Last active
December 16, 2019 21:07
-
-
Save Arunmainthan/def4062d1d21c32e4ad5046e766ba51f to your computer and use it in GitHub Desktop.
slack signature verification
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| verifySignature(slackSignature, slackTimestamp, body) { | |
| const slackSigningSecret = process.env.SLACK_SIGNING_SECRET; | |
| console.log('slackTimestamp: ', slackTimestamp); | |
| console.log('slackSignature: ', slackSignature); | |
| const timestamp = slackTimestamp; | |
| const time = Math.floor(new Date().getTime()/1000); | |
| if (Math.abs(time - timestamp) > 300) { | |
| throw new Error('Ignore this request.'); | |
| } | |
| if (!slackSigningSecret) { | |
| throw new Error('Slack signing secret is empty.'); | |
| } | |
| const sigBasestring = `v0:${timestamp}:${body}`; | |
| console.log('sigBasestring: ', sigBasestring); | |
| const cryptoHMac = crypto.createHmac('sha256', slackSigningSecret).update(sigBasestring, 'utf8').digest('hex'); | |
| console.log('cryptoHMac: ', cryptoHMac); | |
| const mySignature = `v0=${cryptoHMac}`; | |
| console.log('mySignature: ', mySignature); | |
| if (!crypto.timingSafeEqual(Buffer.from(mySignature, 'utf8'), Buffer.from(slackSignature, 'utf8'))) { | |
| throw new Error('Verification failed'); | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import json | |
| import hashlib | |
| import hmac | |
| def create_signature(secret, timestamp, data): | |
| newdata =json.dumps(data, separators=(',', ':')) | |
| req = ('v0:' + str(timestamp) + ':' + newdata).encode() | |
| print('sigBaseString: ', req) | |
| request_signature= 'v0='+hmac.new( | |
| str.encode(secret), | |
| req, hashlib.sha256 | |
| ).hexdigest() | |
| return request_signature | |
| data = {} | |
| currentSignature = create_signature('secret', timestamp, data['body']) | |
| print('currentSignature: ', currentSignature) | |
| expected_signature = 'v0=something' | |
| print('expected_signature: ', expected_signature) | |
| print('matching=', hmac.compare_digest(currentSignature, expected_signature)) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment