
Enhancement: Assistant should inherit global middleware for security and consistency

Open manthram opened this issue 6 months ago • 2 comments

Problem

Assistant handlers bypass global middleware entirely, creating a significant security gap and architectural inconsistency. Assistant events (assistant.user_message, assistant.thread_started, etc.) skip critical middleware that regular events receive, including:

  • SSL certificate verification
  • Request signature verification
  • Authorization middleware
  • URL verification
  • Custom middleware

This forces developers to manually implement security checks in each assistant handler, which is error-prone and violates the principle of secure-by-default design.

import os

from slack_bolt.async_app import AsyncApp, AsyncAssistant

app = AsyncApp(
    token=os.environ["SLACK_BOT_TOKEN"],
    signing_secret=os.environ["SLACK_SIGNING_SECRET"],
)
assistant = AsyncAssistant()
app.assistant(assistant)

# These handlers get full middleware protection:
@app.event("app_mention")
async def handle_mention(event, say, context):
    # Already authenticated via middleware
    pass

# These handlers bypass ALL middleware (security vulnerability):
@assistant.user_message
async def handle_message(event, say, context):
    # No authentication, no SSL check, no signature verification!
    pass

Developer Experience: Developers must remember to add security manually to every assistant handler:

# Current: Manual security in every handler (error-prone)
@assistant.user_message(middleware=[auth_middleware, ssl_middleware])
async def handle_message(event, say, context):
    pass

Category

  • [X] slack_bolt.App and/or its core components
  • [X] slack_bolt.async_app.AsyncApp and/or its core components
  • [ ] Adapters in slack_bolt.adapter
  • [ ] Others

Requirements

Proposed Solution

Enhance Assistant/AsyncAssistant to automatically inherit the app's global middleware when handlers are registered. This would:

  1. Maintain backwards compatibility - existing explicit middleware still works
  2. Provide opt-in enhancement - controlled via auto_inherit_app_middleware=True parameter
  3. Apply middleware in correct order - app middleware first, then handler-specific middleware

Benefits

  1. Security by default - Assistant events get same protection as regular events
  2. Architectural consistency - All Slack events treated uniformly
  3. Developer productivity - No more manual security boilerplate
  4. Backwards compatible - Existing code continues working unchanged
  5. Performance neutral - Middleware already exists, just applied consistently

manthram avatar Aug 05 '25 23:08 manthram
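As an added example, not code from the issue above or from bolt-python itself: a toy model of the proposed auto_inherit_app_middleware flag, showing the ordering the proposal asks for (inherited app middleware first, then handler-specific middleware) and why that order matters when one of the app-level middleware is a request-signature check. ToyAssistant, run_scenario, the team ID T000EXAMPLE and the signing secret are all constructed for this example; the signature computation follows Slack's documented v0 scheme (HMAC-SHA256 over "v0:<timestamp>:<body>"), and the middleware stop a request the way Bolt middleware do, by returning without calling next.

```python
import hashlib
import hmac
import time
from typing import Callable, List, Optional, Tuple

# Constructed signing secret for the sample requests below; not a real credential.
SIGNING_SECRET = b"example-signing-secret-not-real"

Next = Callable[[], Optional[str]]
Middleware = Callable[[dict, Next], Optional[str]]
Handler = Callable[[dict], str]

def slack_signature(secret: bytes, timestamp: str, body: str) -> str:
    """Slack's v0 request signature: 'v0=' + HMAC-SHA256(secret, 'v0:<ts>:<body>')."""
    base = f"v0:{timestamp}:{body}".encode()
    return "v0=" + hmac.new(secret, base, hashlib.sha256).hexdigest()

def request_verification(req: dict, next_: Next) -> Optional[str]:
    """App-level middleware: reject stale or wrongly signed requests, else continue."""
    ts = req["headers"].get("x-slack-request-timestamp", "0")
    if abs(time.time() - int(ts)) > 60 * 5:
        return "401 stale timestamp"
    expected = slack_signature(SIGNING_SECRET, ts, req["body"])
    if not hmac.compare_digest(expected, req["headers"].get("x-slack-signature", "")):
        return "401 invalid signature"
    req.setdefault("trace", []).append("request_verification")
    return next_()

def authorize(req: dict, next_: Next) -> Optional[str]:
    """App-level middleware: only the constructed allow-listed workspace may proceed."""
    if req.get("team_id") != "T000EXAMPLE":
        return "403 unknown team"
    req.setdefault("trace", []).append("authorize")
    return next_()

def handler_only(req: dict, next_: Next) -> Optional[str]:
    """Handler-specific middleware; under the proposal it runs after the app-level ones."""
    req.setdefault("trace", []).append("handler_only")
    return next_()

def compose(chain: List[Middleware], handler: Handler) -> Callable[[dict], Optional[str]]:
    """Run the chain in list order; a middleware stops the request by not calling next_()."""
    def run(req: dict) -> Optional[str]:
        def step(i: int) -> Optional[str]:
            if i == len(chain):
                return handler(req)
            return chain[i](req, lambda: step(i + 1))
        return step(0)
    return run

class ToyAssistant:
    """Hypothetical stand-in for Assistant with the proposed auto_inherit_app_middleware flag."""

    def __init__(self, app_middleware: List[Middleware], auto_inherit_app_middleware: bool = False):
        self.app_middleware = app_middleware
        self.auto_inherit = auto_inherit_app_middleware
        self.listener: Optional[Callable[[dict], Optional[str]]] = None

    def user_message(self, middleware: Optional[List[Middleware]] = None):
        def decorator(fn: Handler) -> Handler:
            # Proposed ordering: inherited app middleware first, then handler-specific middleware.
            inherited = list(self.app_middleware) if self.auto_inherit else []
            self.listener = compose(inherited + list(middleware or []), fn)
            return fn
        return decorator

    def dispatch(self, req: dict) -> Optional[str]:
        assert self.listener is not None, "no user_message handler registered"
        return self.listener(req)

def make_request(body: str, team_id: str, secret: bytes) -> dict:
    """Constructed inbound event, signed with `secret` (pass a wrong secret to forge one)."""
    ts = str(int(time.time()))
    sig = slack_signature(secret, ts, body)
    return {"headers": {"x-slack-request-timestamp": ts, "x-slack-signature": sig},
            "body": body, "team_id": team_id}

def run_scenario(auto_inherit: bool, signing_key: bytes) -> Tuple[Optional[str], List[str]]:
    """Dispatch one constructed user_message event; return (response, middleware trace)."""
    assistant = ToyAssistant([request_verification, authorize], auto_inherit)

    @assistant.user_message(middleware=[handler_only])
    def handle_message(req: dict) -> str:
        return "200 handled"

    req = make_request('{"event":{"type":"message","text":"hi"}}', "T000EXAMPLE", signing_key)
    return assistant.dispatch(req), req.get("trace", [])

if __name__ == "__main__":
    print(run_scenario(False, b"attacker-guess"))   # forged request still reaches the handler
    print(run_scenario(True, b"attacker-guess"))    # rejected before any handler code runs
    print(run_scenario(True, SIGNING_SECRET))       # genuine request passes the full chain
```

The trace list makes the ordering visible: with the flag off, only handler_only runs and a request signed with the wrong key is handled; with the flag on, request_verification short-circuits the forged request and the handler never sees it, while a correctly signed request passes request_verification, then authorize, then handler_only, in that order.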

Hi, @manthram! Thanks so much for submitting this proposed enhancement! It's a great idea to improve security in assistant apps. I have marked this as an enhancement - please feel free to come out with a PR for your idea if you have the time to do so! Your contributions are much appreciated. 🙇

hello-ashleyintech avatar Aug 06 '25 15:08 hello-ashleyintech

👋 It looks like this issue has been open for 30 days with no activity. We'll mark this as stale for now, and wait 10 days for an update or for further comment before closing this issue out. If you think this issue needs to be prioritized, please comment to get the thread going again! Maintainers also review issues marked as stale on a regular basis and comment or adjust status if the issue needs to be reprioritized.

github-actions[bot] avatar Sep 08 '25 00:09 github-actions[bot]