rack-slack_request_verification 0.1.0 → 1.0.0.pre

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 62381da5d7fb58f307747f07e786e8ab2146a56128e18edcdff142ae007a2896
-  data.tar.gz: cbad6d1cf50520166b7e82e6a9ff13b1346b78a1e5cb55f06d43317b4bab9b93
+  metadata.gz: b6e156fb4a05f816479e935037c56af58d079f706da577c5d7935cc952195784
+  data.tar.gz: e5f5ccc958eb4458935bfb5ac405381ba7723097aec1206d3287741b4f899f61
 SHA512:
-  metadata.gz: 5c9884a7729394cfefcf3dba9550a57d3c92986d1b3e7dba68fa844ef58c3d8105cd005d035fa5f0e29405e7b89221eaf92e5fa6188de574e5d04f64546fe5e4
-  data.tar.gz: 6aa11e0045975efefab53246b074dca2f962cc28c2821ec6743935c76cab7e8c1a4561c5dfbeb00c61944c9da57434a6bb8caf5dae10c0d49c15e169b6498608
+  metadata.gz: 67664cd0e4d1b6a22c316a2c6189d075de516cad1616cae2f46ca4131c9e6965c82a907b61130915a1e244d50a17dbf5be20499df2d9ce211cf5813f4bbe7d6d
+  data.tar.gz: bfbda6a18fbdd5990e25eb881223b2f45a0538cae8aefe342f1e44290be8b23f515f7138472db16b04789d4a363fb1173e86d67758b1ecbf18b30636a00032de

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    rack-slack_request_verification (0.1.0)
+    rack-slack_request_verification (1.0.0.pre)
 
 GEM
   remote: https://rubygems.org/

data/README.md

@@ -61,6 +61,10 @@ use Rack::SlackRequestVerification, {
     # process each request once
     max_staleness_in_secs: 60 * 5,
 
+    # The entire request body must be loaded into memory to compute the hash.
+    # To prevent a DDoS attack, the request body is limited to 1MB
+    request_body_limit_in_bytes: 1024 ** 2,
+
     # Where to log error messages
     logger: Logger.new($stdout),
 

data/lib/rack/slack_request_verification.rb

@@ -1,12 +1,18 @@
+require 'forwardable'
+
 module Rack
   module SlackRequestVerification
-    class Error < StandardError; end
-
-    def self.new(*args)
-      Middleware.new(*args)
+    def self.new(app, *args)
+      config = Configuration.new(*args)
+      Middleware.new(app, config)
     end
   end
 end
 
 require "rack/slack_request_verification/version"
+require "rack/slack_request_verification/errors"
 require "rack/slack_request_verification/middleware"
+require "rack/slack_request_verification/configuration"
+require "rack/slack_request_verification/request"
+require "rack/slack_request_verification/headers"
+require "rack/slack_request_verification/computed_signature"

data/lib/rack/slack_request_verification/computed_signature.rb

@@ -0,0 +1,33 @@
+require 'openssl'
+require 'forwardable'
+
+module Rack::SlackRequestVerification
+  class ComputedSignature
+    extend Forwardable
+    def_delegators :@config, :signing_key, :signing_version
+    def_delegators :@request, :body, :timestamp
+
+    def initialize(request)
+      @request = request
+      @config = request.config
+    end
+
+    def to_s
+      [signing_version, digest].join('=')
+    end
+
+    def ==(other)
+      other == to_s
+    end
+
+    private
+
+    def signature_base_string
+      [signing_version, timestamp, body].join(':')
+    end
+
+    def digest
+      OpenSSL::HMAC.hexdigest("SHA256", signing_key, signature_base_string)
+    end
+  end
+end

data/lib/rack/slack_request_verification/configuration.rb

@@ -0,0 +1,58 @@
+require 'logger'
+
+module Rack::SlackRequestVerification
+  class Configuration
+    attr_reader *%i(
+      signing_key
+      path_pattern
+      signing_version
+      timestamp_header
+      signature_header
+      logger
+      max_staleness_in_secs
+      request_body_limit_in_bytes
+    )
+
+    def initialize(
+      # A regular expression used to determine which requests to verify
+      path_pattern:,
+
+      # You can provide a signing key directly, set a SLACK_SIGNING_KEY env var
+      # or customise the env var to something else
+      signing_key: nil,
+      signing_key_env_var: 'SLACK_SIGNING_KEY',
+
+      # Mitigates replay attacks by verifying the request was sent recently –
+      # a better strategy is to record the signature header to ensure you only
+      # process each request once
+      max_staleness_in_secs: 60 * 5,
+
+      # The entire request body must be loaded into memory to compute the hash.
+      # To prevent a DDoS attack, the request body is limited to 1MB
+      request_body_limit_in_bytes: 1024 ** 2,
+
+      # Where to log error messages
+      logger: Logger.new($stdout),
+
+      signing_version: 'v0',
+      timestamp_header: 'X-Slack-Request-Timestamp',
+      signature_header: 'X-Slack-Signature'
+    )
+      @path_pattern = path_pattern
+      @signing_version = signing_version
+      @timestamp_header = timestamp_header
+      @signature_header = signature_header
+      @logger = logger
+      @max_staleness_in_secs = max_staleness_in_secs
+      @request_body_limit_in_bytes = request_body_limit_in_bytes
+
+      @signing_key = signing_key || ENV.fetch(signing_key_env_var) do
+        fail Error, "#{signing_key_env_var} env var not set, please configure a signing key"
+      end
+    end
+
+    def minimum_timestamp
+      Time.now.to_i - max_staleness_in_secs
+    end
+  end
+end

data/lib/rack/slack_request_verification/errors.rb

@@ -0,0 +1,4 @@
+module Rack::SlackRequestVerification
+  Error = Class.new(StandardError)
+  RequestBodyTooLarge = Class.new(Error)
+end

data/lib/rack/slack_request_verification/headers.rb

@@ -0,0 +1,39 @@
+module Rack::SlackRequestVerification
+  class Headers
+    extend Forwardable
+    def_delegators :@config, :signature_header, :timestamp_header
+    attr_reader :request, :to_h
+
+    def initialize(request)
+      @request = request
+      @config = request.config
+
+      @to_h = {
+        signature_header => read(signature_header),
+        timestamp_header => read(timestamp_header)&.to_i
+      }
+    end
+
+    def signed_signature
+      to_h.fetch(signature_header)
+    end
+
+    def timestamp
+      to_h.fetch(timestamp_header)
+    end
+
+    def missing
+      to_h.select { |_, value| value.nil? }.keys
+    end
+
+    def missing?
+      !missing.empty?
+    end
+
+    private
+
+    def read(header)
+      request.env["HTTP_" + header.gsub('-', '_').upcase]
+    end
+  end
+end

data/lib/rack/slack_request_verification/middleware.rb

@@ -1,99 +1,48 @@
 require 'logger'
 require 'openssl'
+require 'forwardable'
 
 module Rack::SlackRequestVerification
-  class Middleware
-    attr_reader *%i(
-      signing_key
-      path_pattern
-      signing_version
-      timestamp_header
-      signature_header
-      logger
-      max_staleness_in_secs
-    )
+  class Middleware < SimpleDelegator
+    attr_reader :app, :config
 
-    def initialize(app,
-      # A regular expression used to determine which requests to verify
-      path_pattern:,
-
-      # You can provide a signing key directly, set a SLACK_SIGNING_KEY env var
-      # or customise the env var to something else
-      signing_key: nil,
-      signing_key_env_var: 'SLACK_SIGNING_KEY',
-
-      # Mitigates replay attacks by verifying the request was sent recently –
-      # a better strategy is to record the signature header to ensure you only
-      # process each request once
-      max_staleness_in_secs: 60 * 5,
-
-      # Where to log error messages
-      logger: Logger.new($stdout),
-
-      signing_version: 'v0',
-      timestamp_header: 'X-Slack-Request-Timestamp',
-      signature_header: 'X-Slack-Signature'
-    )
+    def initialize(app, config)
       @app = app
-      @path_pattern = path_pattern
-      @signing_version = signing_version
-      @timestamp_header = timestamp_header
-      @signature_header = signature_header
-      @logger = logger
-      @max_staleness_in_secs = max_staleness_in_secs
-
-      @signing_key = signing_key || ENV.fetch(signing_key_env_var) do
-        fail Error, "#{signing_key_env_var} env var not set, please configure a signing key"
-      end
+      @config = config
+      super(config)
     end
 
     def call(env)
-      if !path_pattern.match?(env['PATH_INFO'])
-        @app.call(env)
-      else
-        headers = {
-          signature_header => env["HTTP_" + signature_header.gsub('-', '_').upcase],
-          timestamp_header => env["HTTP_" + timestamp_header.gsub('-', '_').upcase]&.to_i
-        }
-
-        missing_headers = headers.select { |_, value| value.nil? }.keys
-
-        if !missing_headers.empty?
-          logger.error "Slack verification failed: missing #{missing_headers.join(', ')}"
-          return [401, {}, "Not authorized"]
+      request = Request.new(env, config)
+
+      begin
+        if path_pattern.match?(request.path)
+          if request.headers.missing?
+            logger.error "Slack verification failed: missing #{request.headers.missing.join(', ')}"
+            return respond_with(401)
+          end
+
+          if request.timestamp < minimum_timestamp
+            logger.error "Slack verification failed: #{timestamp_header} is #{request.timestamp}, only #{minimum_timestamp} or later is allowed"
+            return respond_with(401)
+          end
+
+          if request.computed_signature != request.signed_signature
+            logger.error "Slack verification failed: #{signature_header} does not match the signature"
+            return respond_with(401)
+          end
         end
+      rescue RequestBodyTooLarge
+        logger.error "Slack verification failed: request exceeded limit of #{request_body_limit_in_bytes} bytes"
+        return respond_with(413)
+      end
 
-        timestamp = headers[timestamp_header]
-        signature = headers[signature_header]
-
-        minimum_timestamp = Time.now.to_i - max_staleness_in_secs
-
-        if timestamp < minimum_timestamp
-          logger.error "Slack verification failed: #{timestamp_header} is #{timestamp}, only #{minimum_timestamp} or later is allowed"
-          return [401, {}, "Not authorized"]
-        end
-
-        body = env['rack.input']
-
-        signature_base_string = [
-          signing_version,
-          timestamp,
-          body.read
-        ].join(':')
-
-        body.rewind
-
-        digest = OpenSSL::HMAC.hexdigest("SHA256", signing_key, signature_base_string)
-
-        computed_signature = [signing_version, digest].join('=')
-
-        if computed_signature != signature
-          logger.error "Slack verification failed: #{signature_header} does not match the signature"
-          return [401, {}, "Not authorized"]
-        end
+      app.call(env)
+    end
 
-        @app.call(env)
-      end
+    def respond_with(code)
+      body = Rack::Utils::HTTP_STATUS_CODES.fetch(code)
+      [code, {}, [body]]
     end
   end
 end

data/lib/rack/slack_request_verification/request.rb

@@ -0,0 +1,40 @@
+module Rack::SlackRequestVerification
+  class Request
+    extend Forwardable
+    attr_reader :env, :config
+    def_delegators :headers, :signed_signature, :timestamp
+    def_delegators :config, :request_body_limit_in_bytes
+
+    def initialize(env, config)
+      @env = env
+      @config = config
+    end
+
+    def path
+      env.fetch('PATH_INFO')
+    end
+
+    def headers
+      @headers ||= Headers.new(self)
+    end
+
+    def body
+      input_rack_io = env.fetch('rack.input')
+      bytes = input_rack_io.read(request_body_limit_in_bytes)
+
+      # Attempt to read one more byte
+      reading_is_complete = input_rack_io.read(1).nil?
+
+      # Rewind for the next middleware
+      input_rack_io.rewind
+
+      fail RequestBodyTooLarge unless reading_is_complete
+
+      bytes
+    end
+
+    def computed_signature
+      @computed_signature ||= ComputedSignature.new(self)
+    end
+  end
+end

data/lib/rack/slack_request_verification/version.rb

@@ -1,5 +1,5 @@
 module Rack
   module SlackRequestVerification
-    VERSION = "0.1.0"
+    VERSION = "1.0.0.pre"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-slack_request_verification
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 1.0.0.pre
 platform: ruby
 authors:
 - Pete Nicholls
@@ -99,7 +99,12 @@ files:
 - bin/console
 - bin/setup
 - lib/rack/slack_request_verification.rb
+- lib/rack/slack_request_verification/computed_signature.rb
+- lib/rack/slack_request_verification/configuration.rb
+- lib/rack/slack_request_verification/errors.rb
+- lib/rack/slack_request_verification/headers.rb
 - lib/rack/slack_request_verification/middleware.rb
+- lib/rack/slack_request_verification/request.rb
 - lib/rack/slack_request_verification/version.rb
 - rack-slack_request_verification.gemspec
 homepage: https://github.com/Aupajo/rack-slack_request_verification
@@ -117,9 +122,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubygems_version: 3.0.3
 signing_key: