Opened 6 weeks ago
Last modified 6 weeks ago
#8120 new enhancement
Slack Apps: Switch from Token verification to Signed Request validation
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | low |
| Component: | Communication (Matrix, Slack, IRC) | Keywords: | |
| Cc: | | | |
Description
Slack has deprecated the Token validation for its API / apps and added signature validation methods:
https://docs.slack.dev/authentication/verifying-requests-from-slack/
At the time of our Slack integrations, signed requests weren't available, and so we're still using the token verification process.
It appears the Slack signing uses HMAC + SHA256.
We should update this, as Slack may remove this functionality in the future, and signature validation is more secure all round.
This is a hardening issue, not a security vulnerability.
This isn't available for a bunch of our integrations, as we're not using Slack Apps for most things, but rather direct deprecated integrations (Incoming/Outgoing webhooks and Slash commands).
See also [14583].