Slack Request Verification

Slack has deprecated the previous method of comparing your app's verification token to the one sent with the request. The snippet below implements the new signing secret method in JavaScript.

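import { createHmac, timingSafeEqual } from 'crypto'

// pull out the slack request timestamp and signature to compare against
// (Node's http module lowercases header names; use lowercase keys if `headers` comes from there)
const timestamp = headers['X-Slack-Request-Timestamp']
const actual = headers['X-Slack-Signature']

// use the **raw** body of the request here before middleware parses it (if necessary)
const rawBody = ctx.request.body.raw

// combine the required fields
const baseString = ['v0', timestamp, rawBody].join(':')

// hash them together
const hash = createHmac('sha256', "YOUR_SLACK_SIGNING_SECRET")
  .update(baseString)
  .digest('hex')

// prepend the version
const computed = `v0=${hash}`

// make the comparison in constant time; timingSafeEqual throws if the
// lengths differ, so check that (and a missing header) first
const computedBuf = Buffer.from(computed)
const actualBuf = Buffer.from(actual || '')
if (computedBuf.length !== actualBuf.length || !timingSafeEqual(computedBuf, actualBuf)) {
  // failed to verify - exit here
  return
}

// successfully verified - continue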
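
The same check wrapped in a function, as an added example that is not part of the original note: it also rejects stale timestamps (a captured request replayed later) and shows why the raw body matters. The function names, the 300-second window and every sample value are assumptions constructed for illustration.

```javascript
// Load node:crypto whether this file runs as CommonJS or as an ES module.
const { createHmac, timingSafeEqual } =
  typeof require === 'function' ? require('node:crypto') : process.getBuiltinModule('node:crypto')

const MAX_SKEW_SECONDS = 300 // assumed replay window, not stated in the note

// Recompute the v0 signature over the exact bytes that were sent.
function sign (secret, timestamp, rawBody) {
  const hash = createHmac('sha256', secret).update(`v0:${timestamp}:${rawBody}`).digest('hex')
  return `v0=${hash}`
}

// Returns 'ok' or the reason the request was rejected.
function verifySlackRequest ({ secret, timestamp, signature, rawBody, now = Math.floor(Date.now() / 1000) }) {
  if (typeof timestamp !== 'string' || !/^\d+$/.test(timestamp)) return 'bad-timestamp'
  if (typeof signature !== 'string' || !signature.startsWith('v0=')) return 'bad-signature'
  // A replayed request still carries a valid signature, so bound its age.
  if (Math.abs(now - Number(timestamp)) > MAX_SKEW_SECONDS) return 'stale-timestamp'
  const expected = Buffer.from(sign(secret, timestamp, rawBody))
  const received = Buffer.from(signature)
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (expected.length !== received.length || !timingSafeEqual(expected, received)) return 'mismatch'
  return 'ok'
}

// Constructed sample values (not real Slack data).
const SECRET = 'constructed-signing-secret'
const NOW = 1700000000
const RAW_BODY = 'command=%2Fdeploy&text=hello%20world'
const SIGNATURE = sign(SECRET, String(NOW), RAW_BODY)
// What you get if middleware parses the form and it is serialized again:
// the space becomes '+', so the bytes no longer match what was signed.
const REENCODED_BODY = new URLSearchParams(RAW_BODY).toString()

function demo () {
  const base = { secret: SECRET, timestamp: String(NOW), signature: SIGNATURE, rawBody: RAW_BODY, now: NOW }
  return {
    valid: verifySlackRequest(base),
    reencoded: verifySlackRequest({ ...base, rawBody: REENCODED_BODY }),
    replayed: verifySlackRequest({ ...base, now: NOW + 3600 }),
    truncated: verifySlackRequest({ ...base, signature: SIGNATURE.slice(0, 20) }),
    missing: verifySlackRequest({ ...base, signature: undefined })
  }
}

console.log(demo())
```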


Content on blog pages use the CC-BY-SA license. The source code and notes use the MIT license. Unsure? Mention me on Mastodon.