Now all the Blueprints examples have been updated with new Slack platform features. So what are the diffs in this updated example?
We’ve made major improvements to the way scopes work for apps. The bot scope used to be very broad and permissive, but now you can request more specific and granular permissions for your app.
This sample app used to need only bot scope, but now you need the chat:write
to allow the bot to post messages in channels. But no other actions.
We recommend selecting only the scopes your app needs. Requesting too many scopes can cause your app to be restricted by a team’s Admin or App Manager.
Please read Scopes and permissions to figure out which scopes you need.
Major updates!: This requires to update your code!
We released Modals, which is replacing the existing Dialogs, with more powerful features.
Now, instead of calling an API to open a dialog is replaced with the new view API to open a modal with Block Kit in the code sample.
We introduced Block Kit UI framework that allows you to create messages with the components called blocks. If you have been creating messages with the legacy "attatchment", please consider switching to Blcok Kit!
Read more at: Block Kit
Your OAuth access token should begins with -xoxb
instead of -xoxp
. The bot tokens will be the default token in future.
This requires to update your code!
Previously, you needed to verify a verificatin token to see if a request was coming from Slack, not from some malicious place by simply comparing a string with the legacy token with a token received with a payload. But now you must use more secure sigining secrets.
Basically, you need to compare the value of the X-Slack-Signature
, the HMAC-SHA256 keyed hash of the raw request payload, with a hashed string containing your Slack signin secret code, combined with the version and X-Slack-Request-Timestamp
.
Learn more at Verifying requests from Slack.
OAuth refresh tokens are also introduced as a security feature, which allows the app owners to proactively rotate tokens when the tokens are compromised.
Your workspace app can use the new apps.uninstall
method to uninstall itself from a single workspace, revoking all tokens associated with it. To revoke a workspace token without uninstalling the app, use auth.revoke
.
Although the example of using the short-lived refresh token is not included in this Blurprints example since this tutorial is written for internal integration, if you are distributing your app, use a short-lived OAuth Refresh token. Implementing token rotation is required for all apps that are distributed, whether submitted for the App Directory or not.
To lean more, read Token rotation for workspace apps.
🎁 If you are using the Node SDK, the token refresh feature is available for you already!