Move token sending to authorization header instead of body parameter #1337

Merged
merged 2 commits into from
Sep 17, 2021

Conversation

filmaj
Contributor

@filmaj filmaj commented Sep 15, 2021

Fixes #1132

I also removed some trailing whitespace because that's the kind of nitpicky dude I am

@filmaj filmaj added the labels `enhancement` (M-T: A feature request for new functionality) and `pkg:web-api` (applies to `@slack/web-api`) Sep 15, 2021
@filmaj filmaj self-assigned this Sep 15, 2021
@@ -521,9 +522,6 @@ describe('WebClient', function () {
const file = parts.files[0];
// the filename is picked up from the the ReadableStream since it originates from fs
assert.include(file, { fieldname: 'someBinaryField', filename: 'train.jpg' });

assert.lengthOf(parts.fields, 1);
assert.deepInclude(parts.fields, { fieldname: 'token', value: token });
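Review bot: dropping the two `parts.fields` assertions leaves this multipart test with no check that the token actually stopped travelling in the body. Since `token` was the only field the old `assert.lengthOf(parts.fields, 1)` accounted for, replace the removed lines with `assert.lengthOf(parts.fields, 0)` (or `assert.notDeepInclude(parts.fields, { fieldname: 'token' })`) so a regression that re-adds the body field fails the test instead of passing silently.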
Contributor Author

With the token no longer a part of the request body, this part needed removal.

Member

@seratch seratch left a comment

I like the change! Can you check the two points I mentioned in comments?

@@ -183,6 +183,9 @@ export class WebClient extends Methods {
this.logger = getLogger(WebClient.loggerName, logLevel ?? LogLevel.INFO, logger);
}

// eslint-disable-next-line no-param-reassign
if (!headers.Authorization) headers.Authorization = `Bearer ${this.token}`;
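Review bot: the guard on `if (!headers.Authorization) headers.Authorization = `Bearer ${this.token}`;` only checks for a pre-set header, so a client constructed without a token (the pattern used for api.test or the code-exchange calls) will send the literal string `Bearer undefined`; extend the condition to `if (!headers.Authorization && this.token)`. The line also mutates the `headers` object the caller passed in (which is why the eslint-disable is needed); copying it before assignment avoids leaking the bearer value back into the caller's object.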
Member

this.token can be absent. For instance, some API calls (such as oauth.v2.access with a code parameter, openid.connect.token with a code parameter, api.test) do not require a token in the authorization header. Can you update the logic to check if this.token exists too?

@@ -425,7 +426,7 @@ describe('WebClient', function () {
it('should properly serialize simple API arguments', function () {
const scope = nock('https://slack.com')
// NOTE: this could create false negatives if the serialization order changes (it shouldn't matter)
.post(/api/, 'token=xoxb-faketoken&team_id=T12345678&foo=stringval&bar=42&baz=false')
.post(/api/, 'team_id=T12345678&foo=stringval&bar=42&baz=false')
.reply(200, { ok: true });
return this.client.apiCall('method', { foo: 'stringval', bar: 42, baz: false, team_id: 'T12345678' })
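Review bot: the replacement body matcher `'team_id=T12345678&foo=stringval&bar=42&baz=false'` only proves the token left the request body, not that it arrived anywhere else; chaining `.matchHeader('authorization', 'Bearer xoxb-faketoken')` on the nock scope before `.post(...)` would make this test fail if the header were missing or malformed, which is the behaviour the PR actually introduces.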
Member

Can we override the token in the authorization header if a developer passes a token like this.client.apiCall('method', { token: 'xoxb-' })? Switching tokens is not a rare use case. For instance, the singleton WebClient does not hold any token and your app utilizes multiple user tokens for user related API calls.

@filmaj filmaj requested a review from seratch September 16, 2021 12:51
@filmaj
Contributor Author

filmaj commented Sep 16, 2021

@seratch I believe I have addressed your comments, and also added another test for the Authorization header overriding behaviour via apiCall() options parameter.
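
The header-resolution rules discussed in this thread, as an added example that is not the `@slack/web-api` code: a pre-set `Authorization` header wins, then a per-call `token` option, then the client-level token, and no header at all when none exists (that precedence order is my assumption from the comments; `buildRequest` and the sample token strings are constructed for illustration).

```javascript
// Added example, not the SDK's implementation. Builds the outgoing request
// so that the token travels only in the Authorization header, never in the
// body, and never as the literal string "Bearer undefined".
function buildRequest(clientToken, method, options = {}, headers = {}) {
  // Pull a per-call token out of the options so it cannot reach the body.
  const { token: callToken, ...body } = options;
  // Copy instead of mutating the caller's headers object.
  const out = { ...headers };
  if (!out.Authorization) {
    // Per-call token overrides the client-level token (assumption).
    const token = callToken ?? clientToken;
    if (token) out.Authorization = `Bearer ${token}`;
  }
  return { url: `https://slack.com/api/${method}`, headers: out, body };
}

// Serialize the body the way a form-encoded request would, for inspection.
function encodedBody(request) {
  return new URLSearchParams(request.body).toString();
}

// Constructed sample values, for illustration only.
const CLIENT_TOKEN = 'xoxb-client-token';
const USER_TOKEN = 'xoxp-user-token';

function demo() {
  // 1. Ordinary call: client token goes into the header, body stays clean.
  const list = buildRequest(CLIENT_TOKEN, 'conversations.list', { limit: 10 });
  // 2. Per-call user token (the multi-user case raised in review).
  const ident = buildRequest(CLIENT_TOKEN, 'users.identity', { token: USER_TOKEN });
  // 3. Token-less client calling api.test: no header must be emitted.
  const test = buildRequest(undefined, 'api.test');
  // 4. Caller already supplied a header: leave it untouched.
  const preset = buildRequest(CLIENT_TOKEN, 'auth.test', {}, { Authorization: 'Bearer pre-set' });
  return {
    list: [list.headers.Authorization, encodedBody(list)],
    ident: [ident.headers.Authorization, encodedBody(ident)],
    test: [test.headers.Authorization, encodedBody(test)],
    preset: [preset.headers.Authorization, encodedBody(preset)],
  };
}

console.log(JSON.stringify(demo(), null, 2));
```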

Member

@seratch seratch left a comment

@filmaj LGTM! Having unit tests this way makes reviews easier 👍

Member

@stevengill stevengill left a comment

Looks great!

@seratch seratch added this to the web-api@6.5.0 milestone Sep 17, 2021
@seratch seratch merged commit 957c957 into main Sep 17, 2021
@seratch seratch deleted the web-api-token-in-header branch September 17, 2021 00:37
srajiang pushed a commit that referenced this pull request Dec 10, 2021
…1337)

* Move token sending to authorization header instead of body parameter. Fixes #1132.
* Enable another level of overriding Authorization header via the apiCall() method options parameter.
Successfully merging this pull request may close these issues.

web-api token should be passed in header instead of body param