Authorizing requests from the Slack API in dotnet (slackSignatureHeader never matches)


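I want to verify Slack API commands and interactive endpoints. I followed the documentation here https://api.slack.com/authentication/verifying-requests-from-slack and tried to convert it to C# code, which gave me this function: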

    private bool VerifySlackRequest(HttpRequest request, IHeaderDictionary headers,
        StringValues slackSignatureHeader)
    {
        string SlackSigningSecret = ConfigurationHelper.SlackSigningSecret;

        // Parse the Unix timestamp that Slack sends with the request
        if (!long.TryParse(headers["X-Slack-Request-Timestamp"].ToString(), out long timestampUnix))
        {
            return false;
        }

        DateTime timestamp = DateTimeOffset.FromUnixTimeSeconds(timestampUnix).UtcDateTime;
        DateTime currentTimestamp = DateTime.UtcNow;

        if (Math.Abs((currentTimestamp - timestamp).TotalSeconds) > 60 * 5)
        {
            // The request timestamp is more than five minutes from local time.
            // It could be a replay attack, so let's ignore it.
            return false;
        }

        // Get the request body as a URL-encoded string
        string requestBody = string.Join("&", request.Form.Select(kvp => $"{kvp.Key}={kvp.Value}"));

        var encoding = new UTF8Encoding();
        using (var hmac = new HMACSHA256(encoding.GetBytes(SlackSigningSecret)))
        {
            var hash = hmac.ComputeHash(encoding.GetBytes($"v0:{headers["X-Slack-Request-Timestamp"]}:{requestBody}"));
            var hashString = $"v0={BitConverter.ToString(hash).Replace("-", "").ToLower(CultureInfo.InvariantCulture)}";
            return hashString.Equals(slackSignatureHeader);
        }
    }

This is how I call the function:

    bool isValidRequest = VerifySlackRequest(Request, Request.Headers, slackSignatureHeader);

    if (!isValidRequest)
    {
        return Unauthorized("Invalid request signature");
    }

I am sure about the SlackSigningSecret, but slackSignatureHeader and hashString never match.

c# .net slack-api
1 answer

0 votes

The problem was how I was getting the request body:

    string requestBody = string.Join("&", request.Form.Select(kvp => $"{kvp.Key}={kvp.Value}"));

When I got it through buffering instead, it worked well:

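    string rawRequestBody = string.Empty;
    request.EnableBuffering();
    // leaveOpen: true keeps request.Body usable after the reader is disposed
    using (var reader = new StreamReader(request.Body, Encoding.UTF8,
        detectEncodingFromByteOrderMarks: false, bufferSize: 1024, leaveOpen: true))
    {
        rawRequestBody = await reader.ReadToEndAsync();
        // Rewind so model binding and later middleware can read the body again
        request.Body.Position = 0;
    }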

If you run into the same problem and rawRequestBody is always empty, add this to Startup.cs:

    app.Use((context, next) =>
    {
        context.Request.EnableBuffering();
        return next();
    });

I wrote a Medium article about it; if anyone is attempting Slack signature verification, you can find it here.
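An added example, not part of the original question or answer: a self-contained console program showing why a signature computed over the raw body matches, while one computed over a body rebuilt from decoded form fields does not. It also compares signatures in constant time. The secret, timestamp and body are constructed sample values, and the class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class SlackSignature
{
    // Computes "v0=" + hex(HMAC-SHA256(secret, "v0:{timestamp}:{body}")).
    public static string Compute(string secret, string timestamp, string body)
    {
        using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
        byte[] hash = hmac.ComputeHash(Encoding.UTF8.GetBytes($"v0:{timestamp}:{body}"));
        return "v0=" + Convert.ToHexString(hash).ToLowerInvariant();
    }

    // Rejects timestamps more than five minutes off, then compares in constant time.
    public static bool Verify(string secret, string timestamp, string rawBody,
                              string signatureHeader, DateTimeOffset now)
    {
        if (!long.TryParse(timestamp, out long unix)) return false;
        if (Math.Abs(now.ToUnixTimeSeconds() - unix) > 60 * 5) return false;

        byte[] expected = Encoding.UTF8.GetBytes(Compute(secret, timestamp, rawBody));
        byte[] received = Encoding.UTF8.GetBytes(signatureHeader ?? string.Empty);
        return CryptographicOperations.FixedTimeEquals(expected, received);
    }

    public static void Main()
    {
        // Constructed sample values, not real Slack data.
        const string secret = "constructed-signing-secret";
        const string timestamp = "1700000000";
        var now = DateTimeOffset.FromUnixTimeSeconds(1700000000);

        // Body bytes as sent on the wire: percent-encoded, '+' for space.
        string rawBody = "command=%2Fdemo&text=hello+world%21";
        // What joining the decoded Request.Form pairs with '&' produces.
        string rebuiltBody = "command=/demo&text=hello world!";

        // The sender signs the raw body, so only the raw body verifies.
        string header = Compute(secret, timestamp, rawBody);

        Console.WriteLine($"raw body:     {Verify(secret, timestamp, rawBody, header, now)}");
        Console.WriteLine($"rebuilt body: {Verify(secret, timestamp, rebuiltBody, header, now)}");
    }
}
```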
