
create middlewares: protectReplyAttack

zahmis 5 лет назад
Родитель
Сommit
dd0c3fd619

+ 26 - 0
packages/slack/src/middlewares/protect-reply-attack.ts

@@ -0,0 +1,26 @@
+import { createHmac, timingSafeEqual } from 'crypto';
+import { stringify } from 'qs';
+
+export const protectReplyAttack = (req, res, next) => {
+// protect against replay attacks
+
+  // take out slackSignature and timestamp from header
+  const slackSignature = req.headers['x-slack-signature'];
+  const timestamp = req.headers['x-slack-request-timestamp'];
+  const time = Math.floor(new Date().getTime() / 1000);
+  if (Math.abs(time - timestamp) > 300) {
+    return res.send('Verification failed.');
+  }
+
+  // generate growi signature
+  const sigBaseString = `v0:${timestamp}:${stringify(req.body, { format: 'RFC1738' })}`;
+  const hasher = createHmac('sha256', req.signingSecret);
+  hasher.update(sigBaseString, 'utf8');
+  const hashedSigningSecret = hasher.digest('hex');
+  const growiSignature = `v0=${hashedSigningSecret}`;
+
+  // compare growiSignature and slackSignature
+  if (timingSafeEqual(Buffer.from(growiSignature, 'utf8'), Buffer.from(slackSignature, 'utf8'))) {
+    return next();
+  }
+};
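Review bot: The guard for missing headers that the old verifyingIsSlackRequest body had is not carried over into the new middleware, so when `x-slack-signature` is absent `Buffer.from(slackSignature, 'utf8')` on the comparison line throws, and a non-numeric `x-slack-request-timestamp` makes `Math.abs(time - timestamp)` NaN, which the `> 300` test never rejects. `timingSafeEqual` also throws a RangeError when the two buffers differ in length, so any signature that is not exactly the expected length becomes an exception rather than a rejection. The mismatch path falls off the end of the function without responding or calling next(), so the request hangs unless the caller answers for it. The checks below, placed before the arithmetic and the comparison, plus an explicit failure response at the end, keep every path terminated. The parameters are untyped, which only compiles with noImplicitAny off; `(req: Request & signingSecretType, res: Response, next: NextFunction)` would match the caller's signature.
```typescript
export const protectReplyAttack = (req, res, next) => {
  const slackSignature = req.headers['x-slack-signature'];
  const timestamp = req.headers['x-slack-request-timestamp'];
  // reject missing or malformed headers before any arithmetic or buffer work
  if (typeof slackSignature !== 'string' || typeof timestamp !== 'string' || !/^\d+$/.test(timestamp)) {
    return res.send('Verification failed');
  }
  const time = Math.floor(Date.now() / 1000);
  if (Math.abs(time - Number(timestamp)) > 300) {
    return res.send('Verification failed.');
  }
  // … unchanged: sigBaseString / HMAC computation of growiSignature …
  const expected = Buffer.from(growiSignature, 'utf8');
  const received = Buffer.from(slackSignature, 'utf8');
  // timingSafeEqual throws on unequal lengths; compare lengths first
  if (expected.length === received.length && timingSafeEqual(expected, received)) {
    return next();
  }
  return res.send('Verification failed');
};
```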

+ 27 - 27
packages/slack/src/utils/verifying-is-slack-request.ts

@@ -1,6 +1,5 @@
-import { createHmac, timingSafeEqual } from 'crypto';
-import { stringify } from 'qs';
 import { Request, Response, NextFunction } from 'express';
+import { protectReplyAttack } from '../middlewares/protect-reply-attack';
 /**
    * Verify if the request came from slack
    * See: https://api.slack.com/authentication/verifying-requests-from-slack
@@ -16,32 +15,33 @@ export const verifyingIsSlackRequest = (req : Request & signingSecretType, res:R
     return res.send('No signing secret.');
   }
 
-  // take out slackSignature and timestamp from header
-  const slackSignature = req.headers['x-slack-signature'];
-  const timestamp = req.headers['x-slack-request-timestamp'];
-
-  if (slackSignature == null || timestamp == null) {
-    return res.send('Verification failed');
-  }
-
-  // protect against replay attacks
-  const time = Math.floor(new Date().getTime() / 1000);
-  if (Math.abs(time - timestamp) > 300) {
-    return res.send('Verification failed.');
-  }
+  protectReplyAttack(req, res, next);
 
-  // generate growi signature
-  const sigBaseString = `v0:${timestamp}:${stringify(req.body, { format: 'RFC1738' })}`;
-  const hasher = createHmac('sha256', req.signingSecret);
-  hasher.update(sigBaseString, 'utf8');
-  const hashedSigningSecret = hasher.digest('hex');
-  const growiSignature = `v0=${hashedSigningSecret}`;
-
-  // compare growiSignature and slackSignature
-  if (timingSafeEqual(Buffer.from(growiSignature, 'utf8'), Buffer.from(slackSignature, 'utf8'))) {
-    return next();
-
-  }
+  // take out slackSignature and timestamp from header
+  // const slackSignature = req.headers['x-slack-signature'];
+  // const timestamp = req.headers['x-slack-request-timestamp'];
+
+  // if (slackSignature == null || timestamp == null) {
+  //   return res.send('Verification failed');
+  // }
+
+  // // protect against replay attacks
+  // const time = Math.floor(new Date().getTime() / 1000);
+  // if (Math.abs(time - timestamp) > 300) {
+  //   return res.send('Verification failed.');
+  // }
+
+  // // generate growi signature
+  // const sigBaseString = `v0:${timestamp}:${stringify(req.body, { format: 'RFC1738' })}`;
+  // const hasher = createHmac('sha256', req.signingSecret);
+  // hasher.update(sigBaseString, 'utf8');
+  // const hashedSigningSecret = hasher.digest('hex');
+  // const growiSignature = `v0=${hashedSigningSecret}`;
+
+  // // compare growiSignature and slackSignature
+  // if (timingSafeEqual(Buffer.from(growiSignature, 'utf8'), Buffer.from(slackSignature, 'utf8'))) {
+  //   return next();
+  // }
 
   return res.send('Verification failed');
 };
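Review bot: The call `protectReplyAttack(req, res, next);` in the second hunk discards the middleware's result, so after it has already called next() (or already sent 'Verification failed.' on a stale timestamp) control still reaches `return res.send('Verification failed');` at the bottom, producing either a failure response for a verified request or an ERR_HTTP_HEADERS_SENT error. Changing the call to `return protectReplyAttack(req, res, next);` and dropping the trailing send fixes that, provided the middleware answers the mismatch case itself (as written it falls off its end without responding). The twenty-odd commented-out lines that duplicate the moved body should be deleted rather than kept; git history already preserves them. The name `protectReplyAttack` misspells the intent (replay, as the moved comment says) and will be awkward to rename once it is imported across packages. verifyingIsSlackRequest's signature and the no-secret check sit above the hunk.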