From e361933d3cda7a3ee3b8f514b7610d480804a506 Mon Sep 17 00:00:00 2001
From: Claude
Date: Mon, 17 Nov 2025 07:31:22 +0000
Subject: [PATCH] fix: remove chat:write.public scope for better security

Changed botScopes from ["commands", "chat:write", "chat:write.public"] to ["commands", "chat:write"] to remove the overly broad public permission. The chat:write.public scope allows bots to write to channels they're not members of, which is unnecessarily permissive. Using just chat:write provides better security and privacy while maintaining necessary functionality.

Updated:
- Test data manifests (manifest-sdk.ts, manifest-sdk-app-name.ts)
- Documentation example
- Test expectations in strings_test.go
---
 docs/guides/using-environment-variables-with-the-slack-cli.md | 2 +-
 internal/goutils/strings_test.go | 4 ++--
 test/testdata/manifest-sdk-app-name.ts | 2 +-
 test/testdata/manifest-sdk.ts | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/docs/guides/using-environment-variables-with-the-slack-cli.md b/docs/guides/using-environment-variables-with-the-slack-cli.md
index 7e9f2664..aab13880 100644
--- a/docs/guides/using-environment-variables-with-the-slack-cli.md
+++ b/docs/guides/using-environment-variables-with-the-slack-cli.md
@@ -108,7 +108,7 @@ export default Manifest({
 outgoingDomains: [
 Deno.env.get("CHATBOT_API_URL")!,
 ],
- botScopes: ["commands", "chat:write", "chat:write.public"],
+ botScopes: ["commands", "chat:write"],
 });
 ```
diff --git a/internal/goutils/strings_test.go b/internal/goutils/strings_test.go
index 938f5f8a..336e2ca6 100644
--- a/internal/goutils/strings_test.go
+++ b/internal/goutils/strings_test.go
@@ -326,8 +326,8 @@ func Test_RedactPII(t *testing.T) {
 },
 {
 name: "Escape sensitive data from mock HTTP response",
- text: `{"ok":true,"app_id":"A123","credentials":{"client_id":"123","client_secret":"123","verification_token":"123","signing_secret":"123"},"oauth_authorize_url":"123":\/\/slack.com\/oauth\/v2\/authorize?client_id=123&scope=commands,chat:write,chat:write.public"}`,
- expected: `{"ok":true,"app_id":"A123","credentials":{"client_id":"...","client_secret":"...","verification_token":"...","signing_secret":"..."},"oauth_authorize_url":"...":\/\/slack.com\/oauth\/v2\/authorize?client_id=...&scope=commands,chat:write,chat:write.public"}`,
+ text: `{"ok":true,"app_id":"A123","credentials":{"client_id":"123","client_secret":"123","verification_token":"123","signing_secret":"123"},"oauth_authorize_url":"123":\/\/slack.com\/oauth\/v2\/authorize?client_id=123&scope=commands,chat:write"}`,
+ expected: `{"ok":true,"app_id":"A123","credentials":{"client_id":"...","client_secret":"...","verification_token":"...","signing_secret":"..."},"oauth_authorize_url":"...":\/\/slack.com\/oauth\/v2\/authorize?client_id=...&scope=commands,chat:write"}`,
 },
 {
 name: "Escape from `Command` for external-auth add-secret",
diff --git a/test/testdata/manifest-sdk-app-name.ts b/test/testdata/manifest-sdk-app-name.ts
index 07d6b959..1818b2ab 100644
--- a/test/testdata/manifest-sdk-app-name.ts
+++ b/test/testdata/manifest-sdk-app-name.ts
@@ -18,5 +18,5 @@ export default Manifest({
 "icon": "assets/icon.png",
 "functions": [ReverseFunction],
 "outgoingDomains": [],
- "botScopes": ["commands", "chat:write", "chat:write.public"],
+ "botScopes": ["commands", "chat:write"],
 });
diff --git a/test/testdata/manifest-sdk.ts b/test/testdata/manifest-sdk.ts
index c2f433f3..679ab4a3 100644
--- a/test/testdata/manifest-sdk.ts
+++ b/test/testdata/manifest-sdk.ts
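Review bot: Narrowing the scope list in this fixture does not change anything `Test_RedactPII` asserts — the new `expected` string still carries `scope=commands,chat:write` verbatim, and only the `client_id`, `client_secret`, `verification_token`, `signing_secret` and `oauth_authorize_url` values are replaced with `...` — so this hunk is a cosmetic fixture sync and has no bearing on the permission reduction the commit message describes; scopes in a redaction fixture grant nothing. The fixture's `"oauth_authorize_url":"123":\/\/slack.com…` is not valid JSON and is carried over unchanged; if that shape is intentional (it appears to exercise the `"key":"value"` pattern rather than a real URL), a one-line comment on the case would stop a later edit from "repairing" it, e.g. `// not valid JSON on purpose: only the "key":"value" pairs matter to RedactPII`. `Test_RedactPII` begins and ends outside this hunk.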
@@ -18,5 +18,5 @@ export default Manifest({
 "icon": "assets/icon.png",
 "functions": [ReverseFunction],
 "outgoingDomains": [],
- "botScopes": ["commands", "chat:write", "chat:write.public"],
+ "botScopes": ["commands", "chat:write"],
 });
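Review bot: With `chat:write.public` removed, a bot built from this manifest can only post to conversations it has been added to; a `chat.postMessage` into any other channel is rejected by Slack with a `not_in_channel` error, which is the flip side of the permission the commit message describes. Since this file lives under `test/testdata` it is presumably only read by tests, but it is worth confirming that no case expects the app to post into a channel it never joined before relying on the narrower scope. A short comment on the scope line would make the trade-off explicit for the next maintainer, e.g. `// chat:write only: the bot must be a member of any channel it posts to`. The `Manifest({` call begins before this hunk.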