feat(web-api): add configs to toggle absolute url usage in dynamic api calls

[zimeg]

Summary

This PR adds a new allowAbsoluteUrls option to the WebClient constructor that can toggle if the slackApiUrl is always the prefix of the request URL when calling Slack API methods or if an absolute URL can override this.

To keep the current behavior, allowAbsoluteUrls defaults to true 📚

Preview

The following code attempts to make a request to "https://slack.com/api/https://example.com/method"!

const client = new webapi.WebClient(process.env.SLACK_TOKEN, {
  allowAbsoluteUrls: false,
});

const _response = await client.apiCall("https://example.com/method", { /* ... */ })

[DEBUG]  web-api:WebClient:0 initialized
[DEBUG]  web-api:WebClient:0 apiCall('https://example.com/method') start
[DEBUG]  web-api:WebClient:0 http request url: https://slack.com/api/https://example.com/method

Reviewers

The above example can be used with Slack API methods in "dot" notation - chat.postMessage - and different values of the allowAbsoluteUrls option 👾

For fast reference, it might be neat to use the absolute "https://slack.com/api/chat.postMessage" URL.

Requirements

• I've read and understood the Contributing Guidelines and have done my best effort to follow them.
• I've read and agree to the Code of Conduct.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 91.99%. Comparing base (e1e3df0) to head (b154b6b).
Report is 1 commits behind head on main.

✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2176      +/-   ##
==========================================
+ Coverage   91.94%   91.99%   +0.05%     
==========================================
  Files          38       38              
  Lines       10328    10386      +58     
  Branches      652      657       +5     
==========================================
+ Hits         9496     9555      +59     
+ Misses        820      819       -1     
  Partials       12       12              

Flag	Coverage Δ
cli-hooks	95.23% <ø> (ø)
cli-test	94.76% <ø> (ø)
oauth	77.39% <ø> (ø)
socket-mode	61.82% <ø> (ø)
web-api	96.93% <100.00%> (+0.04%)	⬆️
webhook	96.65% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[zimeg]

📝 A few quick notes on these changes for the kind reviewers!

[zimeg]

Open to suggestions as always, but wanted to make sure a note of this option is included in these details 📚 ✨

[zimeg]

🔗 And a link for reference: https://tools.slack.dev/node-slack-sdk/web-api#call-a-method

[zimeg]

📝 The requestURL variable is only used in debug logs, axios details configured separately, though this did seem close to what the logic of allowAbsoluteUrls might do!

[WilliamBergamin]

These changes look good 💯

I'm just not clear on when a developer would want to do this, why would they be passing and override URL if it will have not effect 🤔 instead of this addition should we advise them to not pass the override value if they don't want to override the URL?

[WilliamBergamin]

The complexity of this line seems to be growing, could it be more readable if we broke it up in an if statement 🤔 ?

[zimeg]

I was thinking the same... So much is happening here 😓

I'll explore the if statements, but do also like the const allowed in the current setup 👾

[WilliamBergamin]

Maybe breaking the logic out into its own function could make sense

private deriveRequestUrl(url: string): string {
    if (this.allowAbsoluteUrls) {
        return url.startsWith('https' || 'http') ? url : `${this.axios.getUri() + url}`
    }
    return `${this.axios.getUri() + url}`;
}

[zimeg]

Similar logic was moved into a deriveRequestUrl function in 5f98b56! I forget private functions can be useful sometimes - it's a great call 😅

[zimeg]

@WilliamBergamin Thanks for checking out the changes! ✨

I don't believe this option is needed for scripts or apps making known API calls, but this option can be useful in setups that might pass unknown methods to WebClient.apiCall

The same guards against absolute URLs could definitely be added to application code, prefixing all .apiCall requests with the default API URL as you suggest, but IMO this implementation might be forgotten in some places which makes me think having an SDK implementation is preferred 👁️‍🗨️

[WilliamBergamin]

I see how the changes could be useful for security use cases 🤔

I've added one more comment about breaking the requestUrl logic into a method to increase readability, let me know what you think

[zimeg]

@WilliamBergamin 🙏 Thanks for suggesting the improvement to code structures. I'm hoping this'll make later changes around this logic a bit quicker to understand!

Tests continue to pass with that change too, but please let me know if other changes are requested!

[WilliamBergamin]

Nice 💯 this looks good

[zimeg]

@WilliamBergamin Thanks so much calling out the changes of this PR 🙏

I did a bit more testing and found one thing strange with http URLs fixed b154b6b. AFAICT this change only updates the request URL shown in logs since axios handles actual request logic, which is why the tests were passing 📺 ✨

Now is seeming like an alright time to merge this! I'll open a release PR for @slack/[email protected] but wait until tomorrow to release and make adjacent updates if this is all alright. Please let me know if other changes are needed before that though! 🔍