Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add volunteer-near slash address #70

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Add volunteer-near slash address #70

wants to merge 2 commits into from

Conversation

daniel-j-pease
Copy link

Feedback very extremely welcome!

ktomanelli
ktomanelli reviewed Sep 27, 2020
View reviewed changes
Copy link
Collaborator

@ktomanelli ktomanelli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Only thing I'd say is to add a check to verify the post request is coming from slack and not someone else.

You can verify with this function:
const slackConf = req => { const reqBody = qs.stringify(req.body, { format: 'RFC1738' }); const timeStamp = req.headers['x-slack-request-timestamp']; const slackSig = req.headers['x-slack-signature']; if (Math.abs(Math.floor(Date.now() / 1000) - timeStamp) > 300) { return false; } const baseString = v0:${timeStamp}:${reqBody}; const mySecret = v0=${crypto
.createHmac('sha256', slackSecret)
.update(baseString)
.digest('hex')}`;

if (
crypto.timingSafeEqual(
Buffer.from(mySecret, 'utf8'),
Buffer.from(slackSig, 'utf8')
)
) {
return true;
}
return false;
};`
You'll need to require crypto, and qs as well as have the slack signing secret and slack token.

Here's the doc page I used to make it a while ago: https://api.slack.com/authentication/verifying-requests-from-slack.

@daniel-j-pease
Copy link
Author

Looks good! Only thing I'd say is to add a check to verify the post request is coming from slack and not someone else.

You can verify with this function:
const slackConf = req => { const reqBody = qs.stringify(req.body, { format: 'RFC1738' }); const timeStamp = req.headers['x-slack-request-timestamp']; const slackSig = req.headers['x-slack-signature']; if (Math.abs(Math.floor(Date.now() / 1000) - timeStamp) > 300) { return false; } const baseString = v0:${timeStamp}:${reqBody}; const mySecret = v0=${crypto
.createHmac('sha256', slackSecret)
.update(baseString)
.digest('hex')}`;

if (
crypto.timingSafeEqual(
Buffer.from(mySecret, 'utf8'),
Buffer.from(slackSig, 'utf8')
)
) {
return true;
}
return false;
};`
You'll need to require crypto, and qs as well as have the slack signing secret and slack token.

Here's the doc page I used to make it a while ago: https://api.slack.com/authentication/verifying-requests-from-slack.

Makes sense thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ktomanelli ktomanelli ktomanelli left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@daniel-j-pease @ktomanelli