GitLab for Slack app slash commands endpoint should verify Slack request
About
The existing API endpoint that handles slash commands for the GitLab for Slack app integration currently authenticates the Slack request using a `token` param, which is a method of authenticating Slack requests that Slack has deprecated.
From the Slack docs:
We'll continue allowing apps to use verification tokens for now. However, we will retire them completely in coming months. We strongly recommend switching to request signing as soon as possible.
Instead, we should verify the Slack request using the new method of computing a request signature, using the same `Slack::Concerns::VerifiesRequest` module that is already used in specific API endpoints that receive GitLab for Slack app requests (see example of use).
All GitLab instances that have the GitLab for Slack app configured will have the required `slack_app_signing_secret` configured, because it is required and is already used by some other GitLab for Slack app endpoints.
The change should be feature-flagged first, out of caution.
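For reference, this is what request-signature verification looks like, as an added stand-alone example (not GitLab's `Slack::Concerns::VerifiesRequest` module). It follows Slack's documented scheme: HMAC-SHA256 over `v0:<timestamp>:<raw body>` with the signing secret, compared in constant time against the `X-Slack-Signature` header, and rejects requests whose `X-Slack-Request-Timestamp` is older than five minutes; the secret and the slash-command body below are constructed sample values.

```ruby
require 'openssl'

# Verifies Slack request signatures (added example; assumes Slack's documented
# X-Slack-Signature / X-Slack-Request-Timestamp scheme).
module SlackRequestVerifier
  VERSION = 'v0'
  MAX_AGE_SECONDS = 5 * 60 # replay window: reject older requests

  # Expected signature for a raw (unparsed) request body and its timestamp.
  def self.expected_signature(signing_secret, timestamp, raw_body)
    basestring = "#{VERSION}:#{timestamp}:#{raw_body}"
    digest = OpenSSL::HMAC.hexdigest('SHA256', signing_secret, basestring)
    "#{VERSION}=#{digest}"
  end

  # Constant-time string comparison so a mismatch does not leak via timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # True only if the timestamp is fresh and the signature header matches.
  def self.valid?(signing_secret:, timestamp:, raw_body:, signature:, now: Time.now.to_i)
    return false if timestamp.nil? || signature.nil?
    return false if (now - timestamp.to_i).abs > MAX_AGE_SECONDS

    secure_equal?(expected_signature(signing_secret, timestamp, raw_body), signature)
  end
end

# Constructed sample request (not real Slack data).
SAMPLE_SECRET = '8f742231b10e8888abcd99yyyzzz85a5'
SAMPLE_TIMESTAMP = '1531420618'
SAMPLE_BODY = 'token=xyzz0WbapA4vBCDEFasx0q6G&team_id=T1DC2JH3J&command=%2Fgitlab&text=issue+show+1'

def verify_sample(body: SAMPLE_BODY, signature: nil, now: SAMPLE_TIMESTAMP.to_i)
  signature ||= SlackRequestVerifier.expected_signature(SAMPLE_SECRET, SAMPLE_TIMESTAMP, SAMPLE_BODY)
  SlackRequestVerifier.valid?(signing_secret: SAMPLE_SECRET, timestamp: SAMPLE_TIMESTAMP,
                              raw_body: body, signature: signature, now: now)
end

if __FILE__ == $PROGRAM_NAME
  puts "genuine request:  #{verify_sample}"
  puts "tampered body:    #{verify_sample(body: SAMPLE_BODY + '&text=issue+close+1')}"
  puts "stale timestamp:  #{verify_sample(now: SAMPLE_TIMESTAMP.to_i + 3600)}"
end
```

The verification must run over the raw request body bytes before any parameter parsing, since re-serialising parsed params changes the string that was signed.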