Issues signing incoming slash command requests (Flask)

[wooddar]

Description

I have been trying to use the verify_signature function from the events server to securely authenticate slash command requests. The issue here is that the Flask request body is coming up as empty bytes for a slash command b'' where the actual slash command data is form encoded.

It would be great to have some guidance as to how to verify the signature of incoming slash command requests in Flask as I am currently having to rely on token authentication. Please let me know if anymore details are required.

@aoberoi

What type of issue is this? (place an x in one of the [ ])

• bug
• enhancement (feature request)
• question
• documentation related
• testing related
• discussion

Requirements

• I've read and understood the Contributing guidelines and have done my best effort to follow them.
• I've read and agree to the Code of Conduct.
• I've searched for any related issues and avoided creating a duplicate issue.

Reproducible in:

slackeventsapi version: latest
Flask version: 1.0.2
OS version(s): N/A

Steps to reproduce:

1. Call the verify_signature function from a slash command request context

Expected result:

Signed secret successfully reproduced from the request body

Actual result:

Error is raised as request content/json is blank

[andrew-langdon]

Hey wooddar, I'm running into this issue too. Did you figure anything out?

[shaydewael]

@wooddar @andrew-langdon I just opened a PR that should fix this. In case you're curious, the request body is held in request.form instead of request.data for slash command POST requests. Since signature verification relies on the raw request body, this was where the verify_signature function was failing you.

If you need a quick fix before we get the next release out, you can set request.data = request.get_data() when you're handling your flask route (more info in #44). Here was my workaround that I used to test the functionality:

@app.route("/command", methods=['GET', 'POST'])
def test():
  ts = request.headers.get('X-Slack-Request-Timestamp')
  sig = request.headers.get('X-Slack-Signature')
  request.data = request.get_data()
  result = slack_events_adapter.server.verify_signature(ts, sig)
  print(result)

Hopefully this helps - let me know if you're having any more issues with it 🎉

[kedarv]

Thanks for the fix @shanedewael!

If anyone stumbles across this in the future and sees request.get_data() is empty (ie. in your python debugger), make sure that you access and store request.get_data() before you access form data normally. For whatever reason, Flask consumes request data, and request.get_data() will be empty after accessing via request.form (or similar methods): https://stackoverflow.com/questions/10999990/get-raw-post-body-in-python-flask-regardless-of-content-type-header