authorize function doesn't get triggered

[goldylucks]

Description

I provided an authorize function to the app and it doesn't get called and I get signature errors.

What type of issue is this? (place an x in one of the [ ])

• bug
• enhancement (feature request)
• question
• documentation related
• example code related
• testing related
• discussion

Requirements (place an x in each of the [ ])

• I've read and understood the Contributing guidelines and have done my best effort to follow them.
• I've read and agree to the Code of Conduct.
• I've searched for any related issues and avoided creating a duplicate issue.

---

Bug Report

Filling out the following details about bugs will help us solve your issue sooner.

Reproducible in:

package version:

node version: 16

OS version(s): macOS monterey 12.2.1

Steps to reproduce:

const { App, ExpressReceiver } = require("@slack/bolt")

const receiver = new ExpressReceiver({
  signingSecret: process.env.SLACK_SIGNING_SECRET,
})

  const app = new App({
    receiver,
    authorize,
  })

app.start(3000)

app.message(someFn)

async function authorize() {
  console.log('authorize been called')
  return {
      botToken: "junk test token",
      botId: "junk bot id",
      botUserId: "junk bot user id",
    }
}

then make a request to /slack/events and see no console message and this:

Request verification failed (code: slack_bolt_receiver_authenticity_error, message: Slack request signing verification failed. Some headers are missing.)

I also tried to implement the headers myself based on the docs:

const hmacSHA256 = require("crypto-js/hmac-sha256")
const Base64 = require("crypto-js/enc-base64")
const { initApp, receiver } = require("../../../init-app")
const request = require("supertest")
const db = require("../../../db/db")

let app

beforeEach(async () => {
  app = await initApp()
})

afterEach(async () => {
  app.stop()
})

it("works", async () => {
  const timestamp = Date.now()
  const strToHash = `v0:${timestamp}:command=/weather`
  const hashed = hmacSHA256(strToHash, process.env.SLACK_SIGNING_SECRET)
  const hashed64 = Base64.stringify(hashed)
  const response = await request(receiver.app)
    .post("/slack/events")
    .send("command=/weather")
    .set("Accept", "application/json")
    .set("X-Slack-Request-Timestamp", timestamp)
    .set("X-Slack-Signature", hashed64)
  // console.log(response)
})

but then I see signature mismatch error

Expected result:

see the console log and be authorized to make requests.

Actual result:

auth error

[seratch]

Hi @goldylucks, thanks for asking the question!

I've verified if I can see the same situation on my end but my bolt-js app works without this error.

The error message you've faced indicates that your SLACK_SIGNING_SECRET value is incorrect. It may not be the one of the Slack app that you're running. Otherwise, your env variable may not be exactly the same with the correct one on https://api.slack.com/apps .

Can you make sure if your app are using the valid signing secret again?

[goldylucks]

Thanks for the prompt response!

1. the signing secret is indeed correct, it's the same one I use for production and it works (here I'm trying to run tests)
2. in anyway, the console log doesn't get called, and the authorize method doesn't work, cuz I'm overriding it so it shouldn't care about the secret anyway no?

[goldylucks]

basically I'm trying to mimic a slack interaction/msg/event from a test, so any way to make it work is fine with me

[seratch]

The built-in signature verification is done before your authorize. If invalid data is detected, bolt-js skips running the rest of the middleware. This is why you don't see your console outputs.

mimic a slack interaction/msg/event from a test

As for testing, one of other maintainers already answered here, writing tests to pass event payloads to your App instance with mock objects (for WebClient etc.) is the current recommendation. We are planning to work on better testing tool support sometime soon but we cannot tell when the module will be available yet.

I hope you will find a reasonable solution for your app testing.

By the way, your original question here is:

authorize function doesn't get triggered

I believe that the first sentence in this response should be the answer for it. Do we have anything further to discuss here?

[goldylucks]

yes I saw the other response but it's for unit testing and I prefer E2E, i.e. trigger the http call itself.

can you tell me what I'm doing wrong in my function to generate the signature?

[filmaj]

@goldylucks a few things:

• For your code doing manual request signature verification, the timestamp returned by Date.now() returns the number of milliseconds from Jan 1, 1970. In the step-by-step walkthrough of request verification documentation, it seems like timestamps in the X-Slack-Request-Timestamp header are described by number of seconds since epoch. So you probably want to use something like Math.floor(Date.now() / 1000) instead.
• Have you tried setting signatureVerification to false in your ExpressReceiver constructor? Perhaps that could help you short circuit the entire verification process. If not and you wish to continue reverse-engineering the request verification process, I would suggest you trace the code through ExpressReceiver's buildVerificationBodyParserMiddleware method to see how it is all done, and your test script can perhaps work backwards from that.

Hope this is helpful. If there is nothing else in this issue to address, please kindly close the issue. Otherwise, we are here to help.

[goldylucks]

yes yes, the boolean works perfectly! ❤️