slackapi / slack-api-specs

Open API specifications for platform products by Slack
MIT License

Q: Bot vs. User token for reminders methods #60

Closed krissirk closed 3 years ago

krissirk commented 3 years ago

Description

The add reminders method (as well as complete and delete) only accepts a User token; however, I can assign the reminders:write scope to the Bot token, which would never come into play - why include the Bot token here?

Further, even when you do provide a User token and call the method via the Web API, the "Slackbot" is what adds the reminder in Slack, which is confusing. What is the interplay between the User and Bot token in this case of managing reminders via the API?


srajiang commented 3 years ago

Hi @krissirk - You're right that the documentation in this case is incorrect. As you've pointed out, the reminders:write (and reminders:read) scopes are available on User token types only and should NOT be available as a selection for the bot token in the App Configuration pages or listed in documentation.

I'll share this with the internal team to get these corrected and will report back if we're notified that the issue is resolved. Thank you for raising this and helping to make our public docs better! 🥇

> Further, even when you do provide a User token and call the method via the Web API, the "Slackbot" is what adds the reminder in Slack, which is confusing.

It was confusing to me too at first as to why an app with a User token scoped with reminders:write wouldn't just post AS the user, and I had to think a little about it:

One way I look at it is from the perspective of what the app installer has actually authorized. In this case, the user grants permission for the application to create reminders on their behalf. A narrow reading of that says that the user doesn't give the bot permission to create reminders AS them or post under their identity.

Let us know whether that's helpful!

srajiang commented 3 years ago

Hi @krissirk - I wanted to let you know that we've corrected the available scopes on the Bot Token so that it no longer incorrectly shows reminders:write and reminders:read. The docs are also corrected here and here.

Appreciate you surfacing this! I will go ahead and mark this as closed.
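As an added example (not part of the thread and not Slack's code), this scope audit flags the misconfiguration discussed above: a user-only reminders scope requested on the bot token, where it grants nothing useful. The manifest contents, function names and token strings are constructed for illustration; the `oauth_config.scopes.bot` / `user` layout and the `xoxb-` / `xoxp-` prefixes are assumed to match Slack's app manifest and token formats.

```python
import json

# Scopes this thread states are valid on User tokens only.
USER_ONLY_SCOPES = {"reminders:read", "reminders:write"}

# Constructed sample manifest (not a real app).
SAMPLE_MANIFEST = json.loads("""
{
  "display_information": {"name": "reminder-helper"},
  "oauth_config": {
    "scopes": {
      "bot": ["chat:write", "reminders:write"],
      "user": ["reminders:read"]
    }
  }
}
""")


def audit_scopes(manifest):
    """Return (token_type, scope, finding) tuples for misplaced reminders scopes."""
    scopes = manifest.get("oauth_config", {}).get("scopes", {})
    bot = set(scopes.get("bot", []))
    user = set(scopes.get("user", []))
    findings = []
    for scope in sorted(bot & USER_ONLY_SCOPES):
        findings.append(("bot", scope, "user-only scope requested on bot token"))
        if scope not in user:
            # The only token type that can use the scope does not request it.
            findings.append(("user", scope, "scope missing from user token"))
    return findings


def token_kind(token):
    """Classify a token by prefix: xoxp- is a user token, xoxb- a bot token."""
    if token.startswith("xoxp-"):
        return "user"
    if token.startswith("xoxb-"):
        return "bot"
    return "unknown"


def may_call_reminders(token):
    """Pre-flight check: reminders methods accept a User token only."""
    return token_kind(token) == "user"


if __name__ == "__main__":
    for token_type, scope, finding in audit_scopes(SAMPLE_MANIFEST):
        print(f"{token_type}: {scope}: {finding}")
```
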