Verify Slack Requests in Rails

Slack signs its requests so you can verify they’re authentic.

Here’s a method you can use in your Rails controllers for it.

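def request_verified?
  timestamp = request.headers["X-Slack-Request-Timestamp"]
  signature = request.headers["X-Slack-Signature"]
  signing_secret = ENV.fetch("SLACK_SIGNING_SECRET")

  # reject requests that arrive without the signing headers
  return false if timestamp.blank? || signature.blank?

  # reject old timestamps so a captured request cannot be replayed later
  if Time.at(timestamp.to_i) < 5.minutes.ago
    return false # expired
  end

  # Slack signs "v0:<timestamp>:<raw request body>" with HMAC-SHA256
  basestring = "v0:#{timestamp}:#{request.raw_post}"
  my_signature = "v0=#{OpenSSL::HMAC.hexdigest("SHA256", signing_secret, basestring)}"

  # constant-time comparison avoids leaking how many characters matched
  ActiveSupport::SecurityUtils.secure_compare(my_signature, signature)
end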
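
The same check outside a controller, run against constructed requests so each rejection path is visible. This is an added example, not code from the original post: the function names, the secret and the sample body are assumptions, and it goes slightly further than the method above by also rejecting non-numeric timestamps and timestamps too far in the future.

```ruby
require "openssl"

TOLERANCE = 5 * 60 # seconds, the same five-minute window as the controller method

# Constant-time comparison; stands in for ActiveSupport::SecurityUtils.secure_compare.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Signature Slack would send for this timestamp and raw body.
def slack_signature(secret, timestamp, body)
  "v0=" + OpenSSL::HMAC.hexdigest("SHA256", secret, "v0:#{timestamp}:#{body}")
end

# Returns :ok, or a symbol naming why the request was rejected.
def verify_slack_request(secret:, timestamp:, signature:, body:, now: Time.now)
  return :missing_header if timestamp.to_s.empty? || signature.to_s.empty?
  return :bad_timestamp unless timestamp.to_s.match?(/\A\d+\z/)
  return :expired if (now.to_i - timestamp.to_i).abs > TOLERANCE
  expected = slack_signature(secret, timestamp, body)
  constant_time_equal?(expected, signature) ? :ok : :bad_signature
end

# Constructed sample values, not real Slack data.
SECRET = "constructed-signing-secret"
BODY   = "command=%2Fdeploy&text=staging"
NOW    = Time.at(1_536_900_000)
TS     = NOW.to_i.to_s
SIG    = slack_signature(SECRET, TS, BODY)
OLD_TS = (NOW.to_i - 600).to_s

cases = {
  "valid"         => [TS, SIG, BODY],
  "tampered body" => [TS, SIG, BODY.sub("staging", "production")],
  "replayed late" => [OLD_TS, slack_signature(SECRET, OLD_TS, BODY), BODY],
  "no signature"  => [TS, nil, BODY]
}
cases.each do |name, (ts, sig, body)|
  result = verify_slack_request(secret: SECRET, timestamp: ts, signature: sig, body: body, now: NOW)
  puts "#{name}: #{result}"
end
```

The body passed in must be the raw bytes as received; a re-serialized or parsed-and-rebuilt body will not match the signature.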


Published September 14, 2018

All code examples are public domain.
Use them however you’d like (licensed under CC0).