WIP: Update bot code to log the content of the received text message #544
base: main
This makes debugging easier and also allows users to assert on the message content inside the tests, etc.
Codecov Report
@@ Coverage Diff @@
## master #544 +/- ##
==========================================
+ Coverage 85.55% 85.63% +0.08%
==========================================
Files 6 6
Lines 353 355 +2
Branches 79 79
==========================================
+ Hits 302 304 +2
Misses 29 29
Partials 22 22
Thanks for taking the time to demonstrate this idea with a code contribution. I think this is an interesting discussion. The main reason we removed the logging (even under the
Some background information for you: we find that Hubot is most commonly used as an internal app. That means it's authorized as a bot user against one workspace, and only will ever be on that one workspace. That also means Hubot is exposed to a large stream of information (RTM is a broad firehose) in the company. What this adds up to is that even a developer who is still implementing a script or debugging a script is exposed to a ton of actual message content, some of which is considered sensitive by their own teammates.
Consider the situation where the Hubot bot user is invited into a private channel where some people are discussing a secret project that's not ready to be shared with the rest of the company. A developer who happens to be working on a script and running locally in debug mode would see those very private messages fly by in their console. Of course a developer who wants to read every message and has access to the bot token could go out of their way to see these messages whether we log them or not, it's just a lot easier to unintentionally do this (and maybe even panic about it) with logging included in the adapter.
I understand your need for a better debugging solution. I would propose that if you need logging in order to debug script issues, as someone who knows what they are doing you could use a listener middleware to accomplish this. An excerpt from the Hubot docs suggests this as a use case it was designed for:
In fact, the first example in that section might be exactly what you're looking for.
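The listener-middleware approach suggested in the comment above, as an added example that is not part of this thread or of the Hubot or hubot-slack code. It assumes the callback-style `(context, next, done)` middleware signature from the Hubot docs; the function name `registerMessageLogging` and the environment variables `HUBOT_LOG_MESSAGE_TEXT` and `HUBOT_LOG_ROOMS` are hypothetical names chosen here.

```javascript
// Added example, not code from Hubot or hubot-slack.
// HUBOT_LOG_MESSAGE_TEXT and HUBOT_LOG_ROOMS are hypothetical variable names.
function registerMessageLogging(robot, env = process.env) {
  // Opt-in: message text is never logged unless explicitly enabled.
  if (env.HUBOT_LOG_MESSAGE_TEXT !== 'true') return false;

  // Optional comma-separated allowlist of room ids; empty means any room.
  const rooms = (env.HUBOT_LOG_ROOMS || '')
    .split(',').map((r) => r.trim()).filter(Boolean);

  // Listener middleware only runs for messages that matched a listener,
  // so unrelated traffic from the RTM stream is not logged.
  robot.listenerMiddleware((context, next, done) => {
    const msg = context.response.message;
    if (rooms.length === 0 || rooms.includes(msg.room)) {
      const id = (context.listener.options || {}).id || 'unnamed';
      // JSON.stringify keeps embedded newlines from forging extra log lines.
      robot.logger.debug(
        `listener=${id} room=${msg.room} user=${msg.user.name} ` +
        `text=${JSON.stringify(msg.text || '')}`
      );
    }
    next(done); // continue to the next middleware / the listener callback
  });
  return true;
}

// Hubot loads scripts as a function taking the robot.
if (typeof module !== 'undefined') {
  module.exports = (robot) => registerMessageLogging(robot);
}
```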
Summary
This pull request updates bot code to log the actual received message content inside the event handler.
Keep in mind that the code is not the final version. I just opened the PR and included something to get the discussions going and I'm open to improving / changing it.
Context, Background
Older versions of hubot-slack logged the actual message content, but the newer ones don't.
Older versions:
Recent versions:
Not having the direct access to the message content makes debugging and other things harder / impossible. We also have some tests which need to assert on the raw text message value and recent versions make that impossible.
The message content is logged under debug log level (same as in the past) so it should have no "negative" security implications or consequences (even if the message contains sensitive data, that's the whole point of the debug log level - to log as much context as possible to make debugging easier / possible and debug shouldn't be used in production).
Requirements (place an x in each [ ])