Slack App Slash Command - Invalid Signature Detected (401 Unauthorized)

Question

Ok, let's set the stage.

I'm trying to build a slack app using Java JDK 14, with gradle and ngrok. (and Slack's SDK module, Bolt)

So far, I've been able to include the dependencies required very easily and my issues don't seem at all associated with my dependency management. It builds. At the very least, it builds.

The slack command configuration:

---

Some notes, because I can't organize my thoughts for some reason.

I make sure to change the request URL each time I refresh ngrok.

I've verified that my slack bot token and my slack signing secret are correct.

The main program code:

package SlackApp;

import com.slack.api.bolt.App;
import com.slack.api.bolt.jetty.SlackAppServer;

public class Program {

    public static void main(String[] args) throws Exception {
        App app = new App();

        app.command("/echo", (req, ctx) -> {
            return ctx.ack(":wave: testing");
        });

        SlackAppServer server = new SlackAppServer(app);
        
        server.start();
    }
}

For some reason, whenever I use the slash command in my development workspace (I haven't started doing oAuth for multiple workspaces, I'm just testing stuff) the logger displays this information (which I have googled and haven't found any appropriate solution for):

INFO com.slack.api.bolt.middleware.builtin.RequestVerification - Invalid signature detected 
- v0=ee1b7da78a098a8b974c119873b1782c843b8bef1dce192b68ea0df4ccf86b23

This is where I am. Slack's documentation says the process of building a slack app is the following:

All your app needs to do to handle slash command requests are:

1. Verify requests from Slack

2. Parse the request body and check if the command is the one you’d like to handle

3. Build a reply message or do whatever you want to do

4. Respond to the Slack API server with 200 OK as an acknowledgment

I'm not actually verifying requests from slack, but I don't think it's necessary doing so if I'm just playing around. Can you offer some insight?

Answer 1

I was facing the exact same issue and this worked for me:

If you are running the project in an IDE, you have to figure out how to set runtime environment variables in your IDE.

I used intelliJ. To set environment variable:

1. From the main menu, select Run | Edit Configurations or choose Edit Configurations from the run/debug configurations selector on the toolbar.
2. From the main menu, select Run | Edit Configurations or choose Edit Configurations from the run/debug configurations selector on the toolbar.
3. In the Run/Debug Configurations dialog, select a configuration where you want to add the environment variables.Type the variable name and value: =.
4. If you want to add several variables, they should be separated with semicolons. In this case it'll be SLACK_BOT_TOKEN=xoxb.....;SLACK_SIGNING_SECRET=xxxxx

And no, you dont need to actually verify requests etc, because the Bolt Middleware does it for you as a builtin Request Verification class

Your app need not return any response manually, everything is taken care of by Bolt itself. Just setting the Env variable should be enough!

Hope this helps!

Answer 2

Adding onto the answer from @deepika-karanji, this error appears when the expected signing secret isn't present when a request is received. To fix this, collect variables from https://api.slack.com/apps. The signing secret is found under Settings > Basic Information > App Credentials and the bot token is under Features > OAuth & Permissions.

Without an IDE these variables can be exported from the command line with the following commands before running your app:

$ export SLACK_BOT_TOKEN=xoxb-example-token
$ export SLACK_SIGNING_SECRET=examplesecret

You can verify these are found while running your app with a few print statements:

package SlackApp;

import com.slack.api.bolt.App;
import com.slack.api.bolt.jetty.SlackAppServer;

public class Program {
    public static void main(String[] args) throws Exception {  
        String token = System.getenv("SLACK_BOT_TOKEN");
        String secret = System.getenv("SLACK_SIGNING_SECRET");
        System.out.println("Token value: " + token);
        System.out.println("Secret value: " + secret);

        // App expects the following environment variables: 
        //   SLACK_BOT_TOKEN
        //   SLACK_SIGNING_SECRET
        App app = new App();
        app.command("/echo", (req, ctx) -> {
            return ctx.ack(":wave: testing");
        });
        SlackAppServer server = new SlackAppServer(app);
        server.start();
    }
}

Reference: https://slack.dev/java-slack-sdk/guides/getting-started-with-bolt#start-the-app-with-two-env-variables