Merge pull request #71 from ianwsperber/feature/export-verify-request-signature

Export verifyRequestSignature

Author: aoberoi

docs/reference.md

@@ -19,6 +19,19 @@ If `options.includeHeaders` is truthy, then the SlackEventAdapter will emit an a
 with the event that has the parsed headers of the HTTP request. See SlackEventAdapter for more
 details.
 
+#### verifyRequestSignature([_params_])
+
+A helper method for verifying a request signature according to the docs here: https://api.slack.com/docs/verifying-requests-from-slack
+
+The `params.signingSecret` is a required string parameter which you can find in your Slack app's Basic
+Information.
+
+The `params.requestSignature` is a required string parameter taken from the 'x-slack-signature' header of the request.
+
+The `params.requestTimestamp` is a required numeric parameter taken from the 'x-slack-request-timestamp' header of the request.
+
+The `params.body` is a required string parameter for the raw, unparsed request body. If your application automatically parses JSON request you may need to retrieve the raw body prior to parsing.
+
 ### SlackEventAdapter
 
 This object is responsible for consuming HTTP requests from the Slack Events API (via a request handler or

src/http-handler.js

@@ -17,6 +17,44 @@ const responseStatuses = {
 
 const debug = debugFactory('@slack/events-api:http-handler');
 
+/**
+ * Method to verify signature of requests
+ *
+ * @param {string} signingSecret - Signing secret used to verify request signature
+ * @param {string} requestSignature - Signature from request 'x-slack-signature' header
+ * @param {number} requestTimestamp - Timestamp from request 'x-slack-request-timestamp' header
+ * @param {string} body - Raw body string
+ * @returns {boolean} Indicates if request is verified
+ */
+export function verifyRequestSignature({
+  signingSecret, requestSignature, requestTimestamp, body,
+}) {
+  // Divide current date to match Slack ts format
+  // Subtract 5 minutes from current time
+  const fiveMinutesAgo = Math.floor(Date.now() / 1000) - (60 * 5);
+
+  if (requestTimestamp < fiveMinutesAgo) {
+    debug('request is older than 5 minutes');
+    const error = new Error('Slack request signing verification failed');
+    error.code = errorCodes.REQUEST_TIME_FAILURE;
+    throw error;
+  }
+
+  const hmac = crypto.createHmac('sha256', signingSecret);
+  const [version, hash] = requestSignature.split('=');
+  hmac.update(`${version}:${requestTimestamp}:${body}`);
+
+  if (hash !== hmac.digest('hex')) {
+    debug('request signature is not valid');
+    const error = new Error('Slack request signing verification failed');
+    error.code = errorCodes.SIGNATURE_VERIFICATION_FAILURE;
+    throw error;
+  }
+
+  debug('request signing verification success');
+  return true;
+}
+
 export function createHTTPHandler(adapter) {
   const poweredBy = packageIdentifier();
 
@@ -96,46 +134,6 @@ export function createHTTPHandler(adapter) {
     }
   }
 
-  /**
-   * Method to verify signature of requests
-   *
-   * @param {string} signingSecret - Signing secret used to verify request signature
-   * @param {Object} requestHeaders - Request headers
-   * @param {string} body - Raw body string
-   * @returns {boolean} Indicates if request is verified
-   */
-  function verifyRequestSignature(signingSecret, requestHeaders, body) {
-    // Request signature
-    const signature = requestHeaders['x-slack-signature'];
-    // Request timestamp
-    const ts = requestHeaders['x-slack-request-timestamp'];
-
-    // Divide current date to match Slack ts format
-    // Subtract 5 minutes from current time
-    const fiveMinutesAgo = Math.floor(Date.now() / 1000) - (60 * 5);
-
-    if (ts < fiveMinutesAgo) {
-      debug('request is older than 5 minutes');
-      const error = new Error('Slack request signing verification failed');
-      error.code = errorCodes.REQUEST_TIME_FAILURE;
-      throw error;
-    }
-
-    const hmac = crypto.createHmac('sha256', signingSecret);
-    const [version, hash] = signature.split('=');
-    hmac.update(`${version}:${ts}:${body}`);
-
-    if (hash !== hmac.digest('hex')) {
-      debug('request signature is not valid');
-      const error = new Error('Slack request signing verification failed');
-      error.code = errorCodes.SIGNATURE_VERIFICATION_FAILURE;
-      throw error;
-    }
-
-    debug('request signing verification success');
-    return true;
-  }
-
   /**
    * Request listener used to handle Slack requests and send responses and
    * verify request signatures
@@ -153,7 +151,12 @@ export function createHTTPHandler(adapter) {
       .then((r) => {
         const rawBody = r.toString();
 
-        if (verifyRequestSignature(adapter.signingSecret, req.headers, rawBody)) {
+        if (verifyRequestSignature({
+          signingSecret: adapter.signingSecret,
+          requestSignature: req.headers['x-slack-signature'],
+          requestTimestamp: req.headers['x-slack-request-timestamp'],
+          body: rawBody,
+        })) {
           // Request signature is verified
           // Parse raw body
           const body = JSON.parse(rawBody);

src/index.js

@@ -1,5 +1,6 @@
 import { errorCodes as adapterErrorCodes, SlackEventAdapter } from './adapter';
 
+export { verifyRequestSignature } from './http-handler';
 export const errorCodes = adapterErrorCodes;
 
 export function createEventAdapter(signingSecret, options) {

test/unit/test-http-handler.js

@@ -7,114 +7,145 @@ var systemUnderTest = proxyquire('../../dist/http-handler', {
   'raw-body': getRawBodyStub
 });
 var createHTTPHandler = systemUnderTest.createHTTPHandler;
+var verifyRequestSignature = systemUnderTest.verifyRequestSignature;
 
 // fixtures
 var correctSigningSecret = 'SIGNING_SECRET';
 var correctRawBody = '{"type":"event_callback","event":{"type":"reaction_added",' +
 '"user":"U123","item":{"type":"message","channel":"C123"}}}';
 
-describe('createHTTPHandler', function () {
+describe('http-handler', function () {
   beforeEach(function () {
-    this.emit = sinon.stub();
-    this.res = sinon.stub({
-      setHeader: function () { },
-      send: function () { },
-      end: function () { }
-    });
-    this.next = sinon.stub();
     this.correctDate = Math.floor(Date.now() / 1000);
-    this.requestListener = createHTTPHandler({
-      signingSecret: correctSigningSecret,
-      emit: this.emit
-    });
   });
 
-  it('should verify a correct signing secret', function (done) {
-    var emit = this.emit;
-    var res = this.res;
-    var req = createRequest(correctSigningSecret, this.correctDate, correctRawBody);
-    emit.resolves({ status: 200 });
-    getRawBodyStub.resolves(correctRawBody);
-    res.end.callsFake(function () {
-      assert.equal(res.statusCode, 200);
-      done();
+  describe('verifyRequestSignature', function () {
+    it('should return true for a valid request', function () {
+      var req = createRequest(correctSigningSecret, this.correctDate, correctRawBody);
+      var isVerified = verifyRequestSignature({
+        signingSecret: correctSigningSecret,
+        requestTimestamp: req.headers['x-slack-request-timestamp'],
+        requestSignature: req.headers['x-slack-signature'],
+        body: req.body
+      });
+
+      assert.isTrue(isVerified);
     });
-    this.requestListener(req, res);
-  });
 
-  it('should fail request signing verification with an incorrect signing secret', function (done) {
-    var res = this.res;
-    var req = createRequest('INVALID_SECRET', this.correctDate, correctRawBody);
-    getRawBodyStub.resolves(correctRawBody);
-    res.end.callsFake(function () {
-      assert.equal(res.statusCode, 404);
-      done();
+    it('should throw for a request signed with a different secret', function () {
+      var req = createRequest(correctSigningSecret, this.correctDate, correctRawBody);
+      assert.throws(() => verifyRequestSignature({
+        signingSecret: 'INVALID_SECRET',
+        requestTimestamp: req.headers['x-slack-request-timestamp'],
+        requestSignature: req.headers['x-slack-signature'],
+        body: req.body
+      }), 'Slack request signing verification failed');
     });
-    this.requestListener(req, res);
   });
 
-  it('should fail request signing verification with old timestamp', function (done) {
-    var res = this.res;
-    var sixMinutesAgo = Math.floor(Date.now() / 1000) - (60 * 6);
-    var req = createRequest(correctSigningSecret, sixMinutesAgo, correctRawBody);
-    getRawBodyStub.resolves(correctRawBody);
-    res.end.callsFake(function () {
-      assert.equal(res.statusCode, 404);
-      done();
+  describe('createHTTPHandler', function () {
+    beforeEach(function () {
+      this.emit = sinon.stub();
+      this.res = sinon.stub({
+        setHeader: function () { },
+        send: function () { },
+        end: function () { }
+      });
+      this.next = sinon.stub();
+      this.correctDate = Math.floor(Date.now() / 1000);
+      this.requestListener = createHTTPHandler({
+        signingSecret: correctSigningSecret,
+        emit: this.emit
+      });
     });
-    this.requestListener(req, res);
-  });
 
-  it('should handle unexpected error', function (done) {
-    var res = this.res;
-    var req = createRequest(correctSigningSecret, this.correctDate, correctRawBody);
-    getRawBodyStub.rejects(new Error('test error'));
-    res.end.callsFake(function (result) {
-      assert.equal(res.statusCode, 500);
-      assert.isUndefined(result);
-      done();
+    it('should verify a correct signing secret', function (done) {
+      var emit = this.emit;
+      var res = this.res;
+      var req = createRequest(correctSigningSecret, this.correctDate, correctRawBody);
+      emit.resolves({ status: 200 });
+      getRawBodyStub.resolves(correctRawBody);
+      res.end.callsFake(function () {
+        assert.equal(res.statusCode, 200);
+        done();
+      });
+      this.requestListener(req, res);
     });
-    this.requestListener(req, res);
-  });
 
-  it('should provide message with unexpected errors in development', function (done) {
-    var res = this.res;
-    var req = createRequest(correctSigningSecret, this.correctDate, correctRawBody);
-    process.env.NODE_ENV = 'development';
-    getRawBodyStub.rejects(new Error('test error'));
-    res.end.callsFake(function (result) {
-      assert.equal(res.statusCode, 500);
-      assert.equal(result, 'test error');
-      delete process.env.NODE_ENV;
-      done();
+    it('should fail request signing verification with an incorrect signing secret', function (done) {
+      var res = this.res;
+      var req = createRequest('INVALID_SECRET', this.correctDate, correctRawBody);
+      getRawBodyStub.resolves(correctRawBody);
+      res.end.callsFake(function () {
+        assert.equal(res.statusCode, 404);
+        done();
+      });
+      this.requestListener(req, res);
     });
-    this.requestListener(req, res);
-  });
 
-  it('should set an identification header in its responses', function (done) {
-    var emit = this.emit;
-    var res = this.res;
-    var req = createRequest(correctSigningSecret, this.correctDate, correctRawBody);
-    emit.resolves({ status: 200 });
-    getRawBodyStub.resolves(correctRawBody);
-    res.end.callsFake(function () {
-      assert(res.setHeader.calledWith('X-Slack-Powered-By'));
-      done();
+    it('should fail request signing verification with old timestamp', function (done) {
+      var res = this.res;
+      var sixMinutesAgo = Math.floor(Date.now() / 1000) - (60 * 6);
+      var req = createRequest(correctSigningSecret, sixMinutesAgo, correctRawBody);
+      getRawBodyStub.resolves(correctRawBody);
+      res.end.callsFake(function () {
+        assert.equal(res.statusCode, 404);
+        done();
+      });
+      this.requestListener(req, res);
+    });
+
+    it('should handle unexpected error', function (done) {
+      var res = this.res;
+      var req = createRequest(correctSigningSecret, this.correctDate, correctRawBody);
+      getRawBodyStub.rejects(new Error('test error'));
+      res.end.callsFake(function (result) {
+        assert.equal(res.statusCode, 500);
+        assert.isUndefined(result);
+        done();
+      });
+      this.requestListener(req, res);
+    });
+
+    it('should provide message with unexpected errors in development', function (done) {
+      var res = this.res;
+      var req = createRequest(correctSigningSecret, this.correctDate, correctRawBody);
+      process.env.NODE_ENV = 'development';
+      getRawBodyStub.rejects(new Error('test error'));
+      res.end.callsFake(function (result) {
+        assert.equal(res.statusCode, 500);
+        assert.equal(result, 'test error');
+        delete process.env.NODE_ENV;
+        done();
+      });
+      this.requestListener(req, res);
+    });
+
+    it('should set an identification header in its responses', function (done) {
+      var emit = this.emit;
+      var res = this.res;
+      var req = createRequest(correctSigningSecret, this.correctDate, correctRawBody);
+      emit.resolves({ status: 200 });
+      getRawBodyStub.resolves(correctRawBody);
+      res.end.callsFake(function () {
+        assert(res.setHeader.calledWith('X-Slack-Powered-By'));
+        done();
+      });
+      this.requestListener(req, res);
     });
-    this.requestListener(req, res);
-  });
 
-  it('should respond to url verification requests', function (done) {
-    var res = this.res;
-    var emit = this.emit;
-    var urlVerificationBody = '{"type":"url_verification","challenge": "TEST_CHALLENGE"}';
-    var req = createRequest(correctSigningSecret, this.correctDate, urlVerificationBody);
-    getRawBodyStub.resolves(urlVerificationBody);
-    res.end.callsFake(function () {
-      assert(emit.notCalled);
-      assert.equal(res.statusCode, 200);
-      done();
+    it('should respond to url verification requests', function (done) {
+      var res = this.res;
+      var emit = this.emit;
+      var urlVerificationBody = '{"type":"url_verification","challenge": "TEST_CHALLENGE"}';
+      var req = createRequest(correctSigningSecret, this.correctDate, urlVerificationBody);
+      getRawBodyStub.resolves(urlVerificationBody);
+      res.end.callsFake(function () {
+        assert(emit.notCalled);
+        assert.equal(res.statusCode, 200);
+        done();
+      });
+      this.requestListener(req, res);
     });
-    this.requestListener(req, res);
   });
 });

test/unit/test-index.js

@@ -0,0 +1,18 @@
+'use strict';
+
+var assert = require('chai').assert;
+var library = require('../../dist');
+
+describe('@slack/events-api', function () {
+  it('should export "verifyRequestSignature"', function () {
+    assert.property(library, 'verifyRequestSignature');
+  });
+
+  it('should export "createEventAdapter"', function () {
+    assert.property(library, 'createEventAdapter');
+  });
+
+  it('should export "errorCodes"', function () {
+    assert.property(library, 'errorCodes');
+  });
+});