# Notifications

## Slack via teamsnotification.js
A single file at the repo root, scheduled to ping a Slack channel when content templates are missing.
```js
// teamsnotification.js (excerpt)
const token = 'xoxb-3144030948916-4162895069441-K1RjRxBuP8k9z6rQAxnmyKS2' // hardcoded secret, see F-N1
const channel = 'C05H25MDY3Z'
const Slack = require('slack')
var schedule = require('node-schedule');
const bot = new Slack({token})

// One job per (hour, minute) pair: 4:30, 6:30, 8:30, 10:30, 12:30
let hour = [4, 6, 8, 10, 12];
let minute = [30, 30, 30, 30, 30];
for (let i = 0; i < hour.length; i++) {
  let rule = new schedule.RecurrenceRule();
  rule.dayOfWeek = [0, 1, 2, 3, 4, 5, 6]; // every day of the week
  rule.hour = hour[i];
  rule.minute = minute[i];
  // No time zone is set on the rule, see F-N5
  let j = schedule.scheduleJob(rule, function(){
    notificationformissing();
  });
}
```
The file:

- Uses `node-schedule` (a different scheduling lib from the `node-cron` used by jobs and bots)
- Runs at 4:30, 6:30, 8:30, 10:30, 12:30 every day
- Calls `notificationformissing()`, which queries the DB for missing content and posts a Slack message
## Findings

### F-N1: Hardcoded Slack bot token (HIGH)
The token `xoxb-3144030948916-4162895069441-K1RjRxBuP8k9z6rQAxnmyKS2` is in source. Anyone with repo access can post to channel `C05H25MDY3Z` or do anything else the bot's scopes allow.

Fix: rotate the token, then load it from `process.env.SLACK_BOT_TOKEN`; do the same for the channel ID (`SLACK_NOTIFY_CHANNEL`).
### F-N2: Misleading file name
teamsnotification.js uses the Slack SDK, not Microsoft Teams. Rename or document.
### F-N3: Two scheduling libs
The codebase uses node-cron for jobs / bots and node-schedule for this one file. Use one for consistency. node-cron is simpler; switch this file.
### F-N4: No-op if Slack is down
The file doesn't catch Slack API failures. If Slack returns 5xx or the network fails, the bot prints an error and that's it — the notification is lost. Fix: log to a tNotificationFailure table for retry.
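The F-N1 and F-N4 fixes can be sketched together as follows. This is an added example, not the project's code: the env var names come from F-N1, while `loadSlackConfig`, `redactToken`, `notify` and the injected `postMessage` / `recordFailure` callbacks are hypothetical (`postMessage` stands in for `bot.chat.postMessage`, `recordFailure` for an insert into `tNotificationFailure`).

```javascript
// Added example. Function and callback names here are hypothetical.

// F-N1: read Slack settings from the environment and fail fast at startup
// instead of shipping the secret in source.
function loadSlackConfig(env = process.env) {
  const token = env.SLACK_BOT_TOKEN;
  const channel = env.SLACK_NOTIFY_CHANNEL;
  if (!token || !token.startsWith('xoxb-')) {
    throw new Error('SLACK_BOT_TOKEN is missing or is not a bot token (xoxb-...)');
  }
  if (!channel) {
    throw new Error('SLACK_NOTIFY_CHANNEL is missing');
  }
  return { token, channel };
}

// Keep the secret out of logs: show only the type prefix and the length.
function redactToken(token) {
  return `${token.slice(0, 5)}***(${token.length} chars)`;
}

// F-N4: post a message; on any failure (5xx, network error) hand a record to
// recordFailure so the notification can be retried later instead of lost.
// postMessage is assumed to be bound to a client that already holds the token,
// so the failure record never contains it.
async function notify(cfg, text, postMessage, recordFailure) {
  try {
    await postMessage({ channel: cfg.channel, text });
    return { delivered: true };
  } catch (err) {
    const failure = {
      channel: cfg.channel,
      text,
      error: String((err && err.message) || err),
      failedAt: new Date().toISOString(),
    };
    await recordFailure(failure);
    return { delivered: false, failure };
  }
}
```
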
### F-N5: Time zone unspecified
The schedule hour: [4, 6, 8, 10, 12] is in the server's local time zone (Node.js default). Different deploy boxes in different regions will send notifications at different absolute times. Fix: declare time zone explicitly via the tz option on node-schedule (or node-cron).
## What gets notified
Per the file's notificationformissing() function (read the full body to confirm):
- Templates without certain fields filled in
- Categories without sufficient library entries
- Industries with stale content
The Slack message likely includes counts + a Someli-internal URL pointing to the designer FE for the content team to act on.
## Recommendations
| ID | Recommendation | Effort |
|---|---|---|
| N-1 | Rotate Slack token; move to env | 30 minutes |
| N-2 | Rename file (e.g., slack_notifier.js) or document the misnomer | 5 minutes |
| N-3 | Migrate to node-cron for consistency | 1-2 hours |
| N-4 | Add error handling + retry table for failed notifications | 1 day |
| N-5 | Declare time zone explicitly | 5 minutes |
| N-6 | Extract the notification helper (bot.chat.postMessage) into a shared module that all backends can use | 1 day (cross-repo) |