Skip to content

gverni/validate-slack-request

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

30 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Build Status JavaScript Style Guide

validate-slack-request

A simple module to validate Slack requests based on this article. The module requires a valid expressJS request object as defined here. See more about that in the API section

Disclaimer: this module is not developed nor endorsed by Slack

Installation

To install use:

$ npm install validate-slack-request

Since Slack is sending requests using a POST with application/x-www-form-urlencoded encoded payload, the express.urlencoded module needs to be enabled in Express in order to parse the POST payload. To enable it, add the following to your main express script (e.g. app.js or server.js)

app.use(express.urlencoded({ extended: true })) // for parsing application/x-www-form-urlencoded

API

validateSlackRequest (slackAppSigningSecret, httpReq, logging)

Where:

  • slackAppSigningSecret: this is the Slack Signing Secret assigned to the app when created. This can be accessed from the Slack app settings under "Basic Information". Look for "Signing secret".
  • httpReq: Express request object as defined here. If this module is used outside Express, make sure that httpreq exposes the following:
    • get(): used to retrieve HTTP request headers (e.g. httpReq.get('Content-Type'))
    • .body : JSON object representing the body of the HTTP POST request.
  • logging: Optional parameter (default value is false) to print log information to console.

Example

In express it can be added to your route using:

const slackValidateRequest = require('validate-slack-request')

... 

router.post('/', function (req, res, next) {
  if (validateSlackRequest(process.env.SLACK_APP_SIGNING_SECRET, req)) {
    // Valid request - Send appropriate response 
    res.send(...)
  }
  ...
}

Above example assumes that the signing secret is stored in environment variable SLACK_APP_SIGNING_SECRET (hardcoding of this variable is not advised)

Errors

Following errors are thrown when invalid arguments are passed:

  • Invalid slack app signing secret: this error is thrown when the slack app signing secret (slackAppSigningSecret) is not a non-empty string. There is no check on actual validity of the app secret
  • Invalid type for logging. Provided ..., expected boolean: this error is thrown when logging argument is not a boolean