Revert receiver refactor

slackapi · Mar 13, 2020 · 2313c46 · 2313c46
1 parent 8faa0b5
commit 2313c46
Show file tree

Hide file tree

Showing 8 changed files with 108 additions and 231 deletions.
diff --git a/src/App.spec.ts b/src/App.spec.ts
@@ -5,8 +5,7 @@ import { assert } from 'chai';
 import { Override, mergeOverrides, createFakeLogger, delay } from './test-helpers';
 import rewiremock from 'rewiremock';
 import { ErrorCode, UnknownError } from './errors';
-import { SayFn, NextMiddleware } from './types';
-import { Receiver, ReceiverEvent } from './receiver';
+import { Receiver, ReceiverEvent, SayFn, NextMiddleware } from './types';
 import { ConversationStore } from './conversation-store';
 import { LogLevel } from '@slack/logger';
 import App, { ViewConstraints } from './App';

diff --git a/src/App.ts b/src/App.ts
@@ -41,10 +41,11 @@ import {
   BlockAction,
   InteractiveMessage,
   SlackViewAction,
+  Receiver,
+  ReceiverEvent,
   RespondArguments,
 } from './types';
 import { IncomingEventType, getTypeAndConversation, assertNever } from './helpers';
-import { Receiver, ReceiverEvent } from './receiver';
 import {
   CodedError,
   asCodedError,

diff --git a/src/ExpressReceiver.ts b/src/ExpressReceiver.ts
@@ -1,8 +1,11 @@
+import { AnyMiddlewareArgs, Receiver, ReceiverEvent } from './types';
 import { createServer, Server } from 'http';
 import express, { Request, Response, Application, RequestHandler, NextFunction } from 'express';
 import rawBody from 'raw-body';
+import querystring from 'querystring';
+import crypto from 'crypto';
+import tsscmp from 'tsscmp';
 import App from './App';
-import { verifySignatureAndParseBody, Receiver, ReceiverEvent } from './receiver';
 import { ReceiverAuthenticityError } from './errors';
 import { Logger, ConsoleLogger } from '@slack/logger';
 
@@ -195,3 +198,87 @@ function logError(logger: Logger, message: string, error: any): void {
     : `${message} (error: ${error})`;
   logger.warn(logMessage);
 }
+
+function verifyRequestSignature(
+    signingSecret: string,
+    body: string,
+    signature: string | undefined,
+    requestTimestamp: string | undefined,
+): void {
+  if (signature === undefined || requestTimestamp === undefined) {
+    throw new ReceiverAuthenticityError(
+        'Slack request signing verification failed. Some headers are missing.',
+    );
+  }
+
+  const ts = Number(requestTimestamp);
+  if (isNaN(ts)) {
+    throw new ReceiverAuthenticityError(
+        'Slack request signing verification failed. Timestamp is invalid.',
+    );
+  }
+
+  // Divide current date to match Slack ts format
+  // Subtract 5 minutes from current time
+  const fiveMinutesAgo = Math.floor(Date.now() / 1000) - (60 * 5);
+
+  if (ts < fiveMinutesAgo) {
+    throw new ReceiverAuthenticityError(
+        'Slack request signing verification failed. Timestamp is too old.',
+    );
+  }
+
+  const hmac = crypto.createHmac('sha256', signingSecret);
+  const [version, hash] = signature.split('=');
+  hmac.update(`${version}:${ts}:${body}`);
+
+  if (!tsscmp(hash, hmac.digest('hex'))) {
+    throw new ReceiverAuthenticityError(
+        'Slack request signing verification failed. Signature mismatch.',
+    );
+  }
+}
+
+/**
+ * This request handler has two responsibilities:
+ * - Verify the request signature
+ * - Parse request.body and assign the successfully parsed object to it.
+ */
+function verifySignatureAndParseBody(
+    signingSecret: string,
+    body: string,
+    headers: Record<string, any>,
+): AnyMiddlewareArgs['body'] {
+  // *** Request verification ***
+  const {
+    'x-slack-signature': signature,
+    'x-slack-request-timestamp': requestTimestamp,
+    'content-type': contentType,
+  } = headers;
+
+  verifyRequestSignature(
+      signingSecret,
+      body,
+      signature,
+      requestTimestamp,
+  );
+
+  return parseRequestBody(body, contentType);
+}
+
+function parseRequestBody(
+    stringBody: string,
+    contentType: string | undefined,
+): any {
+  if (contentType === 'application/x-www-form-urlencoded') {
+    const parsedBody = querystring.parse(stringBody);
+
+    if (typeof parsedBody.payload === 'string') {
+      return JSON.parse(parsedBody.payload);
+    }
+
+    return parsedBody;
+  }
+
+  return JSON.parse(stringBody);
+}
diff --git a/src/index.ts b/src/index.ts
@@ -21,7 +21,6 @@ export {
 
 export * from './errors';
 export * from './middleware/builtin';
-export * from './receiver';
 export * from './types';
 
 export {

diff --git a/src/receiver.spec.ts b/src/receiver.spec.ts
diff --git a/src/receiver.ts b/src/receiver.ts
diff --git a/src/types/index.ts b/src/types/index.ts
@@ -5,3 +5,4 @@ export * from './command';
 export * from './events';
 export * from './options';
 export * from './view';
+export * from './receiver';
diff --git a/src/types/receiver.ts b/src/types/receiver.ts
@@ -0,0 +1,16 @@
+import App from '../App';
+import { AckFn } from '../types';
+import { StringIndexed } from './helpers';
+
+export interface ReceiverEvent {
+  body: StringIndexed;
+  // TODO: there should maybe be some more help for implementors of Receiver to know what kind of argument the AckFn
+  // is expected to deal with.
+  ack: AckFn<any>;
+}
+
+export interface Receiver {
+  init(app: App): void;
+  start(...args: any[]): Promise<unknown>;
+  stop(...args: any[]): Promise<unknown>;
+}