HMAC SHA256 signatures in Python and Flask.

November 6, 2019. python (59), slack (6)

I’m playing around a bit with theSlack API, which I’ll have a longer post on in a bit. One part of the integration requiresgenerating an HMAC SHA256 signature to verify requests are from Slack. There weren’t too many helpful search results, and some of them like thehmac module docsdon’t include examples. Here are some quick notes for folks in future attempting the same thing.

h/t toJoe Kampschmidt’s postwhich covers signing well.

First step is to instrument your test application is capturing the full headers and raw body from a response so you can verify you implementation.

If you’re usingFlaskfor your server, getting at the raw request body turns out to be slightly complicated, as it’ll helpfully attempt to convert data with content-type ofapplication/x-www-form-urlencoded成一个字典,而不是原始的string. This conversion into a dictionary masks most obvious ways to access to the raw string.

Fortunately you can useRequest.get_datato get the raw bodyas long as you do it before callingRequest.form. Itdoeswork fine to callRequest.get_dataand then laterRequest.form, so be careful to sequence them correctly.

def recall_post(request): # must not call request.form here headers = request.headers() data = request.get_data() print(headers) print(data) # calling request.form is fine now request.form return "%s %s" % (headers, data)

Once you have thoes headers and data, you’ll be able to do a test run of generating the signature and comparing it against the sent signature. The values you need to extract from the inbound request are:

timestamp = request.headers['X-Slack-Request-Timestamp'] expected_sig = request.headers['X-Slack-Signature']

You’ll also need to go to your Application page within the Slack dashboard to get your Signing Secret. Once you have these pieces along with the raw POST body retrieved viaRequest.get_data, then you can use those components to test generating your own signature.

import hmac, hashlib body = b'token=etc&team_id=etc&...' timestamp = b'100000000000' base = 'v0:%s:%s' % (timestamp.decode('utf-8'), body.decode('utf-8')) secret = b'1234' computed = hmac.new(secret, base.encode('utf-8'), digestmod=hashlib.sha256).hexdigest() sig = 'v0=%s' % (computed,) print(sig)

If you use real values, this should match exactly the signature from Slack signature in theX-Slack-Signatureheader.

Pulling this all together, the server function will look like:

def verify(request,secret): body = request.get_data() timestamp = request.headers['X-Slack-Request-Timestamp'] sig_basestring = 'v0:%s:%s' % (timestamp, body.decode('utf-8')) computed_sha = hmac.new(secret, sig_basestring.encode('utf-8'), digestmod=hashlib.sha256).hexdigest() my_sig = 'v0=%s' % (computed_sha,) slack_sig = request.headers['X-Slack-Signature'] if my_sig != slack_sig: err_str = "my_sig %s does not equal slack_sig %s" % \ (my_sig, slack_sig)) raise Exception(err_str) def recall_post(request): signing_secret = b'your secret from some config tool' verify(request, signing_secret) return "Signatures match, yay."

Now as long as you callverifyin your handlers, you can be confident that the incoming requests are indeed from Slack. Hopefully this will save someone a few minutes!