fix: remove chat:write.public scope for better security #267
GPTI314 wants to merge 2 commits into slackapi:main from
Conversation
Changed botScopes from ["commands", "chat:write", "chat:write.public"] to ["commands", "chat:write"] to remove the overly broad public permission. The chat:write.public scope allows bots to write to channels they're not members of, which is unnecessarily permissive. Using just chat:write provides better security and privacy while maintaining necessary functionality.

Updated:
- Test data manifests (manifest-sdk.ts, manifest-sdk-app-name.ts)
- Documentation example
- Test expectations in strings_test.go
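The scope change above is easy to state but easy to regress when a manifest is copied from an example. The following is an added illustration, not code from slackapi/slack-cli or from this PR: a small least-privilege audit for the botScopes array of a Slack app manifest, run over the exact before/after scope lists from this PR as constructed input. The `BotManifest` type is an assumed minimal stand-in for the object that manifest-sdk.ts exports, and the dependency table (chat:write.public and chat:write.customize both needing chat:write) is an assumption drawn from the Slack scope reference, not from this page.

```typescript
// Added example, not code from slackapi/slack-cli or this PR.
// Audits a manifest's botScopes for scopes that widen where the bot may post.

// Assumption: minimal structural stand-in for the manifest object that
// test/testdata/manifest-sdk.ts exports; only botScopes matters here.
interface BotManifest {
  name: string;
  botScopes: string[];
}

interface ScopeFinding {
  scope: string;
  reason: string;
  replaceWith: string | null; // null: drop the scope, no replacement needed
}

// chat:write.public lets the bot post to public channels it has not been
// added to; chat:write alone only allows posting where the bot is a member.
const BROAD_SCOPES: Record<string, { reason: string; replaceWith: string | null }> = {
  "chat:write.public": {
    reason: "lets the bot post to public channels it is not a member of",
    replaceWith: "chat:write",
  },
};

// Assumption: modifier scopes that are meaningless without their base scope.
const REQUIRES: Record<string, string> = {
  "chat:write.public": "chat:write",
  "chat:write.customize": "chat:write",
};

function auditBotScopes(manifest: BotManifest): {
  findings: ScopeFinding[];
  minimalScopes: string[];
} {
  const present = new Set(manifest.botScopes);
  const findings: ScopeFinding[] = [];

  for (const scope of manifest.botScopes) {
    const broad = BROAD_SCOPES[scope];
    if (broad) {
      findings.push({ scope, reason: broad.reason, replaceWith: broad.replaceWith });
    }
    const base = REQUIRES[scope];
    if (base && !present.has(base)) {
      // A modifier without its base scope is a configuration mistake, not a
      // privilege problem, but it is still worth surfacing.
      findings.push({ scope, reason: `requires ${base}, which is not granted`, replaceWith: null });
    }
  }

  // Least-privilege list: drop broad scopes, substitute their replacement
  // (if any), de-duplicate, and preserve the original ordering.
  const minimal: string[] = [];
  for (const scope of manifest.botScopes) {
    const broad = BROAD_SCOPES[scope];
    const keep = broad ? broad.replaceWith : scope;
    if (keep !== null && !minimal.includes(keep)) minimal.push(keep);
  }
  return { findings, minimalScopes: minimal };
}

function isLeastPrivilege(manifest: BotManifest): boolean {
  return auditBotScopes(manifest).findings.length === 0;
}

// Constructed inputs: the botScopes arrays before and after this PR.
const beforeManifest: BotManifest = {
  name: "example-app",
  botScopes: ["commands", "chat:write", "chat:write.public"],
};
const afterManifest: BotManifest = {
  name: "example-app",
  botScopes: ["commands", "chat:write"],
};

for (const f of auditBotScopes(beforeManifest).findings) {
  console.log(`${beforeManifest.name}: ${f.scope} ${f.reason}` +
    (f.replaceWith ? `; use ${f.replaceWith} instead` : ""));
}
console.log("after PR is least-privilege:", isLeastPrivilege(afterManifest));
```

Running this over the pre-PR list reports chat:write.public and suggests chat:write; the post-PR list produces no findings. Wiring a check like this into CI keeps the narrower example in the docs from drifting back to the broad one.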
Thanks for the contribution! Before we can merge this, we need @claude to sign the Salesforce Inc. Contributor License Agreement.
Pull Request Overview
This PR improves security by removing the overly permissive chat:write.public scope from bot configurations. The chat:write.public scope allows bots to write to channels they're not members of, which is unnecessarily broad. The change maintains necessary functionality while following the principle of least privilege.
Key changes:
- Removed chat:write.public from botScopes arrays, keeping only commands and chat:write
- Updated test data, test expectations, and documentation to reflect the security improvement
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| test/testdata/manifest-sdk.ts | Updated test data manifest to remove chat:write.public from botScopes |
| test/testdata/manifest-sdk-app-name.ts | Updated test data manifest to remove chat:write.public from botScopes |
| internal/goutils/strings_test.go | Updated test expectations to match the new scope configuration in mock HTTP responses |
| docs/guides/using-environment-variables-with-the-slack-cli.md | Updated documentation example to reflect the security-improved scope configuration |
Thanks for the contribution! Before we can merge this, we need @claude @GPTI314 to sign the Salesforce Inc. Contributor License Agreement.
mwbrooks left a comment
Hi @GPTI314 👋🏻
Thanks for the PR and using conventional commits in the title. 👌🏻
This PR only changes our tests and a documentation example, although I agree that it does set a better example for security.
Before we can review your PR, you'll need to sign our open source CLA. It looks like the CLA is looking for @claude to sign it. Did you put together this PR with Claude Code?
@GPTI314 Ahaha I'm hoping to poke the CLA bot with closing and reopening this PR, but I cannot find how to do the second part of this 😓