Add support for specifying signing secrets on a per-request basis (#256)

Author: Gabriel Deal

CHANGELOG.md

@@ -1,5 +1,6 @@
 ### 0.14.2 (Next)
 
+* [#256](https://github.com/slack-ruby/slack-ruby-client/pull/256): Added support for specifying signing secrets on a per-request basis via optional parameters to the `Slack::Events::Request` constructor - [@gabrielmdeal](https://github.com/gabrielmdeal).
 * Your contribution here.
 
 ### 0.14.1 (2019/2/26)

README.md

@@ -506,6 +506,13 @@ slack_request = Slack::Events::Request.new(http_request)
 slack_request.verify!
 ```
 
+To specify secrets on a per-request basis:
+```ruby
+Slack::Events::Request.new(http_request,
+                           signing_secret: signing_secret,
+                           signature_expires_in: signature_expires_in)
+```
+
 The `verify!` call may raise `Slack::Events::MissingSigningSecret`, `Slack::Events::InvalidSignature` or `Slack::Events::TimestampExpired` errors.
 
 ### Message Parsing

lib/slack/events/request.rb

@@ -5,10 +5,14 @@ class MissingSigningSecret < StandardError; end
       class TimestampExpired < StandardError; end
       class InvalidSignature < StandardError; end
 
-      attr_reader :http_request
+      attr_reader :http_request,
+                  :signing_secret,
+                  :signature_expires_in
 
-      def initialize(http_request)
+      def initialize(http_request, options = {})
         @http_request = http_request
+        @signing_secret = options[:signing_secret] || Slack::Events.config.signing_secret
+        @signature_expires_in = options[:signature_expires_in] || Slack::Events.config.signature_expires_in
       end
 
       # Request timestamp.
@@ -34,16 +38,16 @@ def body
 
       # Returns true if the signature coming from Slack has expired.
       def expired?
-        timestamp.nil? || (Time.now.to_i - timestamp.to_i).abs > Slack::Events.config.signature_expires_in
+        timestamp.nil? || (Time.now.to_i - timestamp.to_i).abs > signature_expires_in
       end
 
       # Returns true if the signature coming from Slack is valid.
       def valid?
-        raise MissingSigningSecret unless Slack::Events.config.signing_secret
+        raise MissingSigningSecret unless signing_secret
 
         digest = OpenSSL::Digest::SHA256.new
         signature_basestring = [version, timestamp, body].join(':')
-        hex_hash = OpenSSL::HMAC.hexdigest(digest, Slack::Events.config.signing_secret, signature_basestring)
+        hex_hash = OpenSSL::HMAC.hexdigest(digest, signing_secret, signature_basestring)
         computed_signature = [version, hex_hash].join('=')
         computed_signature == signature
       end

spec/slack/events/request_spec.rb

@@ -3,10 +3,11 @@
 RSpec.describe Slack::Events::Request do
   before do
     Slack::Events.configure do |config|
-      config.signing_secret = 'ade6ca762ade4db0e7d31484cd616b9c'
+      config.signing_secret = signing_secret
       config.signature_expires_in = 30
     end
   end
+  let(:signing_secret) { 'ade6ca762ade4db0e7d31484cd616b9c' }
   let(:signature) { 'v0=91177eea054d65de0fc0f9b4ec57714307bc0ce2c5f3bf0d28b1b720c8f92ba2' }
   let(:timestamp) { '1547933148' }
   let(:body) { '{"token":"X34FAqCu8tmGEkEEpoDncnja","challenge":"P7sFXA4o3HV2hTx4zb4zcQ9yrvuQs8pDh6EacOxmMRj0tJaXfQFF","type":"url_verification"}' }
@@ -115,6 +116,33 @@
       end
     end
   end
+  context 'without global config' do
+    before do
+      Slack::Events.config.reset
+    end
+    context 'without a signing secret parameter' do
+      subject do
+        Slack::Events::Request.new(http_request)
+      end
+      it 'raises MissingSigningSecret' do
+        expect { subject.valid? }.to raise_error Slack::Events::Request::MissingSigningSecret
+      end
+    end
+    context 'with a signing secret parameter' do
+      subject do
+        Slack::Events::Request.new(http_request,
+                                   signing_secret: signing_secret,
+                                   signature_expires_in: 30)
+      end
+      before do
+        Timecop.freeze(Time.at(timestamp.to_i))
+      end
+      it 'is valid and not expired' do
+        expect(subject).to be_valid
+        expect(subject).to_not be_expired
+      end
+    end
+  end
   after do
     Slack::Events.config.reset
   end