mcp-server-slack

Verified Safe

by fany321

Overview

Provides a Model Context Protocol (MCP) server that enables clients to post messages to Slack channels, optionally secured with Duo authentication and supporting WebSocket, HTTP POST, and Server-Sent Events (SSE) communication.

Installation

Run Command
node server-http-duo-render.js

Environment Variables

  • SLACK_BOT_TOKEN
  • PORT
  • DUO_ENABLED
  • DUO_AUTHORIZATION_ENDPOINT
  • DUO_TOKEN_ENDPOINT
  • DUO_CLIENT_ID
  • DUO_CLIENT_SECRET
  • DUO_TOKEN_INTROSPECTION_ENDPOINT
  • DUO_REDIRECT_URI
  • RENDER_EXTERNAL_HOSTNAME

Security Notes

The repository contains multiple server implementations. 'server.js' (WebSocket-based) and 'server-sse.js' (SSE-based) have no authentication at all, which critically exposes the Slack bot functionality and token to anyone who connects. 'server-http.js' offers optional Duo authentication, but when that is disabled it also allows anonymous access.

The primary script specified in 'package.json' is 'server-http-duo-render.js', which implements a robust Duo OAuth 2.0 PKCE flow with token introspection for all MCP interactions (HTTP POST and SSE). This version is significantly more secure because it enforces user authentication and ties messages to the authenticated user. However, it still sends a permissive 'Access-Control-Allow-Origin: *' header, which should be restricted for production use. Running the unauthenticated versions (server.js, server-sse.js, or server-http.js without DUO_ENABLED) is highly unsafe for public exposure.

Stats

  • Interest Score: 0
  • Security Score: 7
  • Cost Class: Low
  • Avg Tokens: 10
  • Stars: 0
  • Forks: 0
  • Last Update: 2026-01-15

Tags

MCP Protocol, Slack Integration, WebSocket, SSE, Duo Authentication