Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

fix: migrate Slack integration from Bot Token to User Token for security#185

Merged
breaking-brake merged 1 commit intomainbreaking-brake/cc-wf-studio:mainfrom
feat/user-token-onlybreaking-brake/cc-wf-studio:feat/user-token-onlyCopy head branch name to clipboard
Dec 1, 2025
Merged

fix: migrate Slack integration from Bot Token to User Token for security#185
breaking-brake merged 1 commit intomainbreaking-brake/cc-wf-studio:mainfrom
feat/user-token-onlybreaking-brake/cc-wf-studio:feat/user-token-onlyCopy head branch name to clipboard

Conversation

@breaking-brake
Copy link
Copy Markdown
Owner

@breaking-brake breaking-brake commented Dec 1, 2025

Problem

Security Issue

Users could post workflows to Slack channels they had left, as long as the Bot remained in those channels.

Current Behavior

  1. User joins a Slack channel and shares a workflow
  2. User leaves the channel
  3. ❌ User can still post to the channel (via Bot Token)

Expected Behavior

  1. User joins a Slack channel and shares a workflow
  2. User leaves the channel
  3. ✅ User cannot post to the channel (User Token respects channel membership)

Solution

Migrate all Slack API operations from Bot Token (xoxb-) to User Token (xoxp-).

Key Changes

Bot Token vs User Token:

  • Bot Token (chat:write): Posts as Bot, can post to any channel Bot is in
  • User Token (chat:write): Posts as user, can only post to channels user is a member of

Changes

Extension Host:

  • slack-api-service.ts: Remove ensureClient() (Bot Token), use only ensureUserClient() (User Token) for all operations
  • slack-connect-oauth.ts: Validate User Token instead of Bot Token in OAuth response
  • slack-connect-manual.ts: Only require User Token input
  • slack-token-manager.ts: Check User Token for connection validation
  • open-editor.ts: Remove CHECK_BOT_CHANNEL_MEMBERSHIP handler

Webview:

  • SlackShareDialog.tsx: Remove Bot membership check UI
  • SlackManualTokenDialog.tsx: Remove Bot Token input field
  • slack-integration-service.ts: Remove checkBotChannelMembership() function

Types & i18n:

  • messages.ts: Remove Bot membership check types
  • Translation files: Remove Bot membership related messages

Impact

  • Security: Users can only post to channels they are members of
  • UX: Messages appear as user (not Bot), more natural
  • Simplified: No Bot membership checking needed
  • ⚠️ Breaking: Existing Bot Token connections need re-authentication

Testing

  • OAuth authentication flow works with User Token only
  • Channel list shows only channels user is member of
  • Workflow sharing posts as user
  • Manual token input accepts User Token only
  • Build passes without errors

🤖 Generated with Claude Code

@breaking-brake @claude
fix: migrate Slack integration from Bot Token to User Token
27be7c7 
- Remove Bot Token dependency, use User Token for all Slack API operations
- Update OAuth flow to validate User Token instead of Bot Token
- Remove Bot membership check (no longer needed with User Token)
- Update token manager to check User Token for connection validation
- Remove Bot Token input field from manual token dialog

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@breaking-brake breaking-brake merged commit a6d2ce9 into main Dec 1, 2025
3 checks passed
@breaking-brake breaking-brake deleted the feat/user-token-only branch December 1, 2025 03:55
@breaking-brake breaking-brake mentioned this pull request Dec 1, 2025
Merged
github-actions Bot added a commit that referenced this pull request Dec 1, 2025
@github-actions
chore(release): 2.17.2 [skip ci]
254a97f 
## [2.17.2](v2.17.1...v2.17.2) (2025-12-01)

### Bug Fixes

* migrate Slack integration from Bot Token to User Token ([#185](#185)) ([a6d2ce9](a6d2ce9))
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Dec 1, 2025

🎉 This PR is included in version 2.17.2 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

This was referenced Dec 1, 2025
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@breaking-brake
Morty Proxy This is a proxified and sanitized view of the page, visit original site.