[BUG] Calling the SCIM API via fetch in a NextGen app #254

Closed
mcsescott opened this issue Dec 1, 2023 · 8 comments
Labels
bug Something isn't working

Comments

@mcsescott

I'm creating a NextGen app and need to query a user's IDP groups. The only way to do this is via a call to the SCIM API. So, I am using a fetch method inside my code.

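    // Fragment from inside an async function; `requester` and `scim_token`
    // are defined elsewhere in the app.
    const url = "https://api.slack.com/scim/v1/Users/" + requester;
    const scimuser_result = await fetch(url, {
      method: 'GET',
      headers: {'Authorization': scim_token}
    });

    // Parse the SCIM response and log the user's IDP groups.
    const scim_obj = await scimuser_result.json();
    console.log("IDP: " + scim_obj["Resources"][0]["groups"]);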

When trying to save the file, I get the following error:

error: Uncaught (in promise) PermissionDenied: Detected missing network permissions; add the domain to your manifest's 
outgoingDomains. Original message: Requires net access to "api.slack.com", run again with the --allow-net flag

So, I head over to my manifest file to add slack.com or api.slack.com, and of course I get the following error:

> Error: The provided manifest file does not validate against schema. Consult the additional errors field to locate specific issues (invalid_manifest)

Error Details:

1: Following domains api.slack.com are allowed by default for hosted apps, please remove them from your project configuration to continue deploying. (domains_allowed_by_default)
Source: /outgoing_domains

I am able to make other successful calls to Slack's API using the fetch method (http://slack.com/api/xxxxxxxx), but the SCIM API is giving me fits.

Any ideas?

Thanks in advance...

@filmaj filmaj added question Further information is requested needs info not enough information to reproduce or continue labels Dec 1, 2023
@filmaj
Contributor

filmaj commented Dec 4, 2023

Hey @mcsescott sorry for my late response here!

First, just to clarify, and based on your code it looks to me like you have done this already, but the SCIM APIs need a special admin token with admin scopes. The default token provided in Custom Functions won't have the ability to use the SCIM APIs. Given you seem to be leveraging your own token in a separate variable, it looks to me like you are managing this token yourself...

Second, are you seeing this in local run or in deployed?

@mcsescott
Author

Hi @filmaj!

Yes, I am managing the admin token myself. Since there are no native functions for SCIM (and admin APIs) I am managing these in code for a NextGen app. I have other admin (and Discovery) APIs working, but I believe the URL format of SCIM is what the hangup is here.

I am testing locally prior to deploying to "run on Slack." We may have to continue to run locally as well, so we have internal access to our environment/servers, without bypassing firewalls and proxies to query internal systems from Slack.

@filmaj
Contributor

filmaj commented Dec 4, 2023

I can definitely reproduce this when running locally 😬 I believe it is because the 'deno runtime' portion of this SDK (the deno-slack-runtime project) only pre-approves the 'slack.com' domain when running locally. It looks to me like slack.com and api.slack.com are treated as separate domains by deno (which is reasonable).

And indeed, adding api.slack.com as a domain raises the error you experienced.

I have a work-in-progress branch up as a draft PR, which fixes this issue in my local testing (you can track dev here: slackapi/deno-slack-runtime#60). You can take advantage of this pre-release patch, in your app, when running locally via slack run, by doing the following modifications to your app (at least temporarily until I flesh the patch out and cut a full release of it):

  1. Either:
  • Add raw.githubusercontent.com to your app manifest's outgoingDomains. This is so that your local app can use the in-progress branch of the deno-slack-runtime that is up on GitHub, and

  • Change your app's slack.json to 'override' the start hook. This hook mechanism is how the Slack CLI delegates work to the SDK. By default, slack.json should contain a single get-hooks property. To override a hook, simply add an entry for the hook to this file. In my case, when testing locally, my slack.json file looks like this:

    {
      "hooks": {
        "get-hooks": "deno run -q --allow-read --allow-net https://deno.land/x/[email protected]/mod.ts",
        "start": "deno run -q --config=deno.jsonc --allow-read --allow-net --allow-run --allow-env https://raw.githubusercontent.com/slackapi/deno-slack-runtime/allow-api-slack-com/src/local-run.ts"
      }
    }
    
  2. OR:
  • Clone the deno-slack-runtime repo and check out the allow-api-slack-com branch, and

  • Update your slack.json to point to your local clone + branch of the deno-slack-runtime for the start hook. Like so:

    {
      "hooks": {
        "get-hooks": "deno run -q --allow-read --allow-net https://deno.land/x/[email protected]/mod.ts",
        "start": "deno run -q --config=deno.jsonc --allow-read --allow-net --allow-run --allow-env file:///Users/fmaj/src/deno-slack-runtime/src/local-run.ts"
      }
    }
    

That should unblock you for local run in the short term, at least.
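
The mismatch described in the comment above, as an added example (not code from Deno, the Slack CLI or deno-slack-runtime): a small model of exact-host allow-listing that shows why the SCIM call had no manifest-side fix before the runtime patch. The two host lists contain only the hosts named in this thread, and the sample URLs and status names are constructed for illustration.

```javascript
// Added example: simplified model of the behaviour discussed in this thread.
// Both lists hold only hosts the thread names; the real lists may be longer.
const LOCAL_PREAPPROVED = ["slack.com"];   // local run, before the fix
const HOSTED_DEFAULTS = ["api.slack.com"]; // refused in outgoingDomains by manifest validation

const norm = (h) => h.trim().toLowerCase();

// Exact host comparison: an entry for "slack.com" does not cover "api.slack.com".
function hostAllowed(host, allowList) {
  return allowList.some((entry) => norm(entry) === norm(host));
}

// Entries the manifest validator would reject (domains_allowed_by_default).
function rejectedByValidation(outgoingDomains) {
  return outgoingDomains.filter((d) => hostAllowed(d, HOSTED_DEFAULTS));
}

// Classify every host a function fetches from, for a local run.
function diagnose(urls, outgoingDomains) {
  const usable = outgoingDomains.filter((d) => !hostAllowed(d, HOSTED_DEFAULTS));
  const report = {};
  for (const u of urls) {
    const host = new URL(u).hostname;
    if (hostAllowed(host, LOCAL_PREAPPROVED) || hostAllowed(host, usable)) {
      report[host] = "allowed";
    } else if (hostAllowed(host, HOSTED_DEFAULTS)) {
      // No manifest fix exists: validation refuses the entry, so the
      // runtime itself has to pre-approve the host.
      report[host] = "denied-locally-and-not-addable";
    } else {
      report[host] = "add-to-outgoingDomains";
    }
  }
  return report;
}

// Constructed sample: the call shapes from the issue plus a hypothetical host.
const sampleUrls = [
  "https://slack.com/api/xxxxxxxx",
  "https://api.slack.com/scim/v1/Users/U0000000000", // placeholder user ID
  "https://idp.example.com/groups",                   // hypothetical third party
];
```
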

@filmaj
Contributor

filmaj commented Dec 4, 2023

I also took a quick look at our backend code and I think deployed apps will suffer from the same issue, unfortunately. I will get this on that team's radar so that we can get to work patching it.

@filmaj
Contributor

filmaj commented Dec 4, 2023

Update: as for deployed apps, they seem to already pre-approve api.slack.com, just tested it out.

@mcsescott
Author

I have tested this successfully using your option 1 above.

Thanks for the great support, @filmaj !

@filmaj filmaj added bug Something isn't working and removed question Further information is requested needs info not enough information to reproduce or continue labels Dec 5, 2023
@filmaj
Contributor

filmaj commented Dec 5, 2023

deno-slack-hooks v1.2.3 is now live and should fix this issue. It also lets you remove this workaround from your app @mcsescott. In particular, you should be able to update the slack.json file in your app to contain just:

{
  "hooks": {
    "get-hooks": "deno run -q --allow-read --allow-net https://deno.land/x/deno_slack_hooks@1.2.3/mod.ts"
  }
}

Just pointing the get-hooks field to the 1.2.3 version of deno_slack_hooks on deno.land should be sufficient.

I will close this down, but if you have further problems, feel free to re-open/comment/at-mention me/open a new issue and we will be happy to help.

@filmaj filmaj closed this as completed Dec 5, 2023
@mcsescott
Author

Yep... I've already removed the start parameter from my slack.json file earlier this morning and tested successfully.

Thank you again!
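
A check for leftover hook overrides like the temporary `start` hook discussed in this thread, as an added example (not code from the Slack CLI or SDK): it lists every hook other than `get-hooks` and every hook script that is not pinned to an immutable version, with the `--allow-*` flags it runs under. Treating only an `@version` on deno.land/x or a full commit SHA on raw.githubusercontent.com as pinned is this example's own policy, and the sample object is constructed from the values quoted in the thread.

```javascript
// Added example: review slack.json hook commands for overrides and for
// remote scripts that are not pinned to an immutable version.
const URL_RE = /\b(?:https?|file):\/\/\S+/g;
const FLAG_RE = /--allow-[a-z-]+/g;

function classifyScript(rawUrl) {
  const u = new URL(rawUrl);
  if (u.protocol === "file:") return "local-path";
  if (u.hostname === "deno.land") {
    // deno.land/x/<module>@<version>/... counts as pinned.
    return /^\/x\/[^/@]+@[^/]+\//.test(u.pathname) ? "pinned" : "unpinned";
  }
  if (u.hostname === "raw.githubusercontent.com") {
    // Path is /<owner>/<repo>/<ref>/...; a branch name can move, a SHA cannot.
    const ref = u.pathname.split("/")[3] || "";
    return /^[0-9a-f]{40}$/.test(ref) ? "pinned" : "unpinned";
  }
  return "unknown-host";
}

function auditHooks(slackJson) {
  const findings = [];
  for (const [hook, cmd] of Object.entries(slackJson.hooks || {})) {
    const flags = cmd.match(FLAG_RE) || [];
    for (const url of cmd.match(URL_RE) || []) {
      const status = classifyScript(url);
      // Report anything unpinned, and any override beyond the default get-hooks.
      if (status !== "pinned" || hook !== "get-hooks") {
        findings.push({ hook, url, status, flags });
      }
    }
  }
  return findings;
}

// Constructed sample: the workaround slack.json, with get-hooks at the
// 1.2.3 version named in the thread.
const workaroundSlackJson = {
  hooks: {
    "get-hooks": "deno run -q --allow-read --allow-net https://deno.land/x/deno_slack_hooks@1.2.3/mod.ts",
    "start": "deno run -q --config=deno.jsonc --allow-read --allow-net --allow-run --allow-env https://raw.githubusercontent.com/slackapi/deno-slack-runtime/allow-api-slack-com/src/local-run.ts",
  },
};
```
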
