
Slack Commands cause InvalidSignature

dombarnes opened this issue 2 years ago • 2 comments

Slack Command POSTs get sent as form-urlencoded content, which, when read by Rack, is converted to params. Once the body is read by Rack, it's empty. As per https://github.com/slack-ruby/slack-ruby-bot-server-events/blob/master/lib/slack-ruby-bot-server/api/endpoints.rb, this expects a JSON format, and as a result of the urlencoded params being stripped from the body and set as params, the body is nil, so when verify! is called, it produces a mismatching HMAC signature.

I've monkey-patched this with the following (I'm not using the Request class for anything else in my project, so it's no concern that it breaks other uses; yeah, it's terribly hacky), taking params, re-encoding them, and then passing that for validation. From https://github.com/slack-ruby/slack-ruby-client/blob/master/lib/slack/events/request.rb

```ruby
require 'openssl'
require 'uri'

# Reopens Slack::Events::Request from slack-ruby-client and overrides valid?
# so the signature basestring is built from the (already parsed) form params,
# re-encoded as application/x-www-form-urlencoded, instead of the raw body
# that Rack has already consumed. signing_secret, version, timestamp,
# signature, http_request and MissingSigningSecret are the ones defined by
# the original class.
module Slack
  module Events
    class Request
      def valid?
        raise MissingSigningSecret unless signing_secret

        digest = OpenSSL::Digest.new('SHA256')
        # Rebuild the body from the parsed params; this only matches if the
        # re-encoding is byte-for-byte identical to what Slack sent.
        params = URI.encode_www_form(http_request.params)
        signature_basestring = [version, timestamp, params].join(':').encode('utf-8')
        hex_hash = OpenSSL::HMAC.hexdigest(digest, signing_secret, signature_basestring)
        computed_signature = [version, hex_hash].join('=')
        computed_signature == signature
      end
    end
  end
end
```

dombarnes, Jun 23 '23 14:06
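The failure described above, reproduced as an added example that is not part of the original issue or of either slack-ruby gem: a Rack-style form parser drains `rack.input`, a naive verifier that then reads the stream hashes an empty body and the HMAC no longer matches, while a verifier that rewinds the stream and hashes the raw bytes (plus a timestamp freshness check and a constant-time compare) succeeds. It also shows why re-encoding parsed params, as in the monkey-patch, is fragile: `URI.encode_www_form` does not necessarily reproduce the original body byte for byte. The signing secret, headers and body are constructed sample values.

```ruby
require 'openssl'
require 'stringio'
require 'uri'

# Constructed sample secret; not a real Slack signing secret.
SIGNING_SECRET = '8f742231b10e8888abcd99yyyzzz85a5'

# Slack's scheme: signature = "v0=" + hex(HMAC-SHA256(secret, "v0:<timestamp>:<raw body>")).
def slack_signature(secret, timestamp, raw_body)
  basestring = ['v0', timestamp.to_s, raw_body].join(':')
  'v0=' + OpenSSL::HMAC.hexdigest('SHA256', secret, basestring)
end

# Constant-time comparison so a mismatch position is not leaked via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a request from a Rack-style env hash: reject stale timestamps (replay),
# rewind rack.input before reading it, and hash exactly the bytes Slack sent.
def verify_slack_request(env, secret, now: Time.now.to_i, max_age: 300)
  timestamp = env['HTTP_X_SLACK_REQUEST_TIMESTAMP'].to_s
  signature = env['HTTP_X_SLACK_SIGNATURE'].to_s
  return :stale if timestamp !~ /\A\d+\z/ || (now - timestamp.to_i).abs > max_age

  input = env['rack.input']
  input.rewind              # a form parser may already have drained the stream
  raw_body = input.read
  input.rewind              # leave the body readable for downstream handlers
  secure_equal?(slack_signature(secret, timestamp, raw_body), signature) ? :ok : :invalid
end

# Does decoding the body to params and re-encoding it reproduce the same bytes?
# False means a verifier built on re-encoded params would compute a different HMAC.
def reencode_roundtrips?(raw_body)
  URI.encode_www_form(URI.decode_www_form(raw_body)) == raw_body
end

# Walk through the issue: parse the form body first (as Rack does), then verify.
def demo
  raw_body = 'token=xyz&team_id=T0001&command=%2Fweather&text=94070' # constructed
  ts = 1_687_530_000
  env = {
    'HTTP_X_SLACK_REQUEST_TIMESTAMP' => ts.to_s,
    'HTTP_X_SLACK_SIGNATURE' => slack_signature(SIGNING_SECRET, ts, raw_body),
    'rack.input' => StringIO.new(raw_body)
  }

  # Simulate Rack's form parser consuming rack.input before the verifier runs.
  params = URI.decode_www_form(env['rack.input'].read).to_h
  consumed = env['rack.input'].read                       # "" : stream is at EOF
  naive_match = slack_signature(SIGNING_SECRET, ts, consumed) == env['HTTP_X_SLACK_SIGNATURE']

  { params: params, naive_match: naive_match, rewound: verify_slack_request(env, SIGNING_SECRET, now: ts) }
end

if __FILE__ == $PROGRAM_NAME
  p demo
  p reencode_roundtrips?('a=1&b=x+y')           # true
  p reencode_roundtrips?('text=hello%20world')  # false: re-encoded as hello+world
end
```

The verifier never reconstructs the body from params; it hashes the bytes on the wire, which is the only input the HMAC is defined over. The round-trip check is the caveat for the monkey-patch: `%20` decodes to a space and re-encodes as `+`, so a request whose body uses `%20` (or any other non-canonical but valid encoding) would be rejected even though Slack signed it correctly.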

I just ran into this too. The sample app works out of the box and has no issues with signature verification. As soon as I tried upgrading the slack-ruby-bot-server version in that app to the latest 2.x from the original 1.x, it started failing.

artrybalko, Sep 27 '23 18:09

This issue was fixed for me by upgrading to slack-ruby-client 2.3.0. See the related issue here: https://github.com/slack-ruby/slack-ruby-client/issues/506 :)

dedman, Feb 28 '24 11:02