Slack bot posting in a conversation without being in it - node.js

Everything I see around Slack bots says that a bot cannot post within a conversation it's not been invited to.
➡️ However, why /giphy or simple poll (/poll) can post in PM (one to one) OR in a conversation where the bot has not been added to?
The current permissions are chat:write,commands,files:write
The oauth token is a "Bot User OAuth Access Token"
The plan is to support the Add to slack and to distribute the app.
Functionality-wise, it supports a /command and posts a file to a conversation.
The bot can:
- receive the oauth token upon app install (via add to slack)
- delete ephemeral messages
- post a file only where it's been added to, which sucks because the bot does not need to read any message within anything.
Code of the bot here
If the bot is not invited to, the answer is either channel_not_found or not_in_channel.
What am I missing?

It is correct that bots in general can only post messages to channels they are invited to. However, there are two exceptions:
- Bots can inherit the rights of the installing user. So bots can post to every private channel the installing user is a member of (including direct message channels).
- Slash commands work differently. If a user issues a slash command from a channel the bot can reply to that slash command. That works for every channel and does not require the bot to be invited. Those replies are normal Slack messages, so they can contain all kinds of message features incl. image attachments or blocks with images.

A common pattern to give a bot full access to private channels is the following:
- User starts the bot with a slash command
- Bot checks if it has full access to the current channel
- If not, it asks the user to invite it to that channel
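
The pattern above, sketched as an added example (it is not the asker's bot and not code from Slack). The `slack` object is a hypothetical wrapper: `postMessage` is assumed to return the parsed `chat.postMessage` response body and `respond` to POST JSON to the slash command's `response_url`; `@yourbot` is a placeholder name.

```javascript
// Errors the question reports when the bot is not a member of the conversation.
const MEMBERSHIP_ERRORS = new Set(['not_in_channel', 'channel_not_found']);

// payload: the form fields Slack sends with a slash command invocation.
// slack:   hypothetical wrapper (see lead-in), injected so the logic is testable.
async function handleSlashCommand(payload, slack) {
  const { channel_id, user_id, response_url, text } = payload;

  // Step 2 of the pattern: find out whether the bot can post here by trying.
  // This needs only chat:write, so no read scope has to be requested.
  const result = await slack.postMessage({
    channel: channel_id,
    text: `<@${user_id}> shared: ${text}`,
  });
  if (result.ok) return { posted: true, via: 'chat.postMessage' };

  if (MEMBERSHIP_ERRORS.has(result.error)) {
    // Step 3: the slash command reply works without membership. Keep it
    // ephemeral so only the invoking user sees the request for an invite.
    await slack.respond(response_url, {
      response_type: 'ephemeral',
      text: 'I am not a member of this conversation. ' +
            'Invite me with `/invite @yourbot`, then run the command again.',
    });
    return { posted: false, via: 'response_url', reason: result.error };
  }

  // Anything else (invalid_auth, ratelimited, ...) is not a membership
  // problem; surface it instead of asking the user for an invite.
  throw new Error(`chat.postMessage failed: ${result.error}`);
}
```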

Related

Microsoft Bot Framework: How to add Bot to chat via messaging extension?

Let's assume a user chats with another user in a 1:1 chat. (Might also be a group chat.) The user adds a bot and continues to chat while the bot now adds value to the conversation.
We are searching for a way to make adding the bot to a chat as seamless as possible through a simple button click. It seems the closest we can get to a button is using a messaging extension action command.
When the user invokes the messaging extension our backend service runs and can respond e.g. with a card. Now instead of a card is it possible to generate a response to add a bot? There are special responses e.g. for authentication. Is there a response telling the Teams client to add a bot?
Any hints are appreciated.
JIT installation of bot is an option here. You will be able to add bot to user conversation. Check following sample application which helps to add bot instantly: https://github.com/SubbaReddi/89.teams-just-in-time-installation

Using the Bot Framework to post to a Microsoft Teams channel with NodeJS

Is there a way to send proactive cards from a bot to a Teams channel? The use case is a channel for service tickets. Once they get posted, a user will be able to interact with them with a few actions.
I’m looking at the documentation here for sending proactive messages. At the bottom, there’s a section for ”Creating channel conversations”, with a small reference to the startReplyChain(). However, the actual code and sample on GitHub still seem to reference a conversation with a member rather than sending something proactive to a channel.
There does appear to be documentation for incoming and outgoing webhooks, which is what I may end up doing. My only real concern is that it requires using Actionable Cards, which it references as legacy everywhere. This is despite saying that you can’t send Adaptive Cards with them. Perhaps they intend to enable these connectors to send Adaptive Cards; it’s just not very clear to me if this is a long-term solution I should be focusing on.
This is definitely possible, and it's important to note that you can even send from another process/application (e.g. on a schedule from an AWS Lambda). You can see a sample here for this.
The process of sending the message is just part of the story though - you need to have certain information already saved (e.g. in your database) to know how to contact the right user, group chat, or channel conversation, but there are a few ways to get that information. The most common is, when your bot is added to the conversation, to get it from the conversationUpdate event. You'll need conversation id, service url, tenant id, and your bot's App Id (what you get in the Azure portal for your bot, and which you're using already in your app's configuration, teams manifest, etc.). You can read more about the topic here and here.
Another option, if you don't have access to conversationUpdate (e.g. the user hasn't installed your app) is to call the Graph API to install your app. It's only possible to do this to a channel (on the v1 or beta api) (see here) or to a user (see here), but on the beta api only, and not (yet?) for a group chat.

How to manage invite link in private channel?

What I did:
I developed a Telegram bot using the TelegrafJS framework. This bot allows the user to subscribe to a paid channel; this channel is private.
So after the payment is completed, the bot sends the invitation link to let the user join the channel.
The problem
Now suppose that the paying user sends the invitation link to another user (who didn't pay): the non-paying user will get access to the paid channel as if they had paid.
Before thinking of a solution, it's necessary to know the limit about the invitation links of Telegram:
It's not possible to add a user to a channel without invite link;
It's not possible to create a single-use invite link;
It's not possible to create a personal invite link (that only one user can use);
Invite links are cached on Telegram servers and become unstable if you reset them too fast (try resetting a link 2-3 times in 10 seconds using your Telegram app — you'll understand what I mean).
What I thought as solution
I thought to show the invite link behind an inline button, so the user will see a CLICK HERE button for 3 seconds, then this will be revoked and another link will be created. This doesn't remove the problem of access to the paid channel without paying for a subscription, but it makes life for unfair users more difficult.
Possible other problem: when the user clicks on the link, they get:
Sorry, this channel doesn't seem to exist.
This means that the invite link to the channel is unstable at the moment. It usually happens after clicking Join several times in row OR if multiple users are trying to join at the same time.
Too many attempts, please try again later
It means that the user has clicked on too many invalid invite links recently. Most likely, he had a lot of messages "Sorry, this channel doesn't seem to exist" right before this one or joined too many channels/groups in a row.
Conclusion
Is there a more secure way to handle this?
Given the limitations of the Telegram API, the best option I can think of is having a unique link which redirects to your bot's invite link.
The bitly API might be something cool to look at for this.
As of now (since March 9, 2021) there are a number of methods available for working with limited chat/channel invite links.
You can use the createChatInviteLink method to create a unique invite link limited to a certain number of joining users.
Please refer to the official Telegram Bot API documentation.
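
An added example (not from the answer or the asker's bot) that uses `createChatInviteLink` with `member_limit` and `expire_date`, and then checks on join that the link was used by the account it was issued to. `api` is a hypothetical thin wrapper around the Bot API methods named in the code, the `Map` stands in for the bot's payment records, and the 10-minute expiry is an example value.

```javascript
// `api` (hypothetical): each method takes that Bot API method's parameters
// and resolves to the `result` field of the response.
const issued = new Map(); // invite link URL -> Telegram user id it was issued to

async function issueInvite(api, chatId, payerId, nowSec) {
  const link = await api.createChatInviteLink({
    chat_id: chatId,
    name: `payer:${payerId}`,
    member_limit: 1,           // only one account can join through this link
    expire_date: nowSec + 600, // Unix time; the 10-minute window is an example value
  });
  issued.set(link.invite_link, payerId);
  return link.invite_link;
}

// Handles a `chat_member` update. The bot must be an admin of the channel and
// request "chat_member" in allowed_updates to receive these.
async function onChatMember(api, update) {
  const { chat, old_chat_member: before, new_chat_member: after, invite_link: used } = update;
  const wasInside = ['member', 'administrator', 'creator'].includes(before.status);
  if (after.status !== 'member' || wasInside) return 'ignored'; // not a new join
  if (!used) return 'ignored'; // added manually by an admin, no link involved

  const payerId = issued.get(used.invite_link);
  if (payerId !== undefined) {
    issued.delete(used.invite_link); // single use: retire it whoever joined
    await api.revokeChatInviteLink({ chat_id: chat.id, invite_link: used.invite_link });
  }
  if (payerId === after.user.id) return 'accepted';

  // Forwarded or unknown link: remove the account, then unban so that a later
  // purchase by the same person can still join.
  await api.banChatMember({ chat_id: chat.id, user_id: after.user.id });
  await api.unbanChatMember({ chat_id: chat.id, user_id: after.user.id });
  return 'removed';
}
```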
How about you generate a link with an expiry time on the website where only paid users have access? When they click on the link, your server responds with the invite link in a 302 redirect response.
Example: [Join telegram] https://myserver.com/generateInviteLink?expiretime={Date.now}+10minutes
Response
Http 302 location: T.me/invite/key
When the request time is < expiretime, otherwise you throw an error
The endpoint generateinvitelink should be pw protected as well. And the key should be encrypted.
I know that a user who is tracking their HTTP requests will be able to get to the URL, but for some users it would work.
Through userbot API your bot can act as a user who is the creator (unlimited admin) of the secret channel. So, this admin can watch the channel's log of subscribers joining/leaving this channel. This log lasts for 24 hours. As soon as the invited user has joined the secret channel, the joinchat-Button can be deleted, and the joinchat URL can be revoked. ElseIf other users join this secret channel, they can be kicked.
You can count number of members in your private chat (channel or group), when count=count+1 create a new invite link.
Well, why not add them personally using the add member option? Ask them to open their privacy settings for a minute and add them. Keep your link private and no one will know.

How do I know Slack bot's user_id?

I'm making a Slack bot (A) that responds to a message from another Slack bot (incoming-webhook) (B).
I'd like to know the user_id of B so that its message will be a trigger for A, where I have some problem getting it.
I tried users.list method (https://slack.com/api/users.list?token=blabla) but the B didn't appear in a result.
Do you have an idea about what method to take to know the user_id of B?
Incoming webhooks appear as apps, not as bot users on Slack. So you won't find a bot user ID in the user list as you would for normal bot users.
Apps have a bot ID, but unfortunately there is no official API method to get the list of bots / apps in a workspace. But if you have control over a workspace and can generate a legacy token you can use the unofficial API method bots.list.
There also is the official bots.info method, if you already have the bot ID and just want to know which app it belongs to.
To create a legacy token for your workspace make sure you are logged in and then go to this page.

Slack Bot to see all Direct Message Channels

I am trying to implement a Bot which can get all the Direct Message Channels, all the workspace Users and send Direct Messages to them.
If I work with my development workspace everything works as expected, but when I try with my company workspace, my Bot is only capable of retrieving the Direct Message Channel it belongs to.
Any idea on how to fix my production Bot?
You can't. Due to the security architecture of Slack one can only see the messages of channels he is part of. It's the same even for the "super admin" of a Slack team (the primary owner). Bots and apps inherit that right from the user who installed it (= authed the access token).
The reason it works on your development Slack, is that your user has probably created all private channels on Slack, and/or is the same that authed the access token your app uses.
Thanks to Slack support I got my answer:
The OAuth Token issued is specific to the user who has installed your app and represents the permission(s) to perform actions on behalf of the user. More detailed information here - https://api.slack.com/docs/oauth.
The token can only perform the same actions as the user who installed the app, i.e. if the user can’t view or post in the channel, they can’t grant permission to something they do not have.
