Skip to content

fix(slack): replace deprecated @slack/events-api with native crypto validation#4313

Merged
angelcaamal merged 11 commits into
mainfrom
fix/remove-deprecated-slack-api
Jun 3, 2026
Merged

fix(slack): replace deprecated @slack/events-api with native crypto validation#4313
angelcaamal merged 11 commits into
mainfrom
fix/remove-deprecated-slack-api

Conversation

@angelcaamal
Copy link
Copy Markdown
Contributor

@angelcaamal angelcaamal commented May 11, 2026
edited
Loading

Description

This PR refactors the Slack function sample to remove the deprecated @slack/events-api library. The request validation has been rewritten to use manual signature verification with the native Node.js crypto module.

Additionally, the test suite has been updated to reflect these changes and ensure stability in the CI pipeline.

Changes included:

  • Security & Webhook Verification: Removed the deprecated @slack/events-api dependency. Implemented native webhook verification using the crypto module. This includes protection against replay attacks (by enforcing a 5-minute request timestamp window) and timing attacks (using crypto.timingSafeEqual).
  • Async/Await Modernization: Refactored the @googleapis/kgsearch client calls to use native async/await instead of outdated callback patterns (new Promise wrappers).
  • Code Cleanup: Removed dangling/unnecessary promise returns at the end of the Cloud Function HTTP handler.
  • Test Suite Updates: Updated Sinon mocks in test/unit.test.js to correctly use .resolves() and .rejects() to match the new Promise-based API calls, replacing the old .yields() callback stubs.

Fixes Internal: b/414440396

Note: Before submitting a pull request, please open an issue for discussion if you are not associated with Google.

Checklist

  • I have followed guidelines from CONTRIBUTING.MD and Samples Style Guide
  • Tests pass: npm test (see Testing)
  • Lint pass: npm run lint (see Style)
  • Required CI tests pass (see CI testing)
  • These samples need a new API enabled in testing projects to pass (let us know which ones)
  • These samples need a new/updated env vars in testing projects set to pass (let us know which ones)
  • This pull request is from a branch created directly off of GoogleCloudPlatform/nodejs-docs-samples. Not a fork.
  • This sample adds a new sample directory, and I updated the CODEOWNERS file with the codeowners for this sample
  • This sample adds a new sample directory, and I created GitHub Actions workflow for this sample
  • This sample adds a new Product API, and I updated the Blunderbuss issue/PR auto-assigner with the codeowners for this sample
  • Please merge this PR for me once it is approved

Note: Any check with (dev), (experimental), or (legacy) can be ignored and should not block your PR from merging (see CI testing).

@angelcaamal angelcaamal added api: cloudfunctions Issues related to the Cloud Run functions API. samples Issues that are directly related to samples. labels May 11, 2026
gemini-code-assist[bot]
gemini-code-assist Bot reviewed May 11, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request replaces the @slack/events-api dependency with a manual implementation of Slack webhook signature verification using the Node.js crypto module. The changes include a new verifyWebhook function and updated integration and unit tests to support the manual signing process. Feedback was provided to enhance security by implementing replay attack protection via timestamp verification, adding explicit checks for the signing secret, and optimizing the HMAC calculation process.

Comment thread functions/slack/index.js
@angelcaamal angelcaamal marked this pull request as ready for review May 12, 2026 18:54
@angelcaamal angelcaamal requested review from a team as code owners May 12, 2026 18:54
XrossFox
XrossFox reviewed May 13, 2026
View reviewed changes
Comment thread functions/slack/test/integration.test.js
Comment thread functions/slack/test/unit.test.js
@angelcaamal angelcaamal requested a review from XrossFox May 13, 2026 20:37
@XrossFox
Copy link
Copy Markdown

XrossFox commented May 13, 2026

LGTM

@angelcaamal
Copy link
Copy Markdown
Contributor Author

angelcaamal commented May 18, 2026

Changes included:

  • Security & Webhook Verification: Removed the deprecated @slack/events-api dependency. Implemented native webhook verification using the crypto module. This includes protection against replay attacks (by enforcing a 5-minute request timestamp window) and timing attacks (using crypto.timingSafeEqual).
  • Async/Await Modernization: Refactored the @googleapis/kgsearch client calls to use native async/await instead of outdated callback patterns (new Promise wrappers).
  • Code Cleanup: Removed dangling/unnecessary promise returns at the end of the Cloud Function HTTP handler.
  • Test Suite Updates: Updated Sinon mocks in test/unit.test.js to correctly use .resolves() and .rejects() to match the new Promise-based API calls, replacing the old .yields() callback stubs.

@angelcaamal angelcaamal merged commit 0d39cce into main Jun 3, 2026
20 of 21 checks passed
@angelcaamal angelcaamal deleted the fix/remove-deprecated-slack-api branch June 3, 2026 18:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@iennae iennae iennae approved these changes

@XrossFox XrossFox Awaiting requested review from XrossFox

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

api: cloudfunctions Issues related to the Cloud Run functions API. samples Issues that are directly related to samples.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@angelcaamal @XrossFox @iennae