Add support for request signing #57
Comments
just wanted to drop a proposal for the concrete implementation changes we could do to add this feature, and to address #31.
|
another question is how we'd change the constructor's signature in order to support request signing. i believe the currently favored approach looks like the following: using request signing (preferred): const slackInteractions = createMessageAdapter(signingSecret, { verificationMethod: 'requestSignature' }); using a verification token (legacy): const slackInteractions = createMessageAdapter(verificationToken); in the legacy version, leaving out the const slackInteractions = createMessageAdapter(verificationToken, { verificationMethod: 'token' }); i'd like to propose an alternative to the above. using request signing (preferred): const slackInteractions = createMessageAdapter({ signingSecret }); using a verification token (legacy): const slackInteractions = createMessageAdapter(verificationToken); in the legacy version, using a string as the first argument is equivalent to passing in an object with the key const slackInteractions = createMessageAdapter({ verificationToken }); i think the latter proposal is a little more concise and clear. the first argument always completely describes the verification technique, and its required. in fact, there's room (although i'm not sure theres a motivation) to support using both request signing and verification token but simply setting both keys. |
@Roach and I discussed another possibility for allowing the signing secret: keep the first parameter as a string, then create an optional flag const slackInteractions = createMessageAdapter(signingSecret, { disallowVerificationToken: true }); In this case, we would first attempt to verify the signature with the passed string, assuming it's a signing secret. This step is always done. If the verification fails, then we check if the optional flag is set. If If I'm okay with the other proposal you sent, but it seems weird for the default verification method to be in an object, and forces us to keep that constructor signature even after verification tokens are deprecated in the future. |
as far as i can tell, that proposal is roughly equivalent to the first proposal except:
IMHO, both of these have negative consequences that make the solution worse. using a boolean means there's only two discrete values, while i think the last proposal is still roughly equivalent to the first, i think my second proposal still has some strengths over both.
|
okay lets put some names on these proposals so we can talk about them. proposal a: the one with proposal b: the one with proposal c: the one with while we're enumerating ideas, here's another one to put on the table. proposal YOLO: major version bump and only accept the signing secret! also gives us a chance to rename |
Addressed with v1.0.0 🎉 |
Description
Request signing went live and we should add support into our SDKs. https://api.slack.com/docs/verifying-requests-from-slack
What type of issue is this? (place an
x
in one of the[ ]
)Requirements
The text was updated successfully, but these errors were encountered: