Open forestaa opened 5 months ago
Hi @forestaa, thanks for sharing this! In this scenario, the user token data must be removed, so the Prisma implementation needs improvements!
Thank you for your quick response! I understand this behavior is not expected.
I have another question.
Should fetchInstallation
return an user.token
if the userId is not specified in query?
Currently both FileInstallationStore.fetchInstallation
and PrismaInstallationStore.fetchInstallation
return an user.token
in such case, but I'm not sure if this is appropriate behavior.
(I should have open an issue in https://github.com/slackapi/node-slack-sdk, but what do you think?)
I don't think the user token for the app installer should be always removed when a user ID is not given in query. It depends on your requirements. For example, when you build an app that utilizes an admin user's previledges only when certain conditions are surtisfied (e.g., submit a request using modal and then use admin APIs with an admin's user token when it's safe enough), having both bot and user tokens in authorize result should be convenient.
If you think the user token should be consistently omitted, you can implement your own InstallationStore in the way. There is no issue that can prevent you from implementing it on the node-slack-side side.
Regarding this project, my opinion is that 1) when the query has a user ID, the user token must be the user's one, 2) when the query does not have a user ID, the full information including the installed user's token should be kept as-is. Adding an option to customize 2) behavior like you mentioned may be a good addition too, though.
I indeed understand it is convenient in such a case. Thank you for the detailed explanation. I really appreciate it.
Hi, thank you for your awesome extensions!
I have a question about the behavior of
PrismaInstallationStore.fetchInstallation
(and other implementations in this repository), which is different fromFileInstallationStore.fetchInstallation
's if userId is specified in the query.FileInstallationStore.fetchInstallation
returns installation data withoutuser.token
if the specified user's installation data is not found. (see https://github.com/slackapi/node-slack-sdk/blob/664db4e58d5a7b7082d3006b969e82a4b459402e/packages/oauth/src/installation-stores/file-store.ts#L84-L87) However,PrismaInstallationStore.fetchInstallation
returns full installation data with different user's token even if the specified user's installation data is not found.Is this behavior is expected? (There will be no problem as long as all users install the app before use it because everyone's installation is always found, I think.)
Here is sample code.
Execution result:
fileInstallationStore.fetchInstallation
deletesuser.token
anduser.scopes
, butPrismaInstallationStore
doesn't and return user1's token.