Add an auth command #62
This looks great! I wonder if it would be good to add a mention that the Token and Cookies should be treated as secrets. AFAIK, if you have the team, token and cookies, you can basically impersonate someone on Slack.
cmd/gh-slack/cmd/auth.go
Outdated
Short: "Prints authentication information for the Slack API", | ||
Long: `Prints authentication information for the Slack API.`, |
Maybe a simple update like this would be enough?
Short: "Prints authentication information for the Slack API", | |
Long: `Prints authentication information for the Slack API.`, | |
Short: "Prints authentication information for the Slack API (treat those as secrets)", | |
Long: `Prints authentication information for the Slack API (treat those as secrets).`, |
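Review bot: the suggested Short and Long strings are still word-for-word identical, and "those" in "(treat those as secrets)" has no noun to refer to in a one-line summary. Consider naming the values in Short, for example "Prints the Slack API token and cookies (treat them as secrets)", and keeping Long for the fuller explanation of why they are sensitive.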
{{.CommandPath}}{{end}}{{if gt (len .Aliases) 0}} | ||
Aliases: | ||
{{.NameAndAliases}}{{end}}{{if .HasExample}} | ||
|
But I'd like to have a longer message explaining the criticality of this in the description as well. Maybe this?
Security: | |
Treat those values as secrets and don't share them with anyone. | |
If someone get access to them, they will be able to impersonate you. | |
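Review bot: in the last line of the suggested Security text, "If someone get access" should read "If someone gets access". "Impersonate you" would also be clearer as "impersonate you on Slack", since help output is often read without the surrounding context.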
I also am wondering if there's a way to reset the cookie so that we can add a section saying
In case of leak, run `slack auth renew`
And if it's not possible, then to add
Those values can't be manually rotated, so be careful
You can invalidate the token and cookies by logging out of the Slack app. That does seem worth mentioning 👍. Will update.
I'm pretty happy with this now except for one thing. I'm a little concerned that the environment variable names output here and accepted at https://github.com/rneatherway/slack/pull/3/files#diff-2feccbe0109db2f6b93af0c4afed26af571a61438266ebd8690bf669c75d2874R19-R20 are too generic in case someone already has
I'll go ahead with this, it's always possible to change if it causes problems.
@rneatherway could you create a new release with this included? I just realized that 0.0.23 does not include it 🙏
Sure, done 😁
To be used like this:
Then you will have `SLACK_TOKEN` and `SLACK_COOKIES` set in the environment and can (with rneatherway/slack#3) use other slack commands as you wish.

The main use is during development you don't have to keep unlocking the MacOS keychain. "Always allow" doesn't help because the binary changes on every compile.
@nobe4 we discussed this a while back. What do you think?