Decouples Express and adds request signing verification support #59
Codecov Report
@@ Coverage Diff @@
## master #59 +/- ##
==========================================
+ Coverage 94.26% 95.48% +1.22%
==========================================
Files 4 4
Lines 122 133 +11
==========================================
+ Hits 115 127 +12
+ Misses 7 6 -1
README.md
Outdated
@@ -127,6 +125,8 @@ http.createServer(app).listen(port, () => { | |||
}); | |||
``` | |||
|
|||
> ⚠️ As of `v2.0.0`, the Events API adapter parses raw request bodies while performing request signing verification. This means developers no longer need to use `body-parser` middleware to parse urlencoded requests. |
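Review bot: the README warning does not say what happens if an app still mounts `body-parser` ahead of the adapter. Because the adapter now parses the raw request body while verifying the signature, add a sentence telling developers whether upstream body-parsing middleware must be removed from the adapter's route or is tolerated.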
last few words -> parse JSON-encoded requests
@@ -1,6 +1,6 @@ | |||
{ | |||
"parser": "babel-eslint", | |||
"extends": [ "airbnb" ], | |||
"extends": [ "airbnb-base" ], |
YAAAS
src/http-handler.js
Outdated
import { packageIdentifier } from './util'; | ||
|
||
export const errorCodes = { | ||
NO_BODY_PARSER: 'SLACKEVENTMIDDLEWARE_NO_BODY_PARSER', |
remove this
src/http-handler.js
Outdated
|
||
export const errorCodes = { | ||
NO_BODY_PARSER: 'SLACKEVENTMIDDLEWARE_NO_BODY_PARSER', | ||
SIGNATURE_VERIFICATION_FAILURE: 'SLACKMESSAGEMIDDLEWARE_REQUEST_SIGNATURE_VERIFICATION_FAILURE', |
`SLACKMESSAGEMIDDLEWARE` -> `SLACKHTTPHANDLER` for consistency
src/http-handler.js
Outdated
const debug = debugFactory('@slack/events-api:http-handler'); | ||
|
||
export function createHTTPHandler(adapter) { | ||
// Removed middlewareOptions because no next() -- is this okay? |
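Review bot: the comment `// Removed middlewareOptions because no next() -- is this okay?` in `createHTTPHandler` is an open question to reviewers and should not land in the source. Once it is answered in review, replace it with a statement of the decision or drop it.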
i think yes, because `propogateErrors` is no longer an option, so it doesn't have a purpose. can be introduced later in a backwards-compatible way.
try { | ||
if (adapter.waitForResponse) { | ||
adapter.emit('error', error, respond); | ||
} else if (process.env.NODE_ENV === 'development') { |
good call!
.end(function (err, res) { | ||
assert(err instanceof Error); | ||
assert.equal(res.statusCode, 500); | ||
assert.equal(res.statusCode, 404); |
good call again!
fixes #36
// *** Initialize event adapter using verification token from environment variables *** | ||
const slackEvents = slackEventsApi.createSlackEventAdapter(process.env.SLACK_VERIFICATION_TOKEN, { | ||
// *** Initialize event adapter using signing secret from environment variables *** | ||
const slackEvents = slackEventsApi.createSlackEventAdapter(process.env.SIGNING_SECRET, { |
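Review bot: `process.env.SIGNING_SECRET` in the `createSlackEventAdapter` call lacks the `SLACK_` prefix that `SLACK_VERIFICATION_TOKEN` had, which makes it ambiguous next to other secrets in the same environment. Consider `SLACK_SIGNING_SECRET`, and have the example exit at startup with a clear message when the variable is unset instead of passing `undefined` to the adapter.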
we should also update the `package.json` of this example to reference the yet-to-be-published v2.0.0 so that this actually runs.
package.json
Outdated
@@ -33,7 +32,7 @@ | |||
"babel-plugin-system-import-transformer": "^2.4.0", |
should prob remove this and the devDep above it. we're no longer using system import or dynamic import anywhere, right?
f12d763 to a599948
Summary
Addresses #57 and decouples the adapter from express.
Creates a breaking change that adds support for signing secrets (https://api.slack.com/docs/verifying-requests-from-slack) over legacy verification tokens.
This also decouples the adapter from express, which includes adding parsing on the adapter level and refactoring express-middleware.js into http-handler.
Requirements (place an `x` in each `[ ]`)
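Added example (not code from this pull request or the project): a minimal Node.js check of Slack's v0 request signature as described in the verification docs linked in the summary, showing why the handler has to verify against the raw body before any JSON parsing. `verifySlackRequest`, its reason strings and all sample values are constructed for illustration.

```javascript
const crypto = require('crypto');

const MAX_SKEW_SECONDS = 60 * 5; // replay window from Slack's verification docs

// Signature over the exact bytes Slack sent: v0=<hex HMAC-SHA256 of "v0:<ts>:<body>">.
function computeSignature(signingSecret, timestamp, rawBody) {
  return 'v0=' + crypto.createHmac('sha256', signingSecret)
    .update(`v0:${timestamp}:${rawBody}`)
    .digest('hex');
}

// verifySlackRequest is a hypothetical helper; headers use Node's lower-cased names.
function verifySlackRequest(signingSecret, headers, rawBody, nowSeconds) {
  const timestamp = headers['x-slack-request-timestamp'];
  const received = headers['x-slack-signature'];
  if (!signingSecret) return { ok: false, reason: 'no-secret' };
  if (!timestamp || !received) return { ok: false, reason: 'missing-headers' };
  if (!/^\d+$/.test(timestamp)) return { ok: false, reason: 'bad-timestamp' };
  if (Math.abs(nowSeconds - Number(timestamp)) > MAX_SKEW_SECONDS) {
    return { ok: false, reason: 'stale' }; // replayed or badly skewed request
  }
  const expected = Buffer.from(computeSignature(signingSecret, timestamp, rawBody));
  const actual = Buffer.from(received);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (actual.length !== expected.length || !crypto.timingSafeEqual(actual, expected)) {
    return { ok: false, reason: 'mismatch' };
  }
  return { ok: true, reason: null };
}

// Constructed sample request; the secret and payload are made up.
const SAMPLE_SECRET = 'constructed-signing-secret';
const SAMPLE_TS = '1531420618';
const SAMPLE_NOW = Number(SAMPLE_TS) + 10;
const SAMPLE_BODY = '{"type":"url_verification","challenge":"constructed"}';
const SAMPLE_HEADERS = {
  'x-slack-request-timestamp': SAMPLE_TS,
  'x-slack-signature': computeSignature(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_BODY),
};

// Same JSON, different bytes: what a handler sees if it re-serialises a parsed body.
const REPARSED_BODY = JSON.stringify(JSON.parse(SAMPLE_BODY), null, 2);

console.log(verifySlackRequest(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_NOW));
console.log(verifySlackRequest(SAMPLE_SECRET, SAMPLE_HEADERS, REPARSED_BODY, SAMPLE_NOW));
console.log(verifySlackRequest(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_NOW + 600));
```

The second call fails with `mismatch` even though the JSON is semantically identical, which is the reason parsing moves into the adapter after verification.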