slackapi / bolt-python

A framework to build Slack apps using Python
https://slack.dev/bolt-python/
MIT License

Socket Mode and Signing Secret required? #1010

Closed RScicomp closed 6 months ago

RScicomp commented 6 months ago

Hi! New to slack-bolt, I had a general question about Socket Mode and signing secrets:

When reading the code behind app.py using Socket Mode I saw the comment:

    `RequestVerification` is a built-in middleware that verifies the signature in HTTP Mode requests.
    Make sure if it's safe enough when you turn a built-in middleware off.
    We strongly recommend using RequestVerification for better security.
    If you have a proxy that verifies request signature in front of the Bolt app,
    it's totally fine to disable RequestVerification to avoid duplication of work.
    Don't turn it off just for easiness of development.

Does this mean that signing secrets aren't used in Socket Mode? In general I see in examples that there are no RequestVerification / SignatureVerification calls - can I assume that slack-bolt takes care of that when you declare an App class?

Another question I have is, say I do:

@app.message(".*")
def message_handler(client, ack, message, say):
    say("hi")

Is the middleware checking if the sender is actually Slack using the signature each time this function runs?

If not, is there a way to do so, in particular with Socket Mode?

seratch commented 6 months ago

Hi @RScicomp, thanks for asking questions!

Does this mean that Signing secrets aren't used in SocketMode?

Yes, it does. With Socket Mode, your app communicates with Slack over a securely established WebSocket connection. So, unlike the HTTP requests to a publicly accessible endpoint, there is no need to verify a request signature. You can still pass a signing secret string when initializing an app, but it actually won't be used, as you observed.

Is the middleware checking if the sender is actually slack using the signature each time this function runs? If not is there a way to do so, in particular with socketmode?

Yes, it is for Request URL style. As for Socket Mode, you don't need to worry about it for the above reason.

I hope this clarifies.
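For readers who want to see what the HTTP-mode check discussed above actually does, here is an added example (not bolt-python's own middleware code) that recomputes Slack's v0 request signature, an HMAC-SHA256 over `v0:<timestamp>:<raw body>` keyed with the signing secret, and rejects stale timestamps. The secret, timestamp and body values are constructed for illustration; under Socket Mode none of this runs, for the reason given in the answer.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Slack's documented replay window: reject requests whose timestamp is
# more than five minutes away from the receiver's clock.
MAX_CLOCK_SKEW_SECONDS = 5 * 60


def compute_signature(signing_secret: str, timestamp: str, body: str) -> str:
    """Slack's v0 signature: HMAC-SHA256 over 'v0:<timestamp>:<raw body>'."""
    base_string = f"v0:{timestamp}:{body}".encode("utf-8")
    digest = hmac.new(signing_secret.encode("utf-8"), base_string, hashlib.sha256).hexdigest()
    return f"v0={digest}"


def is_valid_request(signing_secret: str, headers: Dict[str, str], body: str,
                     now: Optional[float] = None) -> bool:
    """Verify an inbound HTTP-mode request the way a signature middleware does.

    `body` must be the raw request body exactly as received; re-serialising
    parsed JSON changes bytes and breaks the check.
    """
    timestamp = headers.get("X-Slack-Request-Timestamp", "")
    received_sig = headers.get("X-Slack-Signature", "")
    if not timestamp.isdigit() or not received_sig:
        return False
    # Replay protection: a captured request cannot be resent much later.
    current = time.time() if now is None else now
    if abs(current - int(timestamp)) > MAX_CLOCK_SKEW_SECONDS:
        return False
    expected = compute_signature(signing_secret, timestamp, body)
    # Constant-time comparison avoids leaking the secret via timing.
    return hmac.compare_digest(expected, received_sig)


if __name__ == "__main__":
    # Constructed sample values; a real app reads the secret from its config.
    secret = "example-signing-secret"
    ts = "1700000000"
    raw_body = '{"type":"event_callback","event":{"type":"message","text":"hi"}}'
    good_headers = {
        "X-Slack-Request-Timestamp": ts,
        "X-Slack-Signature": compute_signature(secret, ts, raw_body),
    }
    print(is_valid_request(secret, good_headers, raw_body, now=1700000010))        # True
    print(is_valid_request(secret, good_headers, raw_body, now=1700009999))        # False: replayed too late
    print(is_valid_request(secret, good_headers, raw_body + " ", now=1700000010))  # False: body altered
```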

RScicomp commented 6 months ago

Yes, that helps a lot, thanks for the clarification!