Slack's hidden endpoints


You may be familiar with the chat platform named Slack. It has a very rich and powerful API, but not all of its endpoints are reachable through the same authentication methods. This article covers precisely that, this wonderful chat platform's one downside.

Why?

To start off this adventure, I need to fill you in on the full story. I'm part of the Hack Club Slack. It's not a normal workspace; it has over 20,000 teenagers in it, and many of them have their own "personal channels", which act as small real-time blogs. Not everyone wants the simple experience workflows provide, so I opted to create my own bot, named Therapist. One of its features was to let fellow personal channel owners mention everyone in their channel, since that ability was locked away behind the "Workspace Admin" role.

I started researching ways to scope this without hardcoding every user and stumbled upon a very interesting endpoint, admin.roles.listAssignments. However, if you read closely, or test it yourself, you realize it is locked away for "Enterprise Grid" customers, which Hack Club is not. I talked to Samuel (thanks sam 😀) and he gave me some interesting documentation on using "secret" Slack API endpoints, the ones used by the client version of the application. One instance of these undocumented endpoints is admin.roles.entity.listAssignments; it is called when opening the channel details in the context menu. After discussing with fellow developers, it seemed like the only way to access such endpoints was by hardcoding the XOXD and XOXC authentication tokens in an environment variable.
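Calling one of these client-only endpoints with that token pair, as an added example that is not code from the original post: it assumes the Slack web client sends the xoxc token as the `token` form field and the xoxd token as the `d` cookie (both must be present together), and the `channel` parameter is a constructed placeholder, not a documented argument of that endpoint.

```javascript
// Added example: build and send a request to a Slack web-client endpoint using
// the xoxc/xoxd token pair. Assumption: xoxc travels in the `token` form field,
// xoxd in the `d` cookie. Node 18+ (global fetch).

const SLACK_API = "https://slack.com/api/";

// Keep only the prefix so a token can appear in logs without leaking it.
function redact(token) {
  return token.slice(0, 5) + "...";
}

// Returns a plain request descriptor so the pairing can be inspected or tested
// without any network access.
function buildClientRequest(method, { xoxc, xoxd }, params = {}) {
  if (typeof xoxc !== "string" || !xoxc.startsWith("xoxc-")) {
    throw new Error("expected an xoxc- client token");
  }
  if (typeof xoxd !== "string" || !xoxd.startsWith("xoxd-")) {
    throw new Error("expected an xoxd- session cookie value");
  }
  // The xoxd value is already percent-encoded as stored by the browser, so it
  // is placed in the cookie verbatim rather than encoded a second time.
  const body = new URLSearchParams({ token: xoxc, ...params });
  return {
    url: SLACK_API + method,
    method: "POST",
    headers: {
      "Content-Type": "application/x-www-form-urlencoded",
      Cookie: "d=" + xoxd,
    },
    body: body.toString(),
    summary: `${method} as ${redact(xoxc)} / ${redact(xoxd)}`,
  };
}

// Slack API responses carry `ok` and, on failure, an `error` string.
function parseSlackResponse(json) {
  if (json && json.ok === true) return { ok: true, data: json };
  return { ok: false, error: (json && json.error) || "unknown_error" };
}

async function callClientEndpoint(method, tokens, params) {
  const req = buildClientRequest(method, tokens, params);
  const res = await fetch(req.url, {
    method: req.method, headers: req.headers, body: req.body,
  });
  return parseSlackResponse(await res.json());
}
```

The descriptor's `summary` field is the only thing worth logging; the full request object contains both secrets.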

My Solution

I came up with a simple solution: automating the entire login process. I built the whole system using the Selenium NodeJS webdriver and the Google Cloud Platform Gmail API to receive the authentication codes. The entire automation takes around 15-25 seconds depending on various conditions and variables.

The code for the actual browser part is around 60 lines; the Gmail API code, however, is quite messy because it reads only unread emails to make sure codes aren't reused.

[Screenshot: TypeScript code using the Selenium web driver]

The entire solution is available on my GitHub profile; the current code is here.

Conclusion

Overall, I learned more about Slack's undocumented API endpoints and their uses, and also advanced my Google Cloud Platform OAuth2 skills. This was an interesting adventure, especially as you can now use these tokens for pretty much anything that needs to be automated, without having to pay for Enterprise!