Add support for Slack shared secret message signing #30
DeprecationWarning: Deprecated, use aiohttp_server fixture instead DeprecationWarning: Deprecated, use aiohttp_client fixture instead
@@ -74,8 +124,8 @@ def find_bot_id_query(): | |||
The Travis black failure is coming from line 117, which isn't even changed in my commit:
- "updated": 1502138686,
+ "updated": 1_502_138_686,
(This issue didn't show up when running tox locally)
I don't recall black formatting number that way. It's probably due to a newer version.
Travis succeeded for everything except Python 2.6, however that matches the pattern from the Travis run a few days ago on commit 10656ed: The error specifically has to do with a failure to
Looks very good. Thanks for this. I'll take a deeper look & do some tests as soon as possible. The failure is due to
Two small things and then we can
else: | ||
verification_token = slack.verify | ||
event = Event.from_http(payload, verification_token=verification_token) | ||
except (FailedVerification, InvalidSlackSignature, InvalidTimestamp): |
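Review bot: the `else:` branch assigns `verification_token = slack.verify` to a new local, but nothing in the hunk says what the other branch sets it to or why the local exists. Add a short comment above the branch stating which check applies on each path, so a later cleanup does not collapse the call back to `verification_token=slack.verify` and bring the token check back on the signed path.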
That code is used in multiple endpoints. It would be best to take it out into a function, something like
try:
    validate_request(request, slack.signing_secret)
    event = Event.from_http(payload, verification_token=slack.verify)
except (FailedVerification, InvalidSlackSignature, InvalidTimestamp):
I chose to explicitly keep verification_token as a new variable so the token we're passing into Event is explicitly None when the signing_secret is set. This way we're not relying on the initialization behavior in slack/plugin.py. If we wanted to rely on no one tampering with the slack.verify parameter then we could just call validate_request_signature rather than wrapping it in a validate_request function.
Disables verification tokens if provided.
* This failure didn't show up locally, just on Travis
Support was added to the underlying Slack library in pyslackers/slack-sansio#41
It is the recommended way to verify requests from Slack now:
https://api.slack.com/docs/verifying-requests-from-slack
Also when running the tests I ran into aio-libs/aiohttp#2578 so I fixed those deprecation warnings.
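The signing-secret check this pull request wires in, following the scheme in the Slack documentation linked above, as an added example that is not code from this pull request or from slack-sansio. The function names, exception names and sample values are hypothetical, and `headers` is assumed to be a mapping keyed by the exact header names shown.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 60 * 5  # replay window from the Slack documentation


class StaleTimestamp(Exception):
    """Hypothetical: timestamp header missing, malformed or outside the window."""


class SignatureMismatch(Exception):
    """Hypothetical: computed signature differs from X-Slack-Signature."""


def compute_signature(signing_secret: str, timestamp: str, raw_body: bytes) -> str:
    # Base string is "v0:<timestamp>:<raw body>", signed with HMAC-SHA256.
    base = b"v0:" + timestamp.encode("ascii") + b":" + raw_body
    digest = hmac.new(signing_secret.encode("utf-8"), base, hashlib.sha256)
    return "v0=" + digest.hexdigest()


def verify_slack_request(signing_secret, headers, raw_body, now=None):
    """Return True for a fresh, correctly signed request; raise otherwise."""
    now = time.time() if now is None else now
    timestamp = headers.get("X-Slack-Request-Timestamp", "")
    # Reject empty, signed and non-ASCII values before calling int().
    if not (timestamp.isascii() and timestamp.isdigit()):
        raise StaleTimestamp(timestamp)
    if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        raise StaleTimestamp(timestamp)
    expected = compute_signature(signing_secret, timestamp, raw_body)
    received = headers.get("X-Slack-Signature", "")
    # Constant-time comparison. raw_body must be the bytes as received,
    # not a re-serialised form of the parsed payload.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        raise SignatureMismatch()
    return True


# Constructed sample request: secret, timestamp and body are made up.
SAMPLE_SECRET = "constructed-signing-secret"
SAMPLE_BODY = b"token=x&team_id=T0001&text=hello"
SAMPLE_TS = "1531420618"
SAMPLE_HEADERS = {
    "X-Slack-Request-Timestamp": SAMPLE_TS,
    "X-Slack-Signature": compute_signature(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_BODY),
}
```
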