feat: support multiple Slack workspaces via ALLOWED_SLACK_WORKSPACES (#7)

danishi · claude · web-flow · commit ca2154aa896c · 2026-02-26T20:42:53.000+09:00
Rename ALLOWED_SLACK_WORKSPACE to ALLOWED_SLACK_WORKSPACES (plural) and accept comma-separated team IDs so the bot can serve multiple workspaces. Add README section explaining how to obtain Slack workspace team IDs. https://claude.ai/code/session_01TbRoBBCX3BFXjUZaiiQDb7 Co-authored-by: Claude <noreply@anthropic.com>
diff --git a/.env.example b/.env.example
@@ -1,6 +1,6 @@
 SLACK_BOT_TOKEN="xoxb-your-slack-bot-token"
 SLACK_SIGNING_SECRET="your-slack-signing-secret"
-ALLOWED_SLACK_WORKSPACE="T0123456789"
+ALLOWED_SLACK_WORKSPACES="T0123456789,T9876543210"
 GOOGLE_GENAI_USE_VERTEXAI=TRUE
 GOOGLE_CLOUD_PROJECT="your-gcp-project"
 GOOGLE_CLOUD_LOCATION="global"
diff --git a/README.md b/README.md
@@ -50,7 +50,7 @@ llms-full.txt      # Extended ADK documentation for LLM context
    ```bash
    cp .env.example .env
    # edit .env and set your Slack and Google Cloud credentials
-   # ALLOWED_SLACK_WORKSPACE is the Slack team ID to allow requests from
+   # ALLOWED_SLACK_WORKSPACES is a comma-separated list of Slack team IDs to allow requests from
    ```
 3. Run the server
    ```bash
@@ -88,6 +88,18 @@ The Agent Development Kit includes a built-in web-based Development UI that you
 5. Subscribe to bot events: `app_mention`.
 6. Invite the bot to channels where you want to use it.
 
+### Getting Slack Workspace (Team) IDs for `ALLOWED_SLACK_WORKSPACES`
+To restrict the bot to specific Slack workspaces, set `ALLOWED_SLACK_WORKSPACES` in your `.env` with comma-separated team IDs. You can find your workspace's team ID by:
+1. Open your Slack workspace in a browser.
+2. The team ID is the `T`-prefixed value in the URL (e.g., `https://app.slack.com/client/T0123456789/...`).
+3. Or go to your [Slack App settings](https://api.slack.com/apps), select your app, and find the **Team ID** displayed under **App Credentials** on the **Basic Information** page.
+
+Example:
+```
+ALLOWED_SLACK_WORKSPACES="T0123456789,T9876543210"
+```
+If the variable is empty or unset, requests from all workspaces are allowed.
+
 ## Deploy to Cloud Run
 The repository includes a helper script to build the container and deploy to Cloud Run. Ensure your `.env` contains `SLACK_BOT_TOKEN` and `SLACK_SIGNING_SECRET` before running:
 
diff --git a/app/main.py b/app/main.py
@@ -24,7 +24,10 @@
 SLACK_BOT_TOKEN = os.environ["SLACK_BOT_TOKEN"]
 SLACK_SIGNING_SECRET = os.environ["SLACK_SIGNING_SECRET"]
 MODEL_NAME = os.environ.get("MODEL_NAME", "gemini-3.1-pro-preview")
-ALLOWED_SLACK_WORKSPACE = os.environ.get("ALLOWED_SLACK_WORKSPACE")
+_allowed_ws_raw = os.environ.get("ALLOWED_SLACK_WORKSPACES", "")
+ALLOWED_SLACK_WORKSPACES: set[str] = {
+    w.strip() for w in _allowed_ws_raw.split(",") if w.strip()
+}
 APP_NAME = os.environ.get("APP_NAME", "slack-bot")
 
 # Initialize Slack Bolt AsyncApp
@@ -272,7 +275,7 @@ async def slack_events(req: Request):
         return JSONResponse(content={"challenge": challenge})
 
     team_id = data.get("team_id")
-    if ALLOWED_SLACK_WORKSPACE and team_id != ALLOWED_SLACK_WORKSPACE:
+    if ALLOWED_SLACK_WORKSPACES and team_id not in ALLOWED_SLACK_WORKSPACES:
         return JSONResponse(status_code=403, content={"error": f"{team_id}:workspace_not_allowed"})
     return await handler.handle(req)
 
diff --git a/scripts/deploy.sh b/scripts/deploy.sh
@@ -65,7 +65,7 @@ SERVICE_URL=$(gcloud run deploy "${SERVICE_NAME}" \
   --allow-unauthenticated \
   --no-cpu-throttling  \
   --project "${PROJECT_ID}" \
-  --set-env-vars "SLACK_BOT_TOKEN=${SLACK_BOT_TOKEN},SLACK_SIGNING_SECRET=${SLACK_SIGNING_SECRET},GOOGLE_GENAI_USE_VERTEXAI=${GOOGLE_GENAI_USE_VERTEXAI},GOOGLE_CLOUD_PROJECT=${PROJECT_ID},GOOGLE_CLOUD_LOCATION=global,ALLOWED_SLACK_WORKSPACE=${ALLOWED_SLACK_WORKSPACE:-},MODEL_NAME=${MODEL_NAME:-gemini-3.1-pro-preview}" \
+  --set-env-vars "SLACK_BOT_TOKEN=${SLACK_BOT_TOKEN},SLACK_SIGNING_SECRET=${SLACK_SIGNING_SECRET},GOOGLE_GENAI_USE_VERTEXAI=${GOOGLE_GENAI_USE_VERTEXAI},GOOGLE_CLOUD_PROJECT=${PROJECT_ID},GOOGLE_CLOUD_LOCATION=global,ALLOWED_SLACK_WORKSPACES=${ALLOWED_SLACK_WORKSPACES:-},MODEL_NAME=${MODEL_NAME:-gemini-3.1-pro-preview}" \
   --format 'value(status.url)')
 
 echo "--------------------------------------------"
