Add an auth command #62
Conversation
|
This looks great! I wonder if it would be good to add a mention that the Token and Cookies should be treated as secrets. AFAIK, if you have the team, token and cookies, you can basically impersonate someone on Slack. |
cmd/gh-slack/cmd/auth.go
Outdated
| Short: "Prints authentication information for the Slack API", | ||
| Long: `Prints authentication information for the Slack API.`, |
There was a problem hiding this comment.
Maybe a simple update like this would be enough?
| Short: "Prints authentication information for the Slack API", | |
| Long: `Prints authentication information for the Slack API.`, | |
| Short: "Prints authentication information for the Slack API (treat those as secrets)", | |
| Long: `Prints authentication information for the Slack API (treat those as secrets).`, |
| {{.CommandPath}}{{end}}{{if gt (len .Aliases) 0}} | ||
| Aliases: | ||
| {{.NameAndAliases}}{{end}}{{if .HasExample}} | ||
|
|
There was a problem hiding this comment.
But I'd like to have a longer message explaining the criticality of this in the description as well. Maybe this?
| Security: | |
| Treat those values as secrets and don't share them with anyone. | |
| If someone get access to them, they will be able to impersonate you. | |
There was a problem hiding this comment.
I also am wondering if there's a way to reset the cookie so that we can add a section saying
In case of leak, run `slack auth renew`
And if it's not possible, then to add
Those values can't be manually rotated, so be careful
There was a problem hiding this comment.
You can invalidate the token and cookies by logging out of the Slack app. That does seem worth mentioning 👍. Will update.
|
I'm pretty happy with this now except for one thing. I'm a little concerned that the environment variable names output here and accepted at https://github.com/rneatherway/slack/pull/3/files#diff-2feccbe0109db2f6b93af0c4afed26af571a61438266ebd8690bf669c75d2874R19-R20 are too generic in case someone already has |
|
I'll go ahead with this, it's always possible to change if it causes problems. |
|
@rneatherway could you create a new release with this included? I just realized that 0.0.23 does not include it 🙏 |
|
Sure, done 😁 |
To be used like this:
Then you will have
SLACK_TOKENandSLACK_COOKIESset in the environment and can (with rneatherway/slack#3) use other slack commands as you wish.The main use is during development you don't have to keep unlocking the MacOS keychain. "Always allow" doesn't help because the binary changes on every compile.
@nobe4 we discussed this a while back. What do you think?