Option to disable signature verification

[meetmangukiya]

Description

Option to disable signature verification. This will be particularly useful for running tests and should be used only for tests. Since signature verification in production is a security feature.

What type of issue is this? (place an x in one of the [ ])

• bug
• enhancement (feature request)
• question
• documentation related
• testing related
• discussion

Requirements (place an x in each of the [ ])

• I've read and understood the Contributing guidelines and have done my best effort to follow them.
• I've read and agree to the Code of Conduct.
• I've searched for any related issues and avoided creating a duplicate issue.

Example usage:

import chaiHttp from 'chai-http'
import App from './app'
import chai from 'chai'
import sinon from 'sinon';
import sinonChai from 'sinon-chai';

chai.use(chaiHttp);
chai.use(sinonChai);

const dummyData = {};

describe('slack message test', () => {
  it('should say hey', async () => {
    const fake = sinon.fake.resolves({ ok: true, ...otherResponseProps });
    sinon.replace(App.client, 'postMessage', fake);
    await chai.request(App.receiver.app).post('/slack/events').send({...dummyData});
    expect(fake).to.have.been.calledWith(...);
  })
})

This currently doesn't work since the verification middleware wouldn't call the next middleware since the verification would fail. And I wasn't able to replace the verifySignatureAndParseRawBody with a fake. I will give some more tries. But maybe it is just easier to allow disabling this middleware from app options?

[meetmangukiya]

Wasn't able to replace it. Ended up computing the signature and sending that header.

Need to add headers x-slack-request-timestamp(unix timestamp in seconds, should be within last 5 minutes for successful verification) and x-slack-signature. Signature can be computed as

const computeSignature = (
  version: string,
  data: string,
  timestamp: number,
  signingSecret: string
) => {
  const hmac = crypto.createHmac('sha256', signingSecret);
  hmac.update(`${version}:${timestamp}:${data}`);
  return `${version}=${hmac.digest('hex')}`;
};

Current version is v0 it seems. data has to be the request body. JSON data, but stringified.

[seratch]

Wasn't able to replace it. Ended up computing the signature and sending that header.

Yes, currently it's not possible to replace/disable the logic from ExpressReceiver. The only way to write valid tests is, as you did, to have some code populating x-slack-signature header in requests.

Also, I agree that this project can improve the module structure to support better and easier ways to write unit tests.

[seratch]

Recently, we've implemented the feature to turn the verification off in the Java SDK.

• Allow removing default middleware in Bolt java-slack-sdk#689
• Fix #689 by adding flags in AppConfig java-slack-sdk#690
• https://slack.dev/java-slack-sdk/guides/bolt-basics#customize-the-built-in-middleware-list

We can consider adding something similar in Bolt for JS too.