PyPI - langchain-trigger-server - Versions diffs - 0.2.6rc2__tar.gz → 0.2.6rc4__tar.gz - Mend

langchain-trigger-server 0.2.6rc2tar.gz → 0.2.6rc4tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of langchain-trigger-server might be problematic. Click here for more details.

Files changed (19) hide show

{langchain_trigger_server-0.2.6rc2 → langchain_trigger_server-0.2.6rc4}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: langchain-trigger-server
-Version: 0.2.6rc2
+Version: 0.2.6rc4
 Summary: Generic event-driven triggers framework
 Project-URL: Homepage, https://github.com/langchain-ai/open-agent-platform
 Project-URL: Repository, https://github.com/langchain-ai/open-agent-platform

{langchain_trigger_server-0.2.6rc2 → langchain_trigger_server-0.2.6rc4}/langchain_triggers/app.py RENAMED Viewed

@@ -16,6 +16,12 @@ from .decorators import TriggerTemplate
 from .database import create_database, TriggerDatabaseInterface
 from .cron_manager import CronTriggerManager
 from .triggers.cron_trigger import CRON_TRIGGER_ID
+from .auth.slack_hmac import (
+    verify_slack_signature,
+    get_slack_signing_secret,
+    extract_slack_headers,
+    SlackSignatureVerificationError,
+)
 logger = logging.getLogger(__name__)
@@ -486,11 +492,21 @@ class TriggerServer:
     ) -> Dict[str, Any]:
         """Handle an incoming request with a handler function."""
         try:
-            # Parse request data
             if request.method == "POST":
                 if request.headers.get("content-type", "").startswith("application/json"):
-                    payload = await request.json()
+                    # Read body once for both auth and parsing
+                    body_bytes = await request.body()
+                    body_str = body_bytes.decode("utf-8")
+                    if self._is_slack_trigger(trigger):
+                        await self._verify_slack_webhook_auth_with_body(request, body_str)
+                    import json
+                    payload = json.loads(body_str)
+                    if payload.get("type") == "url_verification" and "challenge" in payload:
+                        logger.info(f"Responding to Slack URL verification challenge")
+                        return {"challenge": payload["challenge"]}
                 else:
                     # Handle form data or other content types
                     body = await request.body()
@@ -592,6 +608,149 @@ class TriggerServer:
                 logger.error(f"Error invoking agent {agent_id}: {e}")
                 raise
+    def _is_slack_trigger(self, trigger: TriggerTemplate) -> bool:
+        """Check if a trigger is from Slack and requires HMAC signature verification."""
+        return (
+            trigger.provider.lower() == "slack" or
+            "slack" in trigger.id.lower()
+        )
+    async def _verify_slack_webhook_auth(self, request: Request) -> None:
+        """Verify Slack HMAC signature for webhook requests.
+        Slack uses HMAC-SHA256 signatures to verify webhook authenticity.
+        The signature is computed from the timestamp, body, and signing secret.
+        Args:
+            request: The FastAPI request object
+        Raises:
+            HTTPException: If authentication fails
+        """
+        try:
+            signing_secret = get_slack_signing_secret()
+            if not signing_secret:
+                logger.error("SLACK_SIGNING_SECRET environment variable not set")
+                raise HTTPException(
+                    status_code=500,
+                    detail="Slack signing secret not configured on server"
+                )
+            headers_dict = dict(request.headers)
+            signature, timestamp = extract_slack_headers(headers_dict)
+            if not signature:
+                logger.error("Missing X-Slack-Signature header")
+                raise HTTPException(
+                    status_code=401,
+                    detail="Missing X-Slack-Signature header. Slack webhooks require signature verification."
+                )
+            if not timestamp:
+                logger.error("Missing X-Slack-Request-Timestamp header")
+                raise HTTPException(
+                    status_code=401,
+                    detail="Missing X-Slack-Request-Timestamp header. Slack webhooks require timestamp."
+                )
+            body = await request.body()
+            body_str = body.decode('utf-8')
+            try:
+                verify_slack_signature(
+                    signing_secret=signing_secret,
+                    timestamp=timestamp,
+                    body=body_str,
+                    signature=signature
+                )
+                logger.info(f"Successfully verified Slack webhook signature. Timestamp: {timestamp}")
+            except SlackSignatureVerificationError as e:
+                logger.error(f"Slack signature verification failed: {e}")
+                raise HTTPException(
+                    status_code=401,
+                    detail=f"Slack signature verification failed: {str(e)}"
+                )
+            # Store verification info in request state
+            request.state.slack_verified = True
+            request.state.slack_timestamp = timestamp
+        except HTTPException:
+            raise
+        except Exception as e:
+            logger.error(f"Unexpected error during Slack webhook authentication: {e}")
+            raise HTTPException(
+                status_code=500,
+                detail=f"Authentication error: {str(e)}"
+            )
+    async def _verify_slack_webhook_auth_with_body(self, request: Request, body_str: str) -> None:
+        """Verify Slack HMAC signature for webhook requests using pre-read body.
+        Slack uses HMAC-SHA256 signatures to verify webhook authenticity.
+        The signature is computed from the timestamp, body, and signing secret.
+        Args:
+            request: The FastAPI request object
+            body_str: The request body as a string (already read)
+        Raises:
+            HTTPException: If authentication fails
+        """
+        try:
+            signing_secret = get_slack_signing_secret()
+            if not signing_secret:
+                logger.error("SLACK_SIGNING_SECRET environment variable not set")
+                raise HTTPException(
+                    status_code=500,
+                    detail="Slack signing secret not configured on server"
+                )
+            headers_dict = dict(request.headers)
+            signature, timestamp = extract_slack_headers(headers_dict)
+            if not signature:
+                logger.error("Missing X-Slack-Signature header")
+                raise HTTPException(
+                    status_code=401,
+                    detail="Missing X-Slack-Signature header. Slack webhooks require signature verification."
+                )
+            if not timestamp:
+                logger.error("Missing X-Slack-Request-Timestamp header")
+                raise HTTPException(
+                    status_code=401,
+                    detail="Missing X-Slack-Request-Timestamp header. Slack webhooks require timestamp."
+                )
+            try:
+                verify_slack_signature(
+                    signing_secret=signing_secret,
+                    timestamp=timestamp,
+                    body=body_str,
+                    signature=signature
+                )
+                logger.info(f"Successfully verified Slack webhook signature. Timestamp: {timestamp}")
+            except SlackSignatureVerificationError as e:
+                logger.error(f"Slack signature verification failed: {e}")
+                raise HTTPException(
+                    status_code=401,
+                    detail=f"Slack signature verification failed: {str(e)}"
+                )
+            # Store verification info in request state
+            request.state.slack_verified = True
+            request.state.slack_timestamp = timestamp
+        except HTTPException:
+            raise
+        except Exception as e:
+            logger.error(f"Unexpected error during Slack webhook authentication: {e}")
+            raise HTTPException(
+                status_code=500,
+                detail=f"Authentication error: {str(e)}"
+            )
     def get_app(self) -> FastAPI:
         """Get the FastAPI app instance."""
         return self.app

langchain_trigger_server-0.2.6rc4/langchain_triggers/auth/__init__.py ADDED Viewed

@@ -0,0 +1,16 @@
+"""Authentication utilities for trigger webhooks."""
+from .slack_hmac import (
+    verify_slack_signature,
+    get_slack_signing_secret,
+    extract_slack_headers,
+    SlackSignatureVerificationError,
+)
+__all__ = [
+    "verify_slack_signature",
+    "get_slack_signing_secret",
+    "extract_slack_headers",
+    "SlackSignatureVerificationError",
+]

langchain_trigger_server-0.2.6rc4/langchain_triggers/auth/slack_hmac.py ADDED Viewed

@@ -0,0 +1,95 @@
+"""Slack HMAC signature verification for webhook authentication.
+Slack uses HMAC-SHA256 signatures to verify webhook authenticity.
+Each request includes an X-Slack-Signature header that must be verified
+against your app's signing secret.
+"""
+from __future__ import annotations
+import hashlib
+import hmac
+import logging
+import os
+import time
+from typing import Optional
+logger = logging.getLogger(__name__)
+class SlackSignatureVerificationError(Exception):
+    """Exception raised when Slack signature verification fails."""
+    pass
+def verify_slack_signature(
+    signing_secret: str,
+    timestamp: str,
+    body: str,
+    signature: str,
+    max_age_seconds: int = 300
+) -> bool:
+    try:
+        # Verify timestamp to prevent replay attacks
+        current_time = int(time.time())
+        request_time = int(timestamp)
+        if abs(current_time - request_time) > max_age_seconds:
+            logger.error(
+                f"Slack request timestamp too old. "
+                f"Current: {current_time}, Request: {request_time}, "
+                f"Diff: {abs(current_time - request_time)}s"
+            )
+            raise SlackSignatureVerificationError(
+                f"Request timestamp is too old (>{max_age_seconds}s). Possible replay attack."
+            )
+        # Format: v0:{timestamp}:{body}
+        sig_basestring = f"v0:{timestamp}:{body}"
+        # Create HMAC-SHA256 hash
+        my_signature = 'v0=' + hmac.new(
+            signing_secret.encode(),
+            sig_basestring.encode(),
+            hashlib.sha256
+        ).hexdigest()
+        if not hmac.compare_digest(my_signature, signature):
+            logger.error(
+                f"Slack signature mismatch. "
+                f"Expected: {my_signature}, Got: {signature}"
+            )
+            raise SlackSignatureVerificationError("Signature verification failed")
+        logger.info("Successfully verified Slack webhook signature")
+        return True
+    except ValueError as e:
+        logger.error(f"Invalid timestamp format: {e}")
+        raise SlackSignatureVerificationError(f"Invalid timestamp: {str(e)}")
+    except Exception as e:
+        logger.error(f"Unexpected error during Slack signature verification: {e}")
+        raise SlackSignatureVerificationError(f"Verification error: {str(e)}")
+def get_slack_signing_secret() -> Optional[str]:
+    """Get Slack signing secret from SLACK_SIGNING_SECRET environment variable."""
+    secret = os.getenv("SLACK_SIGNING_SECRET")
+    if not secret:
+        logger.warning("SLACK_SIGNING_SECRET environment variable not set")
+    return secret
+def extract_slack_headers(headers: dict) -> tuple[Optional[str], Optional[str]]:
+    """Extract Slack signature and timestamp from request headers."""
+    signature = (
+        headers.get('x-slack-signature') or
+        headers.get('X-Slack-Signature')
+    )
+    timestamp = (
+        headers.get('x-slack-request-timestamp') or
+        headers.get('X-Slack-Request-Timestamp')
+    )
+    return signature, timestamp

{langchain_trigger_server-0.2.6rc2 → langchain_trigger_server-0.2.6rc4}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 [project]
 name = "langchain-trigger-server"
-version = "0.2.6rc2"
+version = "0.2.6rc4"
 description = "Generic event-driven triggers framework"
 readme = "README.md"
 requires-python = ">=3.9"