Closed dmittman closed 8 years ago
Thanks for the feedback @dmittman. I agree that the scopes requested can be trimmed down. files:read was added originally to provide an "undo post" option to Slackcat; however, the additional scope is ultimately not worth the convenience. I'll keep this issue open to track minimizing permissions as much as possible for the next release.
Concerning the --configure
process, authorization with the Slack API is done via OAuth2.0, so only the initial auth request code is provided to http://slackcat.chat/auth which gets exchanged for a token from Slack, displayed to the user. This extra step in OAuth2.0 is intended to provide an extra layer of authorization by verifying the request came from the same application. Additionally, we do have an explanation of our privacy policy here.
files:read has been removed as of the latest release. If have any other input; please do feel free to re-open this issue. Thanks!
Could we reopen this, the scope seems pretty excessive. Why do you need emails and profile information of all team members?
@treeder currently, users:read scope is only needed for username->Slack ID matching. The matching is used to verify the given user exists prior to posting to an IM channel, as well as in the --list
option to print human-readable channel targets.
It is possible now to remove that scope; however, there would be no verification that the given channel exists until the message stream or upload is started, at which point it would receive an error from the Slack API.
Some of the scopes requested don't seem necessary for the proper operation of Slackcat, for instance, files:read. Instead of scope being
I modified it to be
and I was still able to post text from stdin and upload a jpg. Some of the users in my Slack team have expressed concern about using Slackcat because it asks for more scope than seems necessary.
Also, the
--configure
process sends the authorization token to http://slackcat.chat, perhaps just for the purpose of displaying the next step in the configuration process. However, since these tokens are like passwords, sending a password to any third party system as part of service setup seems like a bad policy. The "echo" next step could perhaps as easily been output to the terminal instead of being served from the slackcat web server.