
I'm trying the new request verification process for Slack API on AWS Lambda but I can't produce a valid signature from a request.

  1. The example shown in https://api.slack.com/docs/verifying-requests-from-slack is for a slash command, but I'm using it for an event subscription, specifically a subscription to a bot event (app_mention). Does the new process support event subscriptions as well?

  2. If so, am I missing something?

Mapping template for the integration request in API Gateway. I can't get the raw request as the Slack documentation says, but I did my best like this:

{
  "body" : $input.body,
  "headers": {
    #foreach($param in $input.params().header.keySet())
    "$param": "$util.escapeJavaScript($input.params().header.get($param))" #if($foreach.hasNext),#end

    #end  
  }
}

My function for verification:

import hmac
from hashlib import sha256
from urllib.parse import urlencode

# logger, DECODED_SECRET, DECRYPTED_SECRET, REQ_KEYS and SLACK_API_VER are
# defined elsewhere in the Lambda module (not shown here).

def is_valid_request(headers, body):
    logger.info(f"DECODED_SECRET: {DECODED_SECRET}")
    logger.info(f"DECRYPTED_SECRET: {DECRYPTED_SECRET}")

    # X-Slack-Request-Timestamp, looked up via REQ_KEYS
    timestamp = headers.get(REQ_KEYS['timestamp'])
    logger.info(f"timestamp: {timestamp}")

    # body arrives already parsed (the mapping template inserts $input.body
    # unquoted), so it is re-encoded here as application/x-www-form-urlencoded
    encoded_body = urlencode(body)
    logger.info(f"encoded_body: {encoded_body}")

    base_str = f"{SLACK_API_VER}:{timestamp}:{encoded_body}"
    logger.info(f"base_str: {base_str}")

    # HMAC-SHA256 over the base string; DECRYPTED_SECRET must be bytes
    base_b = bytes(base_str, 'utf-8')
    dgst_str = hmac.new(DECRYPTED_SECRET, base_b, digestmod=sha256).hexdigest()

    sig_str = f"{SLACK_API_VER}={dgst_str}"
    logger.info(f"signature: {sig_str}")

    # X-Slack-Signature, looked up via REQ_KEYS
    req_sig = headers.get(REQ_KEYS['sig'])
    logger.info(f"req_sig: {req_sig}")

    # constant-time comparison of the computed and received signatures
    logger.info(f"comparing: {hmac.compare_digest(sig_str, req_sig)}")
    return hmac.compare_digest(sig_str, req_sig)

Lambda log in CloudWatch. I can't show the values for security reasons, but it seems like each variable/constant has a reasonable value:

DECODED_SECRET: ...
DECRYPTED_SECRET: ...
timestamp: 1532011621
encoded_body: ...
base_str: v0:1532011621:token= ... &team_id= ... &api_app_id= ...
signature: v0=3 ...
req_sig: v0=1 ...
comparing: False

signature should match req_sig, but it doesn't. I guess there is something wrong with base_str = f"{SLACK_API_VER}:{timestamp}:{encoded_body}", I mean the concatenation or URL encoding of the request body, but I'm not sure. Thank you in advance!

kskkskksk

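For reference, an added example (not from the question or from Slack's own SDK) of the v0 verification scheme the question is about, applied to an Events API payload: the HMAC is computed over the exact body string Slack sent, the request timestamp is checked for staleness so a captured request cannot be replayed, and the comparison is constant-time. The signing secret and the JSON body are constructed for the example; it assumes the Lambda receives the untouched body string (as a Lambda proxy integration does in event["body"]), and demo() shows that a body re-encoded with urlencode() from the parsed JSON no longer verifies.

```python
import hmac
import json
import time
from hashlib import sha256
from urllib.parse import urlencode

# Constructed values for this example; not real credentials or a real Slack request.
SIGNING_SECRET = "example-signing-secret-not-real"
RAW_BODY = ('{"token":"xyz","team_id":"T123","api_app_id":"A123",'
            '"event":{"type":"app_mention","text":"<@U1> hi"},"type":"event_callback"}')
REQUEST_TS = 1532011621
MAX_AGE_SECONDS = 60 * 5  # window after which a request is treated as a replay


def compute_signature(signing_secret: str, timestamp: str, raw_body: str) -> str:
    """Build the v0 signature: HMAC-SHA256 over "v0:<timestamp>:<raw body>"."""
    base_string = f"v0:{timestamp}:{raw_body}"
    digest = hmac.new(signing_secret.encode("utf-8"), base_string.encode("utf-8"), sha256).hexdigest()
    return f"v0={digest}"


def is_valid_slack_request(headers, raw_body: str, signing_secret: str, now=None) -> bool:
    """Verify X-Slack-Signature against the exact body bytes Slack sent.

    raw_body must be the untouched request body (JSON for the Events API, form
    data for slash commands); re-encoding a parsed body changes the HMAC input."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    timestamp = lower.get("x-slack-request-timestamp")
    provided = lower.get("x-slack-signature")
    if not timestamp or not provided:
        return False
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    current = time.time() if now is None else now
    if abs(current - ts) > MAX_AGE_SECONDS:  # stale timestamp: likely a replayed request
        return False
    expected = compute_signature(signing_secret, timestamp, raw_body)
    return hmac.compare_digest(expected, provided)  # constant-time comparison


def demo():
    """Return (raw body verifies, re-encoded body verifies) for the sample request."""
    headers = {"X-Slack-Request-Timestamp": str(REQUEST_TS),
               "X-Slack-Signature": compute_signature(SIGNING_SECRET, str(REQUEST_TS), RAW_BODY)}
    reencoded = urlencode(json.loads(RAW_BODY))  # what urlencode(parsed_body) produces
    return (is_valid_slack_request(headers, RAW_BODY, SIGNING_SECRET, now=REQUEST_TS + 5),
            is_valid_slack_request(headers, reencoded, SIGNING_SECRET, now=REQUEST_TS + 5))
```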