This repository has been archived by the owner on Mar 27, 2024. It is now read-only.

"token" header parameter not actually required #58

Open
4 of 9 tasks
krissirk opened this issue Jun 22, 2021 · 0 comments

Description

“token” is designated as a required header parameter for many methods in the OpenAPI spec for the Web API (e.g. "operationId": "chat_postMessage"), but this input behaves as optional and is not actually needed when a request is made with a valid token for Authorization: Bearer. Please update the spec to ensure any occurrence of the header parameter of name "token" is properly designated as required (true or false), and is included in the spec in conjunction with the Authorization header behavior.

What type of issue is this? (place an x in one of the [ ])

  • bug
  • enhancement (feature request)
  • question
  • documentation related
  • testing related
  • discussion

Requirements (place an x in each of the [ ])

  • I've read and understood the Contributing guidelines and have done my best effort to follow them.
  • I've read and agree to the Code of Conduct.
  • I've searched for any related issues and avoided creating a duplicate issue.

Bug Report

Filling out the following details about bugs will help us solve your issue sooner.

Reproducible in:

Development environment:

Steps to reproduce:

Both of the following calls work, proving that the token parameter is not required:

# No token parameter
curl --location --request POST 'https://slack.com/api/chat.postMessage' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'Authorization: Bearer xoxb-' \
  --data-urlencode 'channel=' \
  --data-urlencode 'as_user=1' \
  --data-urlencode 'text=hello'

# Invalid token parameter
curl --location --request POST 'https://slack.com/api/chat.postMessage' \
  --header 'token: garbage' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --header 'Authorization: Bearer xoxb-' \
  --data-urlencode 'channel=' \
  --data-urlencode 'as_user=1' \
  --data-urlencode 'text=hello'

Expected result:

If the token header parameter is actually required, I'd expect both of the above requests to fail.

Actual result:

Both requests succeed

Attachments:

Logs, screenshots, screencast, sample project, funny gif, etc.
If attaching logs, please remove user data and tokens.
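The check a reviewer of the spec would want to run, added here as an example and not part of the slack-api-specs repository or Slack's own tooling: walk an OpenAPI 3 document, find every operation whose `token` header parameter is marked `required: true` while the operation also accepts an HTTP bearer security scheme, and emit a copy with those parameters relaxed to `required: false`. The spec embedded below is a constructed, trimmed stand-in for the real Web API document (operation and scheme names other than `chat_postMessage` are made up), and the helper names are this example's own. Beyond the single case in the issue, it also follows local `$ref`s into `components.parameters`, which is how large specs usually declare a shared `token` header.

```python
"""Audit an OpenAPI 3 document for a 'token' header parameter that is marked
required even though the operation accepts bearer authentication.

Added example for this issue; not code from the slack-api-specs project.
SAMPLE_SPEC is a constructed stand-in for the real Web API spec.
"""
import copy
import json

# Constructed sample: chat_postMessage marks "token" required via a shared
# $ref, users_list already says required: false, api_test has no auth at all.
SAMPLE_SPEC = json.loads(r'''
{
  "openapi": "3.0.0",
  "components": {
    "securitySchemes": {
      "slackAuth": {"type": "http", "scheme": "bearer"}
    },
    "parameters": {
      "tokenHeader": {"name": "token", "in": "header", "required": true,
                      "schema": {"type": "string"}}
    }
  },
  "paths": {
    "/chat.postMessage": {
      "post": {
        "operationId": "chat_postMessage",
        "security": [{"slackAuth": []}],
        "parameters": [{"$ref": "#/components/parameters/tokenHeader"}]
      }
    },
    "/users.list": {
      "get": {
        "operationId": "users_list",
        "security": [{"slackAuth": []}],
        "parameters": [{"name": "token", "in": "header", "required": false,
                        "schema": {"type": "string"}}]
      }
    },
    "/api.test": {
      "get": {"operationId": "api_test", "parameters": []}
    }
  }
}
''')

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def resolve(spec, param):
    """Follow a local '#/...' $ref to the referenced parameter object."""
    ref = param.get("$ref")
    if not ref:
        return param
    if not ref.startswith("#/"):
        raise ValueError(f"only local refs are supported: {ref}")
    node = spec
    for part in ref[2:].split("/"):
        node = node[part]
    return node


def bearer_scheme_names(spec):
    """Names of security schemes declared as HTTP bearer."""
    schemes = spec.get("components", {}).get("securitySchemes", {})
    return {name for name, s in schemes.items()
            if s.get("type") == "http" and s.get("scheme", "").lower() == "bearer"}


def iter_operations(spec):
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            if method in item:
                yield path, method, item[method]


def _is_token_header(param):
    return param.get("in") == "header" and param.get("name", "").lower() == "token"


def required_token_headers(spec):
    """operationIds whose 'token' header is required: true although the
    operation (or the document's global security) accepts bearer auth."""
    bearer = bearer_scheme_names(spec)
    hits = []
    for path, method, op in iter_operations(spec):
        security = op.get("security", spec.get("security", []))
        accepts_bearer = any(set(req) & bearer for req in security)
        for raw in op.get("parameters", []):
            p = resolve(spec, raw)
            if _is_token_header(p) and p.get("required") is True and accepts_bearer:
                hits.append(op.get("operationId", f"{method.upper()} {path}"))
    return hits


def relax_token_headers(spec):
    """Copy of the spec with the flagged 'token' headers set to required: false.
    A shared $ref'd parameter is edited in place, so every operation that
    references it is relaxed together."""
    fixed = copy.deepcopy(spec)
    flagged = set(required_token_headers(fixed))
    for path, method, op in iter_operations(fixed):
        if op.get("operationId", f"{method.upper()} {path}") not in flagged:
            continue
        for raw in op.get("parameters", []):
            p = resolve(fixed, raw)
            if _is_token_header(p):
                p["required"] = False
    return fixed


if __name__ == "__main__":
    print("required token headers:", required_token_headers(SAMPLE_SPEC))
    print("after relaxing:", required_token_headers(relax_token_headers(SAMPLE_SPEC)))
```

Run it against the real `slack_web_openapi_v2.json` by replacing `SAMPLE_SPEC` with `json.load(open(path))`. The point of the audit is not only spec accuracy: a spec that tells generated clients a second credential header is mandatory makes them send the secret twice, once in `Authorization` and once in a custom header that proxies and request logs rarely treat as sensitive.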
