Decouples Express and adds request signing verification support #59
Conversation
Codecov Report
@@ Coverage Diff @@
## master #59 +/- ##
==========================================
+ Coverage 94.26% 95.48% +1.22%
==========================================
Files 4 4
Lines 122 133 +11
==========================================
+ Hits 115 127 +12
+ Misses 7 6 -1
Continue to review full report at Codecov.
|
README.md
Outdated
| @@ -127,6 +125,8 @@ http.createServer(app).listen(port, () => { | |||
| }); | |||
| ``` | |||
|
|
|||
| > ⚠️ As of `v2.0.0`, the Events API adapter parses raw request bodies while performing request signing verification. This means developers no longer need to use `body-parser` middleware to parse urlencoded requests. | |||
There was a problem hiding this comment.
last few words -> parse JSON-encoded requests
| @@ -1,6 +1,6 @@ | |||
| { | |||
| "parser": "babel-eslint", | |||
| "extends": [ "airbnb" ], | |||
| "extends": [ "airbnb-base" ], | |||
src/http-handler.js
Outdated
| import { packageIdentifier } from './util'; | ||
|
|
||
| export const errorCodes = { | ||
| NO_BODY_PARSER: 'SLACKEVENTMIDDLEWARE_NO_BODY_PARSER', |
src/http-handler.js
Outdated
|
|
||
| export const errorCodes = { | ||
| NO_BODY_PARSER: 'SLACKEVENTMIDDLEWARE_NO_BODY_PARSER', | ||
| SIGNATURE_VERIFICATION_FAILURE: 'SLACKMESSAGEMIDDLEWARE_REQUEST_SIGNATURE_VERIFICATION_FAILURE', |
There was a problem hiding this comment.
SLACKMESSAGEMIDDLEWARE -> SLACKHTTPHANDLER for consistency
src/http-handler.js
Outdated
| const debug = debugFactory('@slack/events-api:http-handler'); | ||
|
|
||
| export function createHTTPHandler(adapter) { | ||
| // Removed middlewareOptions because no next() -- is this okay? |
There was a problem hiding this comment.
i think yes, because propogateErrors is no longer an option, so it doesn't have a purpose. can be introduced later in a backwards-compatible way.
| try { | ||
| if (adapter.waitForResponse) { | ||
| adapter.emit('error', error, respond); | ||
| } else if (process.env.NODE_ENV === 'development') { |
| .end(function (err, res) { | ||
| assert(err instanceof Error); | ||
| assert.equal(res.statusCode, 500); | ||
| assert.equal(res.statusCode, 404); |
|
fixes #36 |
| // *** Initialize event adapter using verification token from environment variables *** | ||
| const slackEvents = slackEventsApi.createSlackEventAdapter(process.env.SLACK_VERIFICATION_TOKEN, { | ||
| // *** Initialize event adapter using signing secret from environment variables *** | ||
| const slackEvents = slackEventsApi.createSlackEventAdapter(process.env.SIGNING_SECRET, { |
There was a problem hiding this comment.
we should also update the package.json of this example to reference the yet-to-be-published v2.0.0 so that this actually runs.
package.json
Outdated
| @@ -33,7 +32,7 @@ | |||
| "babel-plugin-system-import-transformer": "^2.4.0", | |||
There was a problem hiding this comment.
should prob remove this and the devDep above it. we're no longer using system import or dynamic import anywhere, right?
shaydewael
force-pushed
the
express_decoupling
branch
from
f12d763
to
a599948
Compare
Summary
Addresses #57 and decouples the adapter from express.
Creates a breaking change that adds support for signing secrets (https://api.slack.com/docs/verifying-requests-from-slack) over legacy verification tokens.
This also decouples the adapter from express, which includes adding parsing on the adapter level and refactoring express-middleware.js into http-handler.
Requirements (place an
xin each[ ])