Safe Previews: Introducing Smart Link Unfurling for Slack

Sharing a link in Slack is usually great—you get a nice preview image and description. But when you share a **secret**, that preview can be dangerous.

If we unfurled the actual content (e.g., "Password: 12345"), it would be logged in Slack's servers, defeating the entire purpose of EnvShareApp.

Today, we're introducing **Smart Unfurling**. It's the best of both worlds: high-fidelity UI without the data leak.

The Metadata-Only Approach

When you paste an `envshare.app/s/...` link into Slack, our new bot intercepts the preview request. Instead of trying to decrypt the secret (which it physically can't do), it looks up the **metadata**.

You see exactly what you need to know:

• Is it still active? (or already burned?)
• How many views are left?
• When does it expire?

But you **never** see the password itself.

Technical Implementation

We use Slack's Link Unfurling API securely:

1. Verification: We verify the request signature `X-Slack-Signature` to ensure it's actually Slack asking.
2. Lookup: We check the `Read-Only` database replica for the secret's ID.
3. Sanitization: We construct a JSON payload with *only* the view count and expiry time.
4. Response: We send back the structured message block.