def test_is_valid(self):
verifier = SignatureVerifier(
signing_secret=self.signing_secret,
clock=MockClock(),
)
self.assertTrue(
verifier.is_valid(self.body, self.timestamp, self.valid_signature)
)
self.assertTrue(verifier.is_valid(self.body, 1531420618, self.valid_signature))
def wrapper_verify_slack_signature(request, *args, **kwargs):
signature_verifier = SignatureVerifier(
signing_secret=settings.SLACK_SIGNING_SECRET)
if not signature_verifier.is_valid(
body=request.body,
timestamp=request.headers.get("X-Slack-Request-Timestamp"),
signature=request.headers.get("X-Slack-Signature"),
):
return HttpResponseForbidden()
return func(request, *args, **kwargs)
def test_is_valid_none(self):
verifier = SignatureVerifier(
signing_secret=self.signing_secret,
clock=MockClock(),
)
self.assertFalse(verifier.is_valid(None, self.timestamp, self.valid_signature))
self.assertFalse(verifier.is_valid(self.body, None, self.valid_signature))
self.assertFalse(verifier.is_valid(self.body, self.timestamp, None))
self.assertFalse(verifier.is_valid(None, None, self.valid_signature))
self.assertFalse(verifier.is_valid(None, self.timestamp, None))
self.assertFalse(verifier.is_valid(self.body, None, None))
self.assertFalse(verifier.is_valid(None, None, None))
class RequestVerification(Middleware): # type: ignore
def __init__(self, signing_secret: str):
"""Verifies an incoming request by checking the validity of
`x-slack-signature`, `x-slack-request-timestamp`, and its body data.
Refer to https://api.slack.com/authentication/verifying-requests-from-slack for details.
Args:
signing_secret: The signing secret
"""
self.verifier = SignatureVerifier(signing_secret=signing_secret)
self.logger = get_bolt_logger(RequestVerification)
def process(
self,
*,
req: BoltRequest,
resp: BoltResponse,
next: Callable[[], BoltResponse],
) -> BoltResponse:
if self._can_skip(req.mode, req.body):
return next()
body = req.raw_body
timestamp = req.headers.get("x-slack-request-timestamp", ["0"])[0]
signature = req.headers.get("x-slack-signature", [""])[0]
if self.verifier.is_valid(body, timestamp, signature):
return next()
else:
self._debug_log_error(signature, timestamp, body)
return self._build_error_response()
# -----------------------------------------
@staticmethod
def _can_skip(mode: str, body: Dict[str, Any]) -> bool:
return mode == "socket_mode" or (body is not None
and body.get("ssl_check") == "1")
@staticmethod
def _build_error_response() -> BoltResponse:
return BoltResponse(status=401, body={"error": "invalid request"})
def _debug_log_error(self, signature, timestamp, body) -> None:
self.logger.info(
"Invalid request signature detected "
f"(signature: {signature}, timestamp: {timestamp}, body: {body})")
class RequestVerification(Middleware): # type: ignore
def __init__(self, signing_secret: str):
self.verifier = SignatureVerifier(signing_secret=signing_secret)
self.logger = get_bolt_logger(RequestVerification)
def process(
self,
*,
req: BoltRequest,
resp: BoltResponse,
next: Callable[[], BoltResponse],
) -> BoltResponse:
if self._can_skip(req.payload):
return next()
body = req.body
timestamp = req.headers.get("x-slack-request-timestamp", ["0"])[0]
signature = req.headers.get("x-slack-signature", [""])[0]
if self.verifier.is_valid(body, timestamp, signature):
return next()
else:
self._debug_log_error(signature, timestamp, body)
return self._build_error_response()
# -----------------------------------------
@staticmethod
def _can_skip(payload: Dict[str, Any]) -> bool:
return payload is not None and payload.get("ssl_check", None) == "1"
@staticmethod
def _build_error_response() -> BoltResponse:
return BoltResponse(status=401, body={"error": "invalid request"})
def _debug_log_error(self, signature, timestamp, body) -> None:
self.logger.info(
"Invalid request signature detected "
f"(signature: {signature}, timestamp: {timestamp}, body: {body})")