Building Admin Tools on Slack

At True Sparrow, we have found an innovative way of using Slack. Instead of developing a web interface for admins, we let them perform CRUD functions on various entities via custom Slack slash commands and interactions.

Why admin over Slack vis-a-vis web?

The first question that comes to mind is why implement admin functionality over Slack rather than go ahead with the traditional admin interface over the web. The reasons are listed below:

  • Admins, like all other employees, will always be available on Slack. They will already be logged in and monitoring Slack. If we provide admin functionality over Slack, they have one less application to monitor.
  • Development-wise, admin over the web needs resources from both the frontend and backend teams. If we develop admin over Slack, backend team dev resources alone are enough. We have even exposed wrappers to help with message formatting and modal creation in our open-source NPM package, @truesparrow/slackmin.
  • Admin activity logs persist as messages in the admin channel, so they are easier to track and more transparent than in a web implementation.
  • The search functionality of Slack can be reused, so no extra implementation is required.
  • Important alert messages can be sent to channels for admins and other employees to take action on.

How to set up and integrate with Slack?

Admin over Slack is just one way of integrating Slack into your application. Below, we go through the steps involved in Slack integration for any kind of requirement in general, not limited to admin.

Slack app setup

First, we need to set up a Slack app as mentioned in this guide. The major steps involved are:

  • Configure request URL for interactive components. Refer here.
  • Configure slash commands. Refer here.
  • Add the scopes chat:write and chat:write.public to the bot token scopes. Then install the app. Refer here.

Integrate Slackmin

Our Node package @truesparrow/slackmin makes it easy to integrate with Slack to use slash commands and interactive endpoints, send alert messages and open custom-designed modals.

Refer to the package README for integration details.

Why Slackmin NPM Package?

Built-in Security

  • Unwanted HTML tags are sanitized from parameters obtained from the request body, query and headers. HTML sanitization is recommended by the Open Web Application Security Project (OWASP).
  • Signature / signed secret verification is provided as a middleware, ready to be plugged in and used for all the requests coming from Slack. This guide gives a detailed description of signature verification.
  • The Slack app id is validated against whitelisted app ids. This validation is also provided via middleware.
  • Slack channel validation allows requests only from whitelisted Slack channels. For example, there can be one admin channel to which we add all the admins, and they can execute slash commands from there. Requests coming from other channels are rejected outright. This validation is also provided via middleware.
  • User authentication validates whether the user has admin rights or not. We validate the Slack id of the user against whitelisted Slack ids. This validation is also provided via middleware.
  • Validation of the Slack app's workspace domain is also exposed as a middleware.
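
The signature, app id, channel and user checks listed above, written out as one function. This is an added example, not Slackmin's own middleware: the header names, the `v0:timestamp:body` base string and the `api_app_id`, `channel_id` and `user_id` fields follow Slack's documented request signing and slash-command payload, and the policy values and sample request are constructed placeholders.

```javascript
const crypto = require('crypto');

// Constructed sample policy; every value is a placeholder, not a real Slack id.
const POLICY = {
  signingSecret: 'constructed-signing-secret',
  appIds: new Set(['A0EXAMPLE01']),
  channelIds: new Set(['C0ADMINCHAN']),
  userIds: new Set(['U0ADMIN0001']),
  maxSkewSeconds: 300, // requests older than 5 minutes are treated as replays
};

// Slack signs "v0:<timestamp>:<raw body>" with HMAC-SHA256 and the signing secret.
function sign(secret, timestamp, rawBody) {
  const mac = crypto.createHmac('sha256', secret);
  return 'v0=' + mac.update(`v0:${timestamp}:${rawBody}`).digest('hex');
}

// Returns { ok: true } or { ok: false, reason } for one slash-command request.
function checkSlackRequest(headers, rawBody, policy, nowSec) {
  const tsHeader = String(headers['x-slack-request-timestamp'] || '');
  const ts = Number(tsHeader);
  if (!/^\d+$/.test(tsHeader) || Math.abs(nowSec - ts) > policy.maxSkewSeconds) {
    return { ok: false, reason: 'stale_or_missing_timestamp' };
  }
  const expected = Buffer.from(sign(policy.signingSecret, tsHeader, rawBody));
  const given = Buffer.from(String(headers['x-slack-signature'] || ''));
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad_signature' };
  }
  // Parse the body only after the signature over the raw bytes has checked out.
  const p = new URLSearchParams(rawBody);
  if (!policy.appIds.has(p.get('api_app_id'))) return { ok: false, reason: 'app_not_allowed' };
  if (!policy.channelIds.has(p.get('channel_id'))) return { ok: false, reason: 'channel_not_allowed' };
  if (!policy.userIds.has(p.get('user_id'))) return { ok: false, reason: 'user_not_allowed' };
  return { ok: true };
}

// Constructed request: sign a sample body the way Slack would, then verify it.
const sampleNow = 1700000000;
const sampleBody = 'api_app_id=A0EXAMPLE01&channel_id=C0ADMINCHAN&user_id=U0ADMIN0001&command=%2Fdemo';
const sampleHeaders = {
  'x-slack-request-timestamp': String(sampleNow),
  'x-slack-signature': sign(POLICY.signingSecret, sampleNow, sampleBody),
};
console.log(checkSlackRequest(sampleHeaders, sampleBody, POLICY, sampleNow)); // { ok: true }
```

The signature must be computed over the raw request body exactly as received, so the body parser has to preserve it before any sanitization or form decoding runs.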

Additional advantages

  • The view submission parameters obtained in the request from Slack are extracted into key-value pairs for ease of use.
  • Slackmin also provides Message and Modal wrappers that make it easy to write messages and open modals.
  • Slack limits a single app to at most 25 slash commands. To overcome this limitation, Slackmin supports multiple Slack apps.

Thus Slackmin helps in integrating with Slack with minimum effort (hence the name, Slackmin). Refer to the package README for more details.

Contributors

Divyajyoti Ukirde, Shraddha Falane, Parv Saxena, Kedar Chandrayan

Kedar Chandrayan

I focus on understanding the WHY of each requirement. Once this is clear, then HOW becomes easy. In my blogs too, I try to take the same approach.

Divyajyoti Ukirde

Senior Software Engineer | Investing in knowledge | with Passion for building stuff

Shraddha Falane

Parv Saxena

Bengaluru, India