Session expire too soon for some clients.

Hi there!

We have been using Secret Santa for a couple of years now, and this year we encountered a "bug" or maybe more of a user experience failure:

The problem

This year, our Secret Santa admin received 2 gift instead of one, and someone did't get a present.

But it wasn't an algorithm failure, here's what happened:

• Once all is set, each player gets a You've been chosen to gift X message.
• The X being the tag name of the designated target.
• But this message also contain another name (that is automatically highlighted by Slack as well): the admin's tag name.
• One player simply identified the second name as their Secret Santa target.
• So their real designated target didn't get anything*.

In an environment saturated by notifications of all kind, and with just a little bit of inattention, I think anyone could have make the same mistake.
The very nature of secret Santa made it impossible for us to identify there had been a confusion before the due date.

My suggestion

Maybe, for this critical** message, don't mention the admin's name at all.
Only display the target's name to prevent any confusion.

Did anyone else experienced that problem?
What do you think?

We would like to thank you all for that very important piece of software. 🎅🎄☃️

*: And yet they deserved it! They've been a very good person all year. 😢
**: Yeah... we're very serious about Christmas 😁

A lot of Slack API calls are failing these days. It looks like it's related to a network timeout :

cURL error 28: Operation timed out after 2001 milliseconds with 0 bytes received

We should probably make the timeout greater than 2 seconds (5 or 10s should be fine)

I got a report from a user, the old CSS was in it's cache and when displaying the Hall of fame everything was broken.

We don't update CSS that often so no need to make it automatic.

As we do not store anything, it could be nice to propose to send a summary to someone.

Sometimes Secret Santa is run in organisations where some people should not give each other a gift (think a family where a couple don't want to be assigned one to another) but still want to be part of the gift exchange.

We could allow users to select "forbidden assignations", when all the users are selected.

It should not be a preview of the draw, just a list of rules, to keep the magic / the secret!

We have a lot of 404 for this file.

As we now have multiple pages, we should try to improve SEO by adding custom titles on pages.

Also, we should take special care of the social sharing and un-furl https://api.slack.com/docs/message-link-unfurling

We can't handle big Slack team at the moment because we fail to download the whole user list under 5 secondes. Also, that's a huge JSON coming our way.

Slack API provide a cursor pagination: https://api.slack.com/methods/users.list

We should use this!

We should try to add this: https://docs.bugsnag.com/product/releases/#configuring-your-app-version

https://docs.bugsnag.com/platforms/php/symfony/#tracking-releases

Because we alreay have a redis (for session purposes), we could also store the number of distributed secret santa

Great Slack app!

I think the formatting of the message sent to the participants can be improved though. As it is now, it's not immediately evident to see who you have been matched with, being just a little mention in a sentence. Especially too because the visual focus is on the admin message, not on the selected username.

The current formatting looks like this:

It could for instance be made like this instead:

Markup:

Hi!

You have been chosen to be part of a Secret Santa!
Someone has been chosen to get you a gift.

> *And you have been chosen to gift:*
> :gift: *@username*

Here is a message from the Secret Santa admin:

` ` `
TEST
` ` `
_– Your Secret Santa admin, @admin._

(with no space between the back ticks)

There's still matter to improve, but it's a quick fix that can make the app so much more clear :)

Allow to search for users faster.

Provide a new deployment of Slack Secret Santa called "Discord Secret Santa", working with Discord: https://discordapp.com/developers/docs/intro

Some organization uses the Slack free plan and thus have a limited message history. The secret santa admin can then loose the message to retrieve the secret repartition.

We could propose to also send the spoiling method by email at the end of the process. This obviously requires to setup a mail platform.

I think users are not aware of the formatting allowed in the admin message,
we should add a little help about that.

We receive a lot of support requests for Secret Santa summary access after the fact,
and as we don't want to store anything we can't help most of those users.

Maybe it's possible to send the summary file to the admin, maybe with a un-readable format (rot13?), and a link to a page where we un-code the content.

We need to check if SlackBot can send files.

It would be convenient for companies sharing the same workspace.

Something we need to make sure it's clear what we do with the data.

The report shown here: https://developers.google.com/speed/pagespeed/insights/?url=https%3A%2F%2Fsecret-santa.team%2F&tab=mobile

Is not very good for such a simple website. We can improve that a lot.

Also, we load FontAwesome with ALL the icons, but only needs some. We may improve that.

We have a lot of PHP vendor to update.

To do after #116

Namespace:

• Current namespace is Joli\SlackSecretSanta.
• Should be Joli\SecretSanta, or even JoliCode\SecretSanta

Repo:

• Current repo is jolicode/slack-secret-santa
• Should be jolicode/secret-santa

To be done later.

It would be nice to have an option to select the date and time when the messages will be sent to everyone. I'd love to be able to set up my Secret Santa now, and have it run on Friday at 6 pm for instance. So that it can be planned for a company event without having to go back behind the computer and set up everything at the last minute.

After allowing our app to access slack data, we have to check all the users participating to the secret santa. It could be nice to have a selection by channel or something like that to ease this step.

Provide a new deployment of Slack Secret Santa called "Team Secret Santa", working with Microsoft Team: https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/apps/apps-overview

Creation process

• Create the app package: https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/apps/apps-package (maybe via the dedicated app https://aka.ms/InstallTeamsAppStudio)
• Add a test to check the manifest format? https://docs.microsoft.com/en-us/microsoftteams/platform/resources/schema/manifest-schema
• Create a Bot with Bot Framework, or a Connectors? Notification-only bots can push relevant information directly to a specific user in a channel or a direct message. https://dev.botframework.com/bots/new
• Bot require the "team" scope
• Set "notif only" https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/bots/bots-notification-only
• Get a bearer Token for the REST API
• Start private conversations, You need the user’s unique ID and tenant ID to send a proactive message: https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/bots/bot-conversations/bots-conv-proactive. There is a call to create or start the conversation, then another one to send the actual message! ⚠️
• Publish the app https://docs.microsoft.com/en-us/microsoftteams/platform/publishing/apps-publish

To be done / tested

• Test if everything is OK with the desktop app

We need to use the Add to Slack button to be listed in the App Directory.

https://api.slack.com/docs/slack-button

Atlassian released https://www.stride.com/ - the replacement for HipChat and a new way for teams to work and communicate. There is apps on it so we should be able to make Secret Santa compatible!

So far there is 25 apps: https://marketplace.atlassian.com/addons/app/stride?_ga=2.168561697.1487835320.1526475674-311972830.1526475674

• Free licence here: https://developer.atlassian.com/why-build-with-atlassian/
• Documentation available here: https://developer.atlassian.com/cloud/stride/integrating-with-stride/

ping @yulz ❤️

404 and 500 should be custom.

Avatars are not displayed anymore:

Our pages send this header: Content-Security-Policy: default-src 'self'; base-uri 'self'; so the avatars gets blocked:

Also, inline JavaScript is not executed:

Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-SYgPl6GxmNtUIiPe4ASGGixmj9g/tOP622WecLQi6Qo='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback.

So... Nothing works right now.

Just set it up for my company! Pro tip for anyone that wants to do this: be careful about what you include in the markdown writeup. My message included "<=" in the budget description, which made something barf and cut off most of my message. Otherwise, worked like a charm

We should remove the strip_tag protection. As the message is sent in a markdown, we can safely remove this protection. We must only forbid the use of "```"

Seen in the logs:

2019-11-15T12:49:07+01:00 [:error] [pid 1169:tid 139881523087104] [client 46.252.181.103:37412] FastCGI: server "/var/www/php5-fpm/php5.external" stderr: PHP message: [2019-11-15 11:49:05] php.WARNING: Warning: Invalid argument supplied for foreach() {"exception":"[object] (ErrorException(code: 0): Warning: Invalid argument supplied for foreach() at /home/bas/app_2e11a7d1-37ca-4bd1-8b51-083011a69f18/src/Slack/UserExtractor.php:108)"} [], referer: https://secret-santa.team/

We need to improve the retry workflow.

A quick win would be to at least add a percentage of messages sent on this page.
Something that would be nice too would be to launch the retry automatically.

The best workflow I can think of ATM is:

• on submit, post the form to sav in session (as it's done now)
• redirect to simple page that will trigger the sending of the messages in Ajax
• display a real-time percentage on this page
• retry automatically when the server answer a timeout and update the percentage
• redirect to the finish page

When the API is down or does not respond in a timely manner, we may not see any log in our Clever Cloud hosting.

Let's fix that. And maybe use Sentry?

https://developers.google.com/hangouts/chat

We do secret Santa as an opt-in activity at our workplace. It would be cool if people could send a message to Rodolf saying they want to join secret Santa.

Currently we are forced to update manually here: https://github.com/jolicode/secret-santa/blob/master/config/packages/framework.yaml#L16

It could be easily replaced by a hash of the assets directory.

See https://api.slack.com/changelog/2017-09-the-one-about-usernames#prepare.

We should store user.id in the SecretSanta object

When booting the app without data, we get this error:

 FastCGI: server "/var/www/php5-fpm/php5.external" stderr: PHP message: [2018-10-05 16:37:42] request.CRITICAL: Uncaught PHP Exception Predis\\Response\\ServerException: "ERR wrong number of arguments for 'mget' command" at /home/bas/app_2e11a7d1-37ca-4bd1-8b51-083011a69f18/vendor/predis/predis/src/Client.php line 370 {"exception":"[object] (Predis\\\\Response\\\\ServerException(code: 0): ERR wrong number of arguments for 'mget' command at //vendor/predis/predis/src/Client.php:370)"} []

Zoom is a big player in the entreprise chat eco-system now, and there ways to build apps for it:

https://marketplace.zoom.us/docs/guides

Investigations to be done!

We have a long lasting issue with Slack Apps requesting the email scope, even if we dont request it (we request users:read). Last February we got this answer from them:

Hi again Damien,
I am sorry to report that we are not able to remove the scoped email access that your app currently has been granted due to the older users:read scope.
We do not have a timeline on when we will be adjusting this from our side, and as far as I know, the only workaround is to create a new app (losing currently installations if you fully delete that app) and start fresh with a newly created app that won't have the same issues.
Apologies for the bad news here. Let me know if you have any other thoughts/questions.
Thanks,
xxx

So just because the app was created a long time ago, the email address is always asked for and this can't be removed.

More than a year after, I tried the suggestion to create a new app. Here is the results:

Actual application

New unpublished application

Conclusions

If we want to get rid of the View email addresses of people on your workspace permission, our only solution is to create a brand new application on Slack Apps, and go through the complete publication procedure.

Most of the code is already compatible.

• Heroku router stop everything at 30s and there is no way to take back control of the response
• A very large secret santa can send hundreds of Slack API requests

We have to make sure users are never left with in incomplete "Secret Santa" where only a bunch of users are notified. We have to:

• Add a low timeout on Slack API requests (1/2 seconds)
• Make sure the PHP script does stop itself nicely at ~25 seconds
• Display the proper "sorry" message and allow to download the list of users to notify manually (maybe a "retry" button could be used to send the remaining users?)

🔥 https://docs.bugsnag.com/platforms/javascript/ 🔥

A public wishlist that everyone can see by manually checking with the bot.
Notify the secret santa when wishes are added by respective person for secret santa

Remote teams can't really use the app without having an open list of all the mailing address on the side.

What we could allow is to ask for a Mailing address and give it to the Santa.