slackapi / deno-slack-sdk

SDK for building Run on Slack apps using Deno
https://api.slack.com/automation
MIT License

[BUG] PermissionDenied: Requires env access to all #207

Closed onmax closed 1 year ago

onmax commented 1 year ago

The deno-slack versions

```
$ cat import_map.json | grep deno-slack
"deno-slack-sdk/": "https://deno.land/x/deno_slack_sdk@2.2.0/",
"deno-slack-api/": "https://deno.land/x/deno_slack_api@2.1.1/"
```

Deno runtime version

```
$ deno --version
deno 1.32.0 (release, x86_64-unknown-linux-gnu)
v8 11.2.214.9
typescript 5.0.2
```

OS info

Deployment

Describe the bug

I get the following error:

Caught error from user supplied module: PermissionDenied: Requires env access to all, run again with the --allow-env flag

Steps to reproduce

You can find my code on GitHub in this repo

These are the commands I execute:

  1. `slack run` and then I execute the workflow successfully
  2. `slack trigger update trigger-id {ID_TRIGGER}` -> Gets redeployed
  3. `slack deploy`
  4. Execute the workflow and it fails in step 2.

Expected result

I would expect the same behaviour as when I run it locally

Actual result

Logs

Running `slack platform activity -t -v` I get:

```
2023-08-25 14:17:27 [info] [Fn05BNHPTMRD] (Trace=Tr05PVPNULCR) Function output:
    Caught error from user supplied module: PermissionDenied: Requires env access to all, run again with the --allow-env flag
        at Object.toObject (ext:runtime/30_os.js:96:16)
        at readEnv (file:///var/task/functions/create_establishment_with_place_id.js:2822:21)
        at assertSafe (file:///var/task/functions/create_establishment_with_place_id.js:2801:24)
        at load (file:///var/task/functions/create_establishment_with_place_id.js:2774:9)
        at eventLoopTick (ext:core/01_core.js:183:11)
        at async file:///var/task/functions/create_establishment_with_place_id.js:2845:1
```

Probably it is a small error. But I cannot spot it. 🙂

filmaj commented 1 year ago

I see in the util/database.ts there is a call to load() from the dotenv dependency in the top-level module scope. This file also exports a couple of addEstablishment* methods. These in turn are used in your function logic. So the final bundled function file that executes remotely (or locally), as soon as the functions are invoked, will try to call the dotenv module's load method.

According to the dotenv docs, this method needs both file-reading and env-reading access. Custom functions deployed to Slack do not run with the --allow-env permission. So that is the problem!

filmaj commented 1 year ago

I don't think you need to use the dotenv dependency in your code. Have you read our documentation on environment variables? When locally running your app using slack run, the CLI tool will automatically load your local .env file and populate the env function input parameter, while when deployed, the values you added using slack env will be available in the env function input parameter.

Let me know if that makes sense or if I misunderstood something.

onmax commented 1 year ago

That was the issue in fact! Thank you.

ChuckJonas commented 5 months ago

@filmaj This is a serious issue and needs to be reopened! I'm trying to use https://deno.land/x/openai@v4.32.1, but because the library accesses the OPENAI_BASE_URL env, I get an error:

Requires env access to "OPENAI_BASE_URL", run again with the --allow-env flag

Even after manually adding the variable with:

slack env add OPENAI_BASE_URL https://api.openai.com/v1

I still get an error...

filmaj commented 5 months ago

Do you get this error in a deployed context, or locally when you slack run?

ChuckJonas commented 5 months ago

@filmaj no issues when running locally. I only get this issue when running the deployed app...

seratch commented 5 months ago

Reading real env variables on the Slack hosting servers is not allowed. Thus, if a 3rd party library tries to read env variables internally, unfortunately it's not feasible to use it in production. slack env is just a mechanism to pass env-ish string data to your custom function as an argument. When it comes to the OpenAI library, what happens if you pass all {baseURL, apiKey, organization} explicitly? Doing so may prevent the library from reading env variables for default values.
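
The workaround described in the comment above, modelled as an added example that is not part of the thread and is not SDK or openai library code. `FakeClient`, `deniedEnvRead`, `optionsFromEnv` and `handler` are hypothetical names, the key value in use is constructed, and the client's fallback to environment defaults for unset options is an assumption standing in for a third-party library.

```typescript
// Added example: a model of the failure in this thread, not SDK or openai code.
type Env = Record<string, string | undefined>;
type Options = { baseURL?: string; apiKey?: string; organization?: string | null };

// Stand-in for the hosted runtime: every ambient env read is refused.
function deniedEnvRead(name: string): never {
  throw new Error(`PermissionDenied: Requires env access to "${name}"`);
}

// Hypothetical client that falls back to the ambient environment
// only for options the caller left undefined (assumed library behaviour).
class FakeClient {
  readonly baseURL: string;
  readonly apiKey: string;
  readonly organization: string | null;
  constructor(opts: Options, readEnv: (name: string) => string = deniedEnvRead) {
    this.baseURL = opts.baseURL ?? readEnv("OPENAI_BASE_URL");
    this.apiKey = opts.apiKey ?? readEnv("OPENAI_API_KEY");
    this.organization = opts.organization !== undefined
      ? opts.organization
      : readEnv("OPENAI_ORG_ID");
  }
}

// Turn the `env` handler argument (filled from .env by `slack run`, from
// `slack env add` when deployed) into fully explicit client options.
function optionsFromEnv(env: Env): Required<Options> {
  const { OPENAI_BASE_URL: baseURL, OPENAI_API_KEY: apiKey } = env;
  if (!baseURL || !apiKey) {
    throw new Error("Missing in env argument: OPENAI_BASE_URL and/or OPENAI_API_KEY");
  }
  const organization = env.OPENAI_ORG_ID ?? null; // null is still an explicit value
  return { baseURL, apiKey, organization };
}

// Handler shaped like a custom function: configuration arrives as an argument,
// so nothing runs at module load time and no ambient env read is attempted.
function handler({ env }: { env: Env }): { outputs: { baseURL: string } } {
  const client = new FakeClient(optionsFromEnv(env));
  return { outputs: { baseURL: client.baseURL } };
}
```

Leaving any one option undefined is enough to reach the denied read, which is why all three are set, including `organization` as `null`.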

ChuckJonas commented 5 months ago

@seratch ya that did the trick!

Should have noticed that workaround myself; my brain must be fried from integrating the files API between slack and OpenAI 😵‍💫

Still, this is an interesting limitation that definitely puts things a bit "out of your own control". I started to submit a PR to openai to see if it's possible to check for --allow-env using the permissions API, but unfortunately it's an async call so not really possible