Incoming Webhooks risks? - microsoft-teams

Any idea what's the risk exposure when somebody accidentally loses the incoming webhook url for a Microsoft Teams channel?
To my understanding, data like team members or messages are not accessible and basically the person having the url could potentially just spam the channel but not really extract anything?

Yes, you are right. There will be no such risks with the incoming webhook url. One can only push connector cards to Microsoft Teams channels. Team Members and messages are not accessible using the webhook url.

The biggest risk is that (unless I understand something wrong), if someone with malicious intent got that URL, he/she could send an Actionable Message with a form and send the contents of that form to an endpoint that is beyond your control. They could, e.g., disguise that form as a form provided by HR requesting some sensitive info.
This seems like a huge hole in security, and I still think/hope that I just understand it wrong.
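Since the thread's concern is what an exposed incoming-webhook URL enables, the practical defensive step is to find such URLs wherever they leak (repositories, CI logs, chat exports) and rotate them. The following is an added example, not code from this thread: it scans text for Teams and Slack incoming-webhook URLs and reports them redacted. The URL shapes it matches are assumptions based on the publicly documented formats, and the log excerpt is constructed.

```python
import re

# Webhook URL shapes this scanner looks for. These are assumptions based on
# the publicly documented formats, not values taken from the thread:
#   Teams (current):  https://<tenant>.webhook.office.com/webhookb2/...
#   Teams (legacy):   https://outlook.office.com/webhook/...
#   Slack:            https://hooks.slack.com/services/T.../B.../...
WEBHOOK_PATTERNS = {
    "teams": re.compile(
        r"https://(?:[\w-]+\.webhook\.office\.com/webhookb2"
        r"|outlook\.office\.com/webhook)/[A-Za-z0-9@/_-]+", re.I),
    "slack": re.compile(
        r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+"),
}

# Constructed CI log excerpt (not a real capture) with one URL of each kind
# plus a documentation link that must not be flagged.
SAMPLE_LOG = """\
[build] starting notifications
[notify] teams -> https://contoso.webhook.office.com/webhookb2/00000000-0000-0000-0000-000000000000@11111111-1111-1111-1111-111111111111/IncomingWebhook/0123456789abcdef/22222222-2222-2222-2222-222222222222
SLACK_WEBHOOK=https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
[notify] see https://contoso.webhook.office.com/docs/incoming for the schema
"""

def find_webhook_urls(text):
    """Return (kind, line_no, url) for each webhook URL found in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in WEBHOOK_PATTERNS.items():
            for match in pattern.finditer(line):
                hits.append((kind, line_no, match.group(0)))
    return hits

def redact(url):
    """Keep scheme, host and the first path segment so a finding can be
    reported without re-leaking the secret part of the URL."""
    scheme, _, rest = url.partition("://")
    host, _, path = rest.partition("/")
    return f"{scheme}://{host}/{path.split('/')[0]}/..."

if __name__ == "__main__":
    for kind, line_no, url in find_webhook_urls(SAMPLE_LOG):
        print(f"line {line_no}: {kind} webhook URL {redact(url)} -> rotate it")
```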

Related

MS Teams Outgoing Webhook Without Mention Possible?

I'm trying to create a subscription to receive the contents of all new messages sent within a private Team, and so far it appears I have to configure a bot / webhook within Teams (and only messages @mentioned to that bot / webhook will be sent to me), or otherwise use the Graph API (I can't determine whether the same caveat exists with @mentions).
The use case is to allow members of the Team to post messages, and for my listening application to consume the message contents and take an action (turn on a light, etc.. but external to Teams). I don't anticipate needing to write anything back into the Team.
I found this link in another post: https://blog.thoughtstuff.co.uk/2020/01/how-to-use-the-new-webhooks-for-microsoft-teams-channel-chat-messages/
Has anyone successfully been able to subscribe to all messages within a private team for a similar use case?
Thank you!
Posting the Answer for better knowledge
Copying from @Sridevi's comments
To track messages and replies in a channel, you can create a change notification subscription at a channel level. Please follow this documentation.
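An added example, not code from the answer or from Microsoft: the listener behind the notificationUrl of such a channel-level subscription has to answer Graph's validation request by echoing validationToken as text/plain, and it should discard notifications whose clientState does not match the value set when the subscription was created. The clientState value and the sample notification batch below are constructed.

```python
import hmac
import json
from urllib.parse import parse_qs

# Constructed value: the clientState chosen when the channel-level
# /subscriptions entry was created. Graph echoes it in every notification,
# so it is the receiver's proof that a notification belongs to that
# subscription and not to an arbitrary POST that found the URL.
EXPECTED_CLIENT_STATE = "constructed-client-state-0123"

def handle_graph_post(query_string, body):
    """Handle one POST from Microsoft Graph to the notificationUrl.

    Returns (status, content_type, body). Two cases:
      1. Subscription validation: Graph sends ?validationToken=... and
         expects the decoded token echoed back as text/plain with 200.
      2. Change notifications: JSON {"value": [...]}; items whose
         clientState does not match ours are dropped. Graph only needs a
         fast 202; fetching the message via Graph happens later, off this path.
    """
    params = parse_qs(query_string)
    if "validationToken" in params:
        return 200, "text/plain", params["validationToken"][0]
    try:
        payload = json.loads(body or b"{}")
    except ValueError:
        return 400, "text/plain", "malformed notification body"
    items = payload.get("value", []) if isinstance(payload, dict) else []
    accepted = []
    for item in items:
        state = str(item.get("clientState", "")).encode()
        if not hmac.compare_digest(state, EXPECTED_CLIENT_STATE.encode()):
            continue  # not from our subscription; do not act on its resource
        accepted.append({"changeType": item.get("changeType"),
                         "resource": item.get("resource")})
    return 202, "application/json", json.dumps({"accepted": accepted})

# Constructed notification batch: one genuine item and one with a wrong state.
SAMPLE_NOTIFICATION = json.dumps({"value": [
    {"subscriptionId": "sub-1", "clientState": EXPECTED_CLIENT_STATE,
     "changeType": "created",
     "resource": "teams/team-id/channels/channel-id/messages/msg-1"},
    {"subscriptionId": "sub-1", "clientState": "wrong",
     "changeType": "created", "resource": "teams/x/channels/y/messages/z"},
]}).encode()

if __name__ == "__main__":
    print(handle_graph_post("validationToken=abc%20123", b""))
    print(handle_graph_post("", SAMPLE_NOTIFICATION))
```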

MS Teams Incoming Webhook issue

I've created an incoming Teams Webhook connector within a Teams group (using the method below).
I can successfully curl to the webhook internally and get the message to display ok.
MS have checked my tenant and access is as expected.
When I apply my URL for the webhook to any external service they eventually come back stating there was a problem detected with the webhook (Please make sure that your webhook endpoint of xxx is responding with a 2xx response code within 30 seconds of initial connection.)
Can anyone advise what else may need to be done?
Thanks
In Microsoft Teams, choose More options (⋯) next to the channel name and then choose Connectors.
Scroll through the list of Connectors to Incoming Webhook, and choose Add.
Enter a name for the webhook, upload an image to associate with data from the webhook, and choose Create.
Copy the webhook to the clipboard and save it. You'll need the webhook URL for sending information to Microsoft Teams.
Choose Done.
Incoming webhooks are a special type of Connector in Teams that provide a simple way for an external app to share content in team channels and are often used as tracking and notification tools. Teams provides a unique URL to which you send a JSON payload with the message that you want to POST, typically in a card format. Cards are user-interface (UI) containers that contain content and actions related to a single topic and are a way to present message data in a consistent way. Please test the incoming webhook URL using Postman and let us know the payload result or status code. It would be helpful for us to understand more.

How do I notify users on Slack that aren't in the channel?

What we are trying to do
I am working on automation which posts messages to a Slack channel using Incoming Webhooks on a custom Slack App. The messages mention people.
What works
We can send a message just fine, it has formatted content, and usernames are correctly resolved using the link-names flag.
What isn't working
The whole point of the notification is to inform a dynamic set of people about something they should care about. The set of people we tag varies hugely (think people who contributed to a pull request) and so not all possible recipients are in the channel these automated messages go to.
We assumed that given the usernames are being directly @-mentioned, they would be notified by Slack. However, two of the users we've tested with and @-mentioned confirm they never received a notification they had been tagged.
This is different to "human" behaviour, where if you @-mention someone in Slack, you get a little message reminding you that person isn't in this channel and offers to invite them or let them know.
As far as we can tell, sending the message programmatically is doing the equivalent of "Do nothing" in the picture above. I want to do either of the other two options, preferably "Let them know".
How can I notify people they've been mentioned? I've looked at all the API documentation and nothing discusses notifying users who aren't in the channel that they are mentioned.
This can't be an uncommon issue.... right?
Notes:
We aren't directly calling chat.postMessage, it's just the only documentation on link_names I could find to link to. We are using Incoming Webhooks, which has minimal documentation on the parameters - it seems to be the same as chat.postMessage.
We would prefer not to move off Incoming Webhooks, but we can do a custom integration with the API if we have to.
You need to invite the user to the channel first, using the Python client that's:

    from slack_sdk import WebClient

    client = WebClient(token="xoxb-...")  # bot token with the scope to invite users

    # Add the user to the channel so that later @-mentions actually notify them
    client.channels_invite(
        channel=channel_id,
        user=user_id
    )

slack chat.postMessage vs. incoming webhook?

I am trying to send messages from several outer sources to a specific channel, which is private and belongs to myself only. The username should be the name of source, not my ID.
I found there are two ways to do such a similar function: Incoming Webhooks and chat.postMessage
I have already practiced these two, which seems no difference between them.
However, in Incoming Webhooks, a statement says:
You can't use Incoming Webhooks with Workspace Apps right now; those apps can request single channel write access and then use chat.postMessage in the Web API to post messages, providing very similar functionality to Incoming Webhooks.
What does it mean?
To my work, which one is better?
With chat.postMessage() you send a message to a specific channel; often you do that in response to a user's action. You will need the token to verify the postMessage request, which you receive when the user installs your app.
Incoming webhooks are often used to post general information, e.g. patch notes or general announcements.
As far as I know, you don't need the token since there is a verification behind that Url.
So the webhook URL is bound to a specific channel, which is specified by the user. With chat.postMessage you can post messages anywhere (depending on your permissions, maybe not in private channels or direct messages).
Adding to what Ben said:
Incoming webhooks are limited in their functionality. They are great if you need an easy way to send a message that does not require a token, but in general the API method (chat.postMessage) is the better choice. It is more flexible (e.g. not fixed to one channel) and provides the full functionality (e.g. you get the ID for a message and can later update it).
Workspace apps / tokens were a new functionality that allowed apps to be installed in one channel only (among other things). It never left its beta stage and can be safely ignored for further development.

Replying to certain message in Twilio

I am making an event organisation platform. Whenever a user creates an event, the candidate gets an email notification as well as an SMS notification asking whether the suggested time fits or not. The problem is that since it is event organisation, there may be more than one occurrence of the candidate's mobile phone. So I need to have some unique information to identify which event the candidate is responding to.
I have tried identifying using the Message SID, but then I realised that the Message SID is different on the reply message.
So my question would be: is there any way to authenticate to which message candidate is replying to?
Hi, Twilio developer evangelist here.
Because every message is idempotent, you wouldn't be able to track them just via the call SID. However, there are ways to get around that, such as passing a code that goes with each message which you can then read, or using cookies.
I think you are probably going to be more successful using cookies, and luckily enough there is an article on twilio's website that describes just how to do that. And because I noticed you're using PHP, I'm pointing you directly to the PHP article on tracking SMS conversations.
Hope this helps you
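An added example illustrating the "code that goes with each message" approach from the answer; it is not code from Twilio or from the question. Each outbound SMS carries a short reply code, the inbound handler resolves (sender, code) to an event and refuses ambiguous replies, and before trusting the request it recomputes Twilio's X-Twilio-Signature. The auth token, URL, phone numbers, codes and event ids are all constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed placeholders, not real credentials or numbers.
AUTH_TOKEN = "constructed-auth-token"
WEBHOOK_URL = "https://example.invalid/sms/reply"

# Pending invitations keyed by (candidate phone, reply code). The code is the
# unique token the outbound SMS asked for, e.g. "Reply YES 7K3Q or NO 7K3Q".
# One phone can have several open events, which is exactly the question's case.
PENDING = {
    ("+15550000001", "7K3Q"): "event-42",
    ("+15550000001", "M9XA"): "event-57",
}

def twilio_signature(url, params, auth_token):
    """Recompute Twilio's request signature: HMAC-SHA1 over the full URL with
    each POST parameter appended as key+value in sorted key order, base64."""
    data = url + "".join(k + params[k] for k in sorted(params))
    digest = hmac.new(auth_token.encode(), data.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def is_from_twilio(url, params, header_signature, auth_token=AUTH_TOKEN):
    expected = twilio_signature(url, params, auth_token)
    return hmac.compare_digest(expected, header_signature or "")

def match_reply(params):
    """Resolve an inbound SMS to (event_id, answer) via sender + reply code.
    Returns None when no code or more than one code is present, so the app
    can ask the candidate to resend rather than guess."""
    sender = params.get("From", "")
    words = params.get("Body", "").upper().split()
    codes = [w for w in words if (sender, w) in PENDING]
    if len(codes) != 1:
        return None
    answer = "yes" if "YES" in words else "no" if "NO" in words else None
    return PENDING[(sender, codes[0])], answer

def handle_inbound(url, params, header_signature):
    """Webhook entry point: reject requests Twilio did not sign, then match."""
    if not is_from_twilio(url, params, header_signature):
        return 403, None
    return 200, match_reply(params)

if __name__ == "__main__":
    sample = {"From": "+15550000001", "Body": "yes 7k3q", "MessageSid": "SMconstructed"}
    print(handle_inbound(WEBHOOK_URL, sample, twilio_signature(WEBHOOK_URL, sample, AUTH_TOKEN)))
```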
