Slack机器人令牌应如何存储?

huangapple go评论57阅读模式
英文:

How should Slack bot tokens be stored?

问题

我正在构建我的第一个Slack机器人,基本功能已经大部分完成...发送API请求、接收命令和事件等等。但是让我感到有些困惑的部分是关于我应该如何处理"Bot User OAuth Access Token"。

这个令牌似乎在团队/工作区之间共享,但是它是通过调用/oauth.v2.access来进行个别用户的身份验证时返回的。目前,我将返回的凭证数据存储在一个具有三列的表中:

  • 我的应用程序的内部用户ID
  • 嵌入在凭证数据中的Slack用户ID,作为authed_user.id
  • 整个JSON凭证数据本身(如果您感兴趣的话,这是Postgres中的jsonb

这使我能够发起新的API调用,用于在我的应用程序中发生的操作(按内部用户ID查找),以及用于Slack内部的互动(按Slack用户ID查找)。

让我感到有些困惑的是,当一个用户与我的机器人互动,但尚未添加我的应用程序时,应该遵循什么惯例。当一个人("Jose")添加我的应用程序,然后他们的同事("Mary")在Slack中发现它并查看主屏幕、发送消息等时,就会发生这种情况。

为了采取一些行动,比如提示用户安装我的应用程序,我需要一个令牌。当然,我有Jose的令牌,但没有Mary的令牌。我还将Jose的团队ID存储在我的表中,而Mary的团队ID是作为传入事件的一部分。所以从技术上讲,我可以这样做,以获取一个可以与Mary互动的工作令牌:

select credential_json from slack_credentials
where credential_json->>'type' = 'bot' and credential_json->'team'->>'id' = :marysTeamId

... 这将提取出Jose添加应用程序时捕获的机器人令牌。这种方法可以行得通,但感觉很"不对"。我想,如果我只是将机器人令牌存储在一个看起来像这样的团队中心的表中:

  • 嵌入在凭证数据中的Slack团队ID,作为team.id
  • 一些JSON凭证数据的子集(例如:access_tokenscopebot_user_id等,但不包括authed_user

那么它就不会感觉那么不正当。但是文档和API的使用方式也没有暗示这是一个常见的方法。所以我很好奇其他人是如何处理的。如果我没有听到任何回复,我想我的计划是将机器人令牌拆分到一个团队中心的表中。

谢谢!

英文:

I'm building my first Slack bot and I've got the basics mostly working... sending API requests, receiving commands and events, etc. But the part I'm left a bit confused about is what I'm supposed to do with the "Bot User OAuth Access Token".

The token appears to be shared across teams/workspaces, but it is returned to be during authentication of individual users with a call to /oauth.v2.access. Currently I'm storing the returned credentials payload in a table that has three columns:

  • My app's internal user ID
  • The Slack user ID embedded in the payload as authed_user.id
  • The entire JSON payload itself (jsonb in postgres if you're curious)

This allows me to initiate new API calls for actions that take place in my app (find by internal user ID) and also for interactions within Slack (find by Slack user ID).

What has left me a bit puzzled is what the convention is for when a user interacts with my bot that hasn't added my app. This can happen when a person ("Jose") adds my app and then their colleague ("Mary") discovers it in Slack and views the home screen, sends it a message, etc.

In order to take some action, such as prompt for the user to install my app, I need a token. Of course I have a token for Jose but not for Mary. I also have Jose's team ID stored in my table and Mary's team ID as part of the incoming event. So technically I could do something like this to get a working token to interact with Mary:

select credential_json from slack_credentials
where credential_json->>'type' = 'bot' and credential_json->'team'->>'id' = :marysTeamId

... which would pull out the bot token I captured when Jose added the app. This works, but it feels very wrong. I suppose if I just stored bot tokens in a separate table that looked like this:

  • The Slack team ID embedded in the payload as team.id
  • A subset of the JSON payload (ex: access_token, scope, bot_user_id, etc but not authed_user)

Then it wouldn't feel so yucky. But the docs + API ergonomics don't suggest this is a common approach either. So I'm curious what others do. If I don't hear anything back, I suppose my plan is to break out the bot tokens into a team-centric table.

Thanks!

答案1

得分: 2

Slack应用的基本概念是它们是按工作区安装的,而不是按用户安装的。

因此,虽然应用的令牌是从将您的应用安装到新工作区的用户派生的,但大多数应用的功能对工作区的所有用户都可用。

例如,斜杠命令将适用于每个频道中的每个用户
例如,您的应用程序的帖子将对相关频道的所有用户可见。

因此,通常最好的存储令牌的方法是使用Slack团队ID和Slack用户ID作为主键。

只是为了澄清一下。您不需要令牌来提示用户安装您的应用程序。每个应用程序都可以从您托管的网页(使用“添加到Slack”按钮)或直接从应用程序目录中安装。

英文:

The basic concept of Slack apps is that they are installed per workspace, not per user.

So while it's true that the app's token is derived from the user who installed your app to a new workspace, most the apps function are available to all users of the workspace.

e.g. slash commands will work for every user in every channel
e.g. posts of your app will be visible to all users of the related channel.

Therefore the best approach for storing tokens usually is with a primary key of Slack Team ID, Slack User ID.

And just to clarify. You do not need a token to prompt a user to install you app. Every app can be installed from webpage hosted by you (with the "Add to Slack button") or directly from the App Directory.

huangapple
  • 本文由 发表于 2020年1月4日 01:06:43
  • 转载请务必保留本文链接:https://go.coder-hub.com/59582536.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定