Add option to limit which slack team the app will respond to (#58)

alexbrazier · Aug 18, 2019 · bbf778b · bbf778b
1 parent c8ef703
commit bbf778b
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -93,6 +93,7 @@ POSTGRES_PASS=password HOSTS=localhost APP_URI=http://localhost:3000 go run serv
 | `POSTGRES_PASS`        |          | password       |                              | Postgres password                                                                                      |
 | `SLACK_TOKEN`          |          |                | xoxb-xxxxxxxxx-xxxxxxxx-xxxx | Slack OAuth token to enable slackbot                                                                   |
 | `SLACK_SIGNING_SECRET` |          |                | xxxxxxxxxxx                  | Slack signing secret to enable Slack `/go` command                                                     |
+| `SLACK_TEAM_ID`        |          |                | Txxxxxxxx                    | Slack team id to restrict slash command responses to single team                                       |
 | `ENABLE_AUTH`          |          | false          |                              | Enable Azure auth or not - if enabled, all other fields must be filled in                              |
 | `AD_TENANT_ID`         |          |                |                              | Azure AD tenant ID                                                                                     |
 | `AD_CLIENT_ID`         |          |                |                              | Azure AD client ID                                                                                     |

diff --git a/api/config/config.go b/api/config/config.go
@@ -25,6 +25,7 @@ type Specification struct {
 	AppURI             string   `envconfig:"APP_URI" required:"true"`
 	SlackToken         string   `envconfig:"SLACK_TOKEN"`
 	SlackSigningSecret string   `envconfig:"SLACK_SIGNING_SECRET"`
+	SlackTeamID        string   `envconfig:"SLACK_TEAM_ID"`
 }
 
 // Auth config
@@ -48,6 +49,7 @@ type Database struct {
 type Slack struct {
 	Token         string
 	SigningSecret string
+	TeamID        string
 }
 
 // Config definition
@@ -93,6 +95,7 @@ func Init() {
 	config.Slack = Slack{
 		Token:         spec.SlackToken,
 		SigningSecret: spec.SlackSigningSecret,
+		TeamID:        spec.SlackTeamID,
 	}
 
 	config.BlockedHosts = append(spec.BlockedHosts, spec.Hosts...)

diff --git a/api/handler/slack.go b/api/handler/slack.go
@@ -69,6 +69,19 @@ func verifySignedSecret(v *SlackSecretsVerifier) bool {
 	return false
 }
 
+// Optionally only allow requests from specified slack team
+func verifySlackTeam(payload *SlackPayload) error {
+	appConfig := config.GetConfig()
+	teamID := appConfig.Slack.TeamID
+	if teamID != "" && teamID != payload.TeamID {
+		err := fmt.Sprintf("TeamID: %s does not match required TeamID: %s - Blocking", payload.TeamID, teamID)
+		log.Printf(err)
+		return errors.New(err)
+	}
+	return nil
+}
+
+// verify request has been signed by slack
 func verifySlackRequest(r *http.Request) error {
 	buf, err := ioutil.ReadAll(r.Body)
 	body := ioutil.NopCloser(bytes.NewBuffer(buf))
@@ -108,6 +121,10 @@ func (h *Handler) SlackCommand(c echo.Context) error {
 		return c.JSON(http.StatusOK, response)
 	}
 
+	if err := verifySlackTeam(payload); err != nil {
+		return c.JSON(http.StatusUnauthorized, "Unauthorized")
+	}
+
 	key := payload.Text
 	if ValidateKey(key) == false {
 		response.Text = "The URL key you provided is an invalid format. You can only provide one key at a time, e.g. `/go help`"