verifyRequestSignature does not consider body-parser's req.rawBody #85
Comments
|
Thanks for raising this issue. I’m hoping you can help clarify something for me. When you say that GCP pre-parses the request body before the application handles it, are you saying that it uses the I think we could check for |
|
Okay I think I understand now. GCP pre-parses the request body (it doesn’t matter how) and then places the raw Buffer on the The issue doesn’t really have anything to do with the body-parser middleware. It’s just that we should look for a rawBody before failing. |
|
@aoberoi The parsing method that GCP uses is indeed irrelevant for a solution; only the fact that the raw body is available under |
|
#90 addressed this! |
|
Hi, I think I just had trouble with a similar issue with Serverless and AWS Lamda. On Lambda, res.body is populated but it's actually the raw body, so this part fails: if (req.body && !req.rawBody) { We may need to check the type of req.body to make sure it's not parsed JSON. |
|
@anthonysapien thanks for catching this. can you help point me to some documentation from Serverless or AWS Lambda where I can find details about how the i think we can then create a separate issue (in the new repo for this project) as an |
|
Hi @aoberoi I'm pretty new to both. Here are some docs related to both Serverless and AWS Lambda: It looks like in this setup, the request.body is actually the rawBody. I.e., it's not JSON. Your example should run into the issue: Unfortunately, I don't have insight into why Serverless or AWS have set it up that way. I suspect AWS because everything works with a local Serverless environment. I think your check's intention is to make sure that the request.body is not already parsed JSON, so checking if (typeof req.body === "object" && !req.rawBody) might fix the problem. |
Description
The current implementation of verifying the request signature does not take into account that body-parser package does expose a raw body as the
request.rawBodyvariable.Currently, both the node-slack-events-api and the node-slack-interactive-messages api use the same code. I've tried using both API's with Google Cloud Functions (and Firebase Functions, built on top of that service). Unfortunately, the request is pre-parsed before it even reaches the Cloud Function. This causes the slack middleware to deny attaching the listener. (adapter.js L75).
The
raw-bodypackage is used in both node-slack-events-api and the node-slack-interactive-messages api, which takes the request object as a parameter. This package does not work with body-parser'srequest.rawBody.Perhaps make use of body-parser's ability to provide a raw body and check if it's there. If not, only then use the
raw-bodypackage? This will allow developers to use body-parser in their code, but won't break any existing code depending onnode-slack-events-apiandnode-slack-interactive-messages.It will also allow Google Cloud Functions (and Firebase Functions) to be used, which probably opens up some interesting opportunities for Slack API.
What type of issue is this? (place an
xin one of the[ ])Requirements (place an
xin each of the[ ])Reproducible in:
@slack/events-apiversion: 2.1.1 (latest)node version: any
OS version(s): any
Attachments:
https://stackoverflow.com/questions/18710225/node-js-get-raw-request-body-using-express
https://stackoverflow.com/questions/42950561/how-can-i-get-the-raw-request-body-in-a-google-cloud-function
https://cloud.google.com/functions/docs/writing/http#handling_content_types
https://cloud.google.com/functions/docs/writing/http#parsing_http_requests
The text was updated successfully, but these errors were encountered: