Mirror
/
zulip
mirror of https://github.com/zulip/zulip.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

data_import: Protect better against bad Slack tokens. 

An invalid token would be treated the same as a token with no scopes;
differentiate these better.
This commit is contained in:
Alex Vandiver 2021-05-27 18:27:19 -07:00 committed by Tim Abbott
parent 94e4f33b29
commit ff9126ac1e
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
zerver/data_import/slack.py
View File

@ -1362,6 +1362,8 @@ def check_token_access(token: str) -> None:
data = requests.get( data = requests.get(
"https://slack.com/api/team.info", headers={"Authorization": "Bearer {}".format(token)} "https://slack.com/api/team.info", headers={"Authorization": "Bearer {}".format(token)}
) )
if data.status_code != 200 or not data.json()["ok"]:
raise ValueError("Invalid Slack token: {}".format(token))
has_scopes = set(data.headers.get("x-oauth-scopes", "").split(",")) has_scopes = set(data.headers.get("x-oauth-scopes", "").split(","))
required_scopes = set(["emoji:read", "users:read", "users:read.email", "team:read"]) required_scopes = set(["emoji:read", "users:read", "users:read.email", "team:read"])
missing_scopes = required_scopes - has_scopes missing_scopes = required_scopes - has_scopes