slack_integration: Audit the Slack bot token scope requirements.

This clarifies which Slack bot token scopes the integration really uses. Extraneous scopes are: `users:read.email`, `team:read`, and `emoji:read`. Fixes part of #30827.
2025-10-23 04:52:12 +00:00 · 2025-10-06 16:09:35 +07:00
parent e65fb2d051
commit c54dee9fab
2 changed files with 30 additions and 10 deletions
--- a/zerver/webhooks/slack/doc.md
+++ b/zerver/webhooks/slack/doc.md
@@ -48,14 +48,14 @@ If you are looking to quickly move your Slack integrations to Zulip, check out
 1. Create a new [Slack app][4], and open it. Navigate to the **OAuth
   & Permissions** menu, and scroll down to the **Scopes** section.

-1. Make sure **Bot Token Scopes** includes `channels:read`,
-   `channels:history`, `emoji:read`, `team:read`, `users:read`, and
-   `users:read.email`.
+1. Make sure **Bot Token Scopes** includes `channels:history`, `channels:read`,
+   and `users:read`. If you're setting up a [bidirectional bridge][6], make sure
+   to also include the `chat:write` scope.

    !!! tip ""

-        See [Slack's Events API documentation][3] for details about
-        these scopes.
+        See the [required bot token scopes](#required-bot-token-scopes)
+        section for details about these scopes.

 1. Scroll to the **OAuth Tokens for Your Workspace** section in the
   same menu, and click **Install to Workspace**.
@@ -79,6 +79,26 @@ If you are looking to quickly move your Slack integrations to Zulip, check out

 ![](/static/images/integrations/slack/001.png)

+### Required bot token scopes
+
+- `channels:history` is required by Slack's Event API's
+  [message.channels](https://api.slack.com/events/message.channels) event. This
+  is used to send new messages from Slack to Zulip.
+
+- `channels:read` is required for Slack's
+  [conversations.info](https://api.slack.com/methods/conversations.info)
+  endpoint. This is used to get the name of the Slack channel a message came
+  from.
+
+- For a [bidirectional bridge][6] setup, the `chat:write` is also required for
+  Slack's
+  [chat.postMessage](https://docs.slack.dev/reference/methods/chat.postMessage/)
+  method. This is used to send new messages from Zulip to Slack.
+
+- `users:read` is required to call
+  Slack's [users.info](https://api.slack.com/methods/users.info) endpoint. This
+  is used to get the name of the Slack message's sender.
+
 ### Related documentation

 - [Forward messages Slack <-> Zulip][6] (both directions)
--- a/zerver/webhooks/slack/view.py
+++ b/zerver/webhooks/slack/view.py
@@ -155,12 +155,12 @@ def is_retry_call_from_slack(request: HttpRequest) -> bool:


 SLACK_INTEGRATION_TOKEN_SCOPES = {
-    "channels:read",
-    "channels:history",
+    # For Slack's users.info endpoint: https://api.slack.com/methods/users.info
    "users:read",
-    "emoji:read",
-    "team:read",
-    "users:read.email",
+    # For Slack's conversations.info endpoint: https://api.slack.com/methods/conversations.info
+    "channels:read",
+    # For Slack's Event's API: https://api.slack.com/events/message.channels
+    "channels:history",
 }

 INVALID_SLACK_TOKEN_MESSAGE = """