Invalid signature error when using singing secret about bolt-js HOT 9 CLOSED

Interesting, I'll try and dig into this a bit later today. Thanks for the detailed description. Are you getting that invalid signature on pretty much any slack event that comes in (i.e. actions, events, commands etc.)?

from bolt-js.

I'm getting it on slack events and commands. Didn't test it for actions and options

from bolt-js.

I'm seeing the same issue. I modified parse-command middleware and it seems bodyParser verify function is never firing.

  return [
    (req, res, next) => {
      console.log('pre body parse', req.rawBody)
      next()
    },
    bodyParser.urlencoded({ extended: true, verify }),
    (req, res, next) => {
      console.log('post body parse', req.rawBody)
      next()
    },
    function parseCommand (req, res, next) {

Prints

pre body parse undefined
post body parse undefined
slapp:error Invalid signature

from bolt-js.

I think @curtisallen and I figured out what it was yesterday. I believe you're seeing the error because you have another body parser middleware (perhaps running at our app level? app.use(bodyParser.json()) or something). What ends up happening is that first body parser you register on your server ends up capturing the data & end events on the request stream, so the body parsers that slapp sets up for each of the event routes are missing at the minimum, the end event, which is why the verify function isn't being called.

The immediate solution is to avoid having 2 body parsers for those slapp registered routes, which can be done by not registering a body parser across your entire app, and either limiting it to sub routers or routes that explicitly need it. Then when slapp sets up it's event routes, it's body parser will be the only ones registered for those routes.

I'm struggling to find a better solution that doesn't impose this restriction on your http server, but for now, that at least explains what's going on, and how to avoid it.

from bolt-js.

Hmm... So, I can fix it by adding verify function to my bodyParsers:

const verify = (req, res, buffer, encoding) => {
  if (req.path.includes('/api/slack')) {
    req.rawBody = buffer.toString()
  }
}

But I still hope it can be resolved on your side somehow 🤞

from bolt-js.

I've just thought if my app use bodyParser and Slapp too, then Slapp's will never run. And I've noticed, that you have bodyParser.urlencoded({ extended: true }) and we have { extended: false }. It works for three of our apps, but I wonder if it ever can cause a bug 🤔

from bolt-js.

I think it’s pretty likely there could be body parsing bugs if there are multiple body parsing middleware functions running on the same request. One of the reasons we explicitly put them in the routes slapp adds is that there is nuance to what format Slack sends each of the events in, i.e, json vs url encoded etc.

I’d definitely suggest scoping any body parsers for your app in a way that doesn’t run in the slack event routes as well.

from bolt-js.

@selfcontained I've excluded Slack related routes where I'm registering my bodyParsers and now it works. Thanks! I think we can close this issue.
What do you think, should this case be reflected in the documentation?

from bolt-js.

Yes, at a minimum we should make it very clear that conflicting body parsers can cause this type of issue.

from bolt-js.