unsplash / mercury

The guide of souls to the underworld.
https://unsplash.github.io/mercury/
MIT License

Avoiding public misuse #9

Closed samhh closed 1 year ago

samhh commented 1 year ago

In terms of authentication we act as a proxy in front of the Slack API. This poses the risk that someone uses their own access token on our hosted instance - which will be visible in public repos - to send messages to their own instance.

This is particularly unlikely given that they can't be sure we won't steal their access token, but I thought it's worth documenting.

It should be noted that this is an improvement over Otto which allows anyone to post arbitrary messages to our own Slack instance.

samhh commented 1 year ago

This can be solved during the implementation of #11. The Mercury instance will need a Slack token to forward to Slack on receipt of a valid Heroku webhook request. This can be reused to check the token supplied by Slack message clients.
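The check described above, as an added illustration that is not the project's own code: the proxy compares the bearer token a message client supplies against the token the instance itself is configured with, and only forwards to Slack on a match. The header format, the `handle_message` signature and the sample token value are assumptions made for this example.

```python
import hmac
from typing import Callable, Mapping, Optional

# Token the hosted instance is configured with. Constructed placeholder,
# not a real Slack token and not a value from the project.
INSTANCE_SLACK_TOKEN = "xoxb-CONSTRUCTED-EXAMPLE-TOKEN"


def extract_bearer(headers: Mapping[str, str]) -> Optional[str]:
    """Return the token from an 'Authorization: Bearer <token>' header,
    or None when the header is missing or uses a different scheme."""
    value = headers.get("Authorization") or headers.get("authorization")
    if value is None:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def authorize_request(headers: Mapping[str, str],
                      expected_token: str = INSTANCE_SLACK_TOKEN) -> bool:
    """A request may be forwarded only if the client-supplied token equals
    the instance's own token, i.e. the caller already holds the credential
    the proxy would use. compare_digest keeps the comparison constant-time
    so response timing does not reveal how much of a guess was right."""
    supplied = extract_bearer(headers)
    if supplied is None:
        return False
    return hmac.compare_digest(supplied.encode(), expected_token.encode())


def handle_message(headers: Mapping[str, str], payload: dict,
                   forward: Callable[[dict], None]) -> dict:
    """Gate in front of the upstream Slack call. `forward` is whatever
    sends the payload to Slack; a rejected request never reaches it."""
    if not authorize_request(headers):
        return {"status": 401, "forwarded": False}
    forward(payload)
    return {"status": 200, "forwarded": True}
```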

samhh commented 1 year ago

We now authenticate the token ourselves as well: https://github.com/unsplash/mercury/commit/82debc3d9efae0b70440f2f64978b2589427748e

README will be updated later along with the Heroku webhook implementation.