slackapi / java-slack-sdk

Slack Developer Kit (including Bolt for Java) for any JVM language
https://slack.dev/java-slack-sdk/
MIT License

Add documentation for using the `SlackSignature` verifier from `app_backend` with specific Java requirements #1290

Open vigenere23 opened 4 months ago

vigenere23 commented 4 months ago
  1. There seems to be no documentation about how to verify requests using the Java SDK. The only documentation found is the general info.
  2. When trying to verify a Slack incoming request, we need to pass in the full URL-encoded body. However, the Java standard library does not URL-encode the asterisk character *, thus resulting in an automatic failure if present in the payload. A notice or warning about how to correctly handle that would save some time.

The page URLs

No pages - to add in a new example or page.

Requirements

  1. Indicate that the app_backend module contains a helper to validate incoming Slack requests
  2. For Spring use, indicate that receiving a ContentCachingRequestWrapper allows for reading a raw request body, else it will be automatically deserialized.
  3. When calling the SlackSignature.Verifier method, indicate that the payload must be URL-encoded, including for asterisk, and that there may be a need to encode the * character manually (to %2A).

seratch commented 4 months ago

Hi @vigenere23, thanks for taking the time to share this feedback! This is why we recommend going with a simple WebServlet even in a Spring Boot app like this: https://slack.dev/java-slack-sdk/guides/supported-web-frameworks#spring-boot However, the document page does not clearly mention why the example is a simple servlet. We will update the page with clearer information soon. Thanks again for writing in!

vigenere23 commented 4 months ago

In the provided example, when and how is the request validated? I think that could be shown too.
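
Added example, not part of the thread and not the SDK's own code: a standard-library sketch of Slack's v0 request signature check, showing why a body rebuilt with `java.net.URLEncoder` fails verification when the payload contains `*`, as the issue describes. The class name, signing secret, timestamp and request body are constructed for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class SlackSignatureDemo {
    // Slack v0 scheme: "v0=" + hex(HMAC-SHA256(signingSecret, "v0:" + timestamp + ":" + rawBody))
    static String sign(String secret, String timestamp, String body) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        byte[] digest = mac.doFinal(("v0:" + timestamp + ":" + body).getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder("v0=");
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Fails closed on a malformed or stale timestamp (5-minute replay window), then compares in constant time.
    static boolean isValid(String secret, String timestamp, String body, String header, long nowEpochSec) throws Exception {
        long ts;
        try { ts = Long.parseLong(timestamp); } catch (NumberFormatException e) { return false; }
        if (Math.abs(nowEpochSec - ts) > 300) return false;
        return MessageDigest.isEqual(
                sign(secret, timestamp, body).getBytes(StandardCharsets.UTF_8),
                header.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        String secret = "constructed-signing-secret";               // constructed, not a real secret
        long now = 1700000000L;                                     // constructed clock value
        String ts = Long.toString(now);                             // stands in for X-Slack-Request-Timestamp
        String rawBody = "user_id=U0000000&text=%2Ahello%2A+world"; // constructed body, exactly as sent on the wire
        String header = sign(secret, ts, rawBody);                  // stands in for X-Slack-Signature

        // The framework has already parsed the form, so the body is rebuilt from decoded values.
        String text = URLDecoder.decode("%2Ahello%2A+world", StandardCharsets.UTF_8);
        String rebuilt = "user_id=U0000000&text=" + URLEncoder.encode(text, StandardCharsets.UTF_8);
        String patched = rebuilt.replace("*", "%2A");               // URLEncoder leaves '*' unescaped

        System.out.println("raw body           valid=" + isValid(secret, ts, rawBody, header, now));
        System.out.println("rebuilt  " + rebuilt + "  valid=" + isValid(secret, ts, rebuilt, header, now));
        System.out.println("patched  " + patched + "  valid=" + isValid(secret, ts, patched, header, now));
    }
}
```

Patching `*` only repairs this one difference; a rebuilt body can still diverge from the signed bytes in parameter order or in how other characters are escaped, so verifying the raw request body before any parsing is the more robust check.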