Attempt to fix slack signing secret always passing

This commit is contained in:
Max Wofford 2025-06-05 13:55:25 -04:00
parent c8115f1386
commit e8718e7bfb


@ -50,7 +50,7 @@ class SlackController < ApplicationController
def verify_slack_request
timestamp = request.headers["X-Slack-Request-Timestamp"]
signature = request.headers["X-Slack-Signature"]
received_signature = request.headers["X-Slack-Signature"]
# Skip verification in development
return true if Rails.env.development?
@ -61,15 +61,14 @@ class SlackController < ApplicationController
sig_basestring = "v0:#{timestamp}:#{request.raw_post}"
# Try both signing secrets
signature = "v0=" + OpenSSL::HMAC.hexdigest(
computed_signature = "v0=" + OpenSSL::HMAC.hexdigest(
"SHA256",
signing_secret,
sig_basestring
)
# Check if the request matches signature
unless ActiveSupport::SecurityUtils.secure_compare(signature, signature)
unless ActiveSupport::SecurityUtils.secure_compare(received_signature, computed_signature)
head :unauthorized
nil
end
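Review bot: The new comparison in the second hunk still raises instead of rejecting when the `X-Slack-Signature` header is absent: `received_signature` is then nil, and `ActiveSupport::SecurityUtils.secure_compare` does not accept a nil argument, so a request without the header produces an exception (a 500) rather than the intended `head :unauthorized`. Add a guard right after the two header reads in the first hunk, `return head(:unauthorized) if received_signature.blank? || timestamp.blank?`, so a malformed request gets the same 401 as a bad signature. The `# Try both signing secrets` comment above `computed_signature` no longer describes the code, which computes a single HMAC from `signing_secret`; either drop it or state which secret is used. Slack also recommends rejecting requests whose `X-Slack-Request-Timestamp` is more than a few minutes old to limit replay; the lines between the two hunks (where `signing_secret` is set) are not visible here, so that check may already exist.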