Has anybody checked out Outgoing Webhooks and Slash commands in Slack?
In the case of both Slash commands and Outgoing Webhooks, the command string along with the user_id and token is sent in the POST body to the external URL (corresponding to the command). The problem is that the token remains the same for all the team members (the token is visible on the Integrations page, and is therefore public to the team; the endpoint URL is also public), which means this is a mechanism to authenticate the request against the team, but there is no mechanism to authenticate the request against the user.
I can reproduce the request from a different server with the same header, token and request body, but with my team member's user_id, making it appear that somebody else executed the command. There is also no way to verify if the request came from the Slack servers.
My question is: am I missing something here? Are Slash commands even meant for CRUD operations (on an external service), or are they just to fetch data from simple services like weather, Stack Overflow or public APIs? If not, how do you solve this problem?
Update - Spoke to @SlackAPI and they say we need to verify the user_id separately.
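One way to apply that answer inside the endpoint that receives the command, as an added example that is not part of this post or of Slack's own code: the team token is checked first, and because token plus user_id can be replayed by any team member, mutating commands are only acted on for user_ids that were linked to the external service out of band. The team token, the user list and the command names below are constructed assumptions.

```python
import hmac
from urllib.parse import parse_qs

# Constructed value for the example; stands in for the per-integration token
# shown on the Integrations page (known to every team member).
TEAM_TOKEN = "constructed-team-token"

# Hypothetical allow-list: user_ids whose owners have already linked their
# Slack account to the external service through a separate, out-of-band step.
# The token cannot establish this, so this mapping is the per-user check.
VERIFIED_USERS = {"U11111111": "alice"}

READ_ONLY = {"show", "list"}            # safe to answer for any team member
MUTATING = {"create", "update", "delete"}  # require a verified user_id


def parse_slack_post(body: str) -> dict:
    """Flatten the form-encoded POST body (one value per key)."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def handle_command(body: str) -> dict:
    fields = parse_slack_post(body)

    # 1. Team-level check: the token only shows the request names our team's
    #    integration. Compare in constant time.
    if not hmac.compare_digest(fields.get("token", ""), TEAM_TOKEN):
        return {"status": 403, "text": "bad token"}

    user_id = fields.get("user_id", "")
    text = fields.get("text", "").strip()
    action = text.split(" ", 1)[0].lower() if text else ""

    # 2. User-level check: user_id in the body is caller-supplied, so a
    #    mutating command is accepted only for a separately verified user.
    if action in MUTATING:
        if user_id not in VERIFIED_USERS:
            return {"status": 200, "text": "link your account before using this command"}
        return {"status": 200, "text": f"{action} accepted for {VERIFIED_USERS[user_id]}"}
    if action in READ_ONLY:
        return {"status": 200, "text": f"{action} ok"}
    return {"status": 200, "text": "unknown command"}
```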