecting malicious API requests through the PHP.

It all seems good to me then. Should prob. close this issue.

mvaragnat commented 7 years ago

Bot tokens have a LOT of privilege. Suggesting that users should expose them client side is very dangerous. Potential dangers include

I think you have a cool, interesting project, but I'm afraid it can unintentionally mislead users to grave security risks.