Skip to content

Add volunteer-near slash address #70

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
daniel-j-pease wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Add volunteer-near slash address #70

daniel-j-pease wants to merge 2 commits into from

Conversation

@daniel-j-pease
Copy link

@daniel-j-pease daniel-j-pease commented Sep 26, 2020

Feedback very extremely welcome!

ktomanelli
ktomanelli reviewed Sep 27, 2020
View reviewed changes
Copy link
Collaborator

@ktomanelli ktomanelli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Only thing I'd say is to add a check to verify the post request is coming from slack and not someone else.

You can verify with this function:
const slackConf = req => { const reqBody = qs.stringify(req.body, { format: 'RFC1738' }); const timeStamp = req.headers['x-slack-request-timestamp']; const slackSig = req.headers['x-slack-signature']; if (Math.abs(Math.floor(Date.now() / 1000) - timeStamp) > 300) { return false; } const baseString = v0:${timeStamp}:${reqBody}; const mySecret = v0=${crypto
.createHmac('sha256', slackSecret)
.update(baseString)
.digest('hex')}`;

if (
crypto.timingSafeEqual(
Buffer.from(mySecret, 'utf8'),
Buffer.from(slackSig, 'utf8')
)
) {
return true;
}
return false;
};`
You'll need to require crypto, and qs as well as have the slack signing secret and slack token.

Here's the doc page I used to make it a while ago: https://api.slack.com/authentication/verifying-requests-from-slack.

@daniel-j-pease
Copy link
Author

daniel-j-pease commented Sep 30, 2020

Looks good! Only thing I'd say is to add a check to verify the post request is coming from slack and not someone else.

You can verify with this function:
const slackConf = req => { const reqBody = qs.stringify(req.body, { format: 'RFC1738' }); const timeStamp = req.headers['x-slack-request-timestamp']; const slackSig = req.headers['x-slack-signature']; if (Math.abs(Math.floor(Date.now() / 1000) - timeStamp) > 300) { return false; } const baseString = v0:${timeStamp}:${reqBody}; const mySecret = v0=${crypto
.createHmac('sha256', slackSecret)
.update(baseString)
.digest('hex')}`;

if (
crypto.timingSafeEqual(
Buffer.from(mySecret, 'utf8'),
Buffer.from(slackSig, 'utf8')
)
) {
return true;
}
return false;
};`
You'll need to require crypto, and qs as well as have the slack signing secret and slack token.

Here's the doc page I used to make it a while ago: https://api.slack.com/authentication/verifying-requests-from-slack.

Makes sense thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ktomanelli ktomanelli ktomanelli left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@daniel-j-pease @ktomanelli