feat: add Slack webhook validator

Yizack · Yizack · commit 5e782158179d · 2025-12-09T13:28:58.000-05:00
diff --git a/README.md b/README.md
@@ -14,7 +14,7 @@ A simple nuxt module that works on the edge to easily validate incoming webhooks
 
 ## Features
 
-- 20 [Webhook validators](#supported-webhook-validators)
+- 21 [Webhook validators](#supported-webhook-validators)
 - Works on the edge
 - Exposed [Server utils](#server-utils)
 
@@ -95,6 +95,7 @@ Go to [playground/.env.example](./playground/.env.example) or [playground/nuxt.c
 - Polar
 - Resend
 - Shopify
+- Slack
 - Stripe
 - Svix
 - Twitch
diff --git a/playground/.env.example b/playground/.env.example
@@ -45,6 +45,9 @@ NUXT_WEBHOOK_RESEND_SECRET_KEY=
 # Shopify Validator
 NUXT_WEBHOOK_SHOPIFY_SECRET_KEY=
 
+# Slack Validator
+NUXT_WEBHOOK_SLACK_SECRET_KEY=
+
 # Stripe Validator
 NUXT_WEBHOOK_STRIPE_SECRET_KEY=
 
diff --git a/playground/nuxt.config.ts b/playground/nuxt.config.ts
@@ -57,6 +57,9 @@ export default defineNuxtConfig({
       shopify: {
         secretKey: '',
       },
+      slack: {
+        secretKey: '',
+      },
       stripe: {
         secretKey: '',
       },
diff --git a/playground/server/api/webhooks/slack.post.ts b/playground/server/api/webhooks/slack.post.ts
@@ -0,0 +1,13 @@
+export default defineEventHandler(async (event) => {
+  const body = await readBody(event)
+
+  if (body.challenge) {
+    return body.challenge
+  }
+
+  const isValidWebhook = await isValidSlackWebhook(event)
+
+  if (!isValidWebhook) throw createError({ statusCode: 401, message: 'Unauthorized: webhook is not valid' })
+
+  return { isValidWebhook }
+})
diff --git a/src/module.ts b/src/module.ts
@@ -82,6 +82,10 @@ export default defineNuxtModule<ModuleOptions>({
     runtimeConfig.webhook.shopify = defu(runtimeConfig.webhook.shopify, {
       secretKey: '',
     })
+    // Slack Webhook
+    runtimeConfig.webhook.slack = defu(runtimeConfig.webhook.slack, {
+      secretKey: '',
+    })
     // Stripe Webhook
     runtimeConfig.webhook.stripe = defu(runtimeConfig.webhook.stripe, {
       secretKey: '',
diff --git a/src/runtime/server/lib/validators/slack.ts b/src/runtime/server/lib/validators/slack.ts
@@ -0,0 +1,34 @@
+import { type H3Event, getRequestHeaders, readRawBody } from 'h3'
+import { computeSignature, HMAC_SHA256, ensureConfiguration } from '../helpers'
+
+const SLACK_SIGNATURE = 'X-Slack-Signature'.toLowerCase()
+const SLACK_TIMESTAMP = 'X-Slack-Request-Timestamp'.toLowerCase()
+const DEFAULT_TOLERANCE = 300 // 5 minutes
+
+/**
+ * Validates Slack webhooks on the Edge
+ * @see {@link https://docs.slack.dev/authentication/verifying-requests-from-slack/}
+ * @param event H3Event
+ * @returns {boolean} `true` if the webhook is valid, `false` otherwise
+ */
+export const isValidSlackWebhook = async (event: H3Event): Promise<boolean> => {
+  const config = ensureConfiguration('slack', event)
+
+  const headers = getRequestHeaders(event)
+  const body = await readRawBody(event)
+
+  const fullSignature = headers[SLACK_SIGNATURE]
+  const timestamp = headers[SLACK_TIMESTAMP]
+
+  if (!body || !fullSignature || !timestamp) return false
+
+  // Validate the timestamp to avoid replay attacks
+  const now = Math.floor(Date.now() / 1000)
+  if (now - Number.parseInt(timestamp) > DEFAULT_TOLERANCE) return false
+
+  const [signatureVersion, webhookSignature] = fullSignature.split('=')
+  const payload = `${signatureVersion}:${timestamp}:${body}`
+
+  const computedHash = await computeSignature(config.secretKey, HMAC_SHA256, payload)
+  return computedHash === webhookSignature
+}
diff --git a/test/events.ts b/test/events.ts
@@ -11,6 +11,7 @@ export { simulateTwitchEvent } from './simulations/twitch'
 export { simulatePaypalEvent } from './simulations/paypal'
 export { simulateResendEvent } from './simulations/resend'
 export { simulateShopifyEvent } from './simulations/shopify'
+export { simulateSlackEvent } from './simulations/slack'
 export { simulateStripeEvent } from './simulations/stripe'
 export { simulateSvixEvent } from './simulations/svix'
 export { simulateNuxthubEvent } from './simulations/nuxthub'
diff --git a/test/fixtures/basic/nuxt.config.ts b/test/fixtures/basic/nuxt.config.ts
@@ -56,6 +56,9 @@ export default defineNuxtConfig({
       shopify: {
         secretKey: 'testShopifySecretKey',
       },
+      slack: {
+        secretKey: 'testSlackSecretKey',
+      },
       stripe: {
         secretKey: 'testStripeSecretKey',
       },
diff --git a/test/simulations/slack.ts b/test/simulations/slack.ts
@@ -0,0 +1,29 @@
+import { subtle } from 'node:crypto'
+import { Buffer } from 'node:buffer'
+import { $fetch } from '@nuxt/test-utils/e2e'
+import { encoder, HMAC_SHA256 } from '../../src/runtime/server/lib/helpers'
+import nuxtConfig from '../fixtures/basic/nuxt.config'
+
+const body = { data: 'testBody' }
+const secretKey = nuxtConfig.runtimeConfig?.webhook?.slack?.secretKey
+const signatureVersion = 'v0'
+
+export const simulateSlackEvent = async () => {
+  const timestamp = Math.floor(Date.now() / 1000)
+  const signingPayload = `${signatureVersion}:${timestamp}:${JSON.stringify(body)}`
+  const signature = await subtle.importKey('raw', encoder.encode(secretKey), HMAC_SHA256, false, ['sign'])
+  const hmac = await subtle.sign(HMAC_SHA256.name, signature, encoder.encode(signingPayload))
+  const computedHash = Buffer.from(hmac).toString('hex')
+  const validSignature = `${signatureVersion}=${computedHash}`
+
+  const headers = {
+    'X-Slack-Signature': validSignature,
+    'X-Slack-Request-Timestamp': timestamp.toString(),
+  }
+
+  return $fetch<{ isValidWebhook: boolean }>('/api/webhooks/slack', {
+    method: 'POST',
+    headers,
+    body,
+  })
+}
