bcicen
commented
8 years ago Thanks for the feedback @dmittman. I agree that the scopes requested can be trimmed down. files:read was added originally to provide an "undo post" option to Slackcat; however, the additional scope is ultimately not worth the convenience. I'll keep this issue open to track minimizing permissions as much as possible for the next release.
Concerning the --configure process, authorization with the Slack API is done via OAuth2.0, so only the initial auth request code is provided to http://slackcat.chat/auth which gets exchanged for a token from Slack, displayed to the user. This extra step in OAuth2.0 is intended to provide an extra layer of authorization by verifying the request came from the same application. Additionally, we do have an explanation of our privacy policy here.
treeder
Some of the scopes requested don't seem necessary for the proper operation of Slackcat, for instance, files:read. Instead of scope being
I modified it to be
and I was still able to post text from stdin and upload a jpg. Some of the users in my Slack team have expressed concern about using Slackcat because it asks for more scope than seems necessary.
Also, the
--configureprocess sends the authorization token to http://slackcat.chat, perhaps just for the purpose of displaying the next step in the configuration process. However, since these tokens are like passwords, sending a password to any third party system as part of service setup seems like a bad policy. The "echo" next step could perhaps as easily been output to the terminal instead of being served from the slackcat web server.