We are developing some slash commands to launch internal processes from mattermost.
The slash command api is really awesome!! And it works great.
But we would like to only allow users who are logged in to mattermost from the internal company network to be able to launch these slash commands.
In other words we want to reduce the chance that our mattermost server (which is available on the internet) can be attacked and launch these slash commands.
Are there any security measures we can take, to ensure users logged on to mattermost from outside the company network can NOT launch slash commands?
Glad to hear you like slash commands!
Unfortunately we don’t have any way to distinguish between users logged in and sending requests from within a certain network or from outside it. You might be able to set up a load balancer to block certain API calls from any external IP address but I can’t guarantee that will work.
If you think this is something that would be useful in the product could I have your help creating a feature request?
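One way to realise the load-balancer idea from the reply above, as an added example that is not from this thread or from the Mattermost project: an nginx front end that only accepts slash-command execution from internal addresses and only trusts X-Forwarded-For from its own upstream balancer, so a remote client cannot spoof an internal source address. The listen address, network ranges, host name and the /api/v4/commands/execute path are assumptions (placeholders) to be checked against your deployment; TLS certificate directives are omitted.

```nginx
# Added example, not Mattermost's own configuration.
# Assumptions (placeholders): Mattermost listens on 127.0.0.1:8065, the
# internal network is 10.0.0.0/8, the upstream load balancer is 192.0.2.10,
# and slash commands are executed via POST /api/v4/commands/execute.

# Only rewrite the client address from X-Forwarded-For when the request
# arrived from our own load balancer; any other sender could forge the header.
set_real_ip_from  192.0.2.10;        # placeholder: trusted load balancer
real_ip_header    X-Forwarded-For;
real_ip_recursive on;

upstream mattermost {
    server 127.0.0.1:8065;
}

server {
    listen 443 ssl;
    server_name chat.example.com;    # placeholder

    # Slash-command execution is reachable from the internal network only.
    # allow/deny evaluate $remote_addr after the realip module has applied
    # the trusted X-Forwarded-For value above.
    location = /api/v4/commands/execute {
        allow 10.0.0.0/8;            # placeholder internal range
        deny  all;                   # everyone else gets 403
        proxy_pass         http://mattermost;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }

    # The rest of the server stays available from the internet as before.
    location / {
        proxy_pass         http://mattermost;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

Verify the exact request path your Mattermost version uses for slash commands before relying on the exact-match location, and test from an external address that the endpoint returns 403 while the rest of the chat still works.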
Actually what would be most useful is to use the REST api on the mattermost server to query the logged in users and get their details, user_id, real name and ip address.
Then I could do some checking on the ip address. In slack this rest api call is named accessLogs (teams.accessLogs I think).
Does mattermost API offer the same, and can you point me to the docs for it?
Sorry for the late response. Take a look inside api/admin.go at the route for /audits. That might be what you’re looking for.
@vikingsteve , could you implement your idea?
Now I’m looking for something similar to your request: how can we ask Mattermost to send the client IP to our slash command handler?
Hi @boluq and welcome to the Mattermost forums!
I’ve also raised this question some time ago on the Community server; I’d also need this functionality for securing my applications. Would you mind raising your voice on this (in my opinion important) feature at https://mattermost.com/suggestions? Thanks!