Handle either signing secrets

app/controllers/sailors_log/slack_controller.rb

@@ -41,11 +41,24 @@ class SailorsLog::SlackController < ApplicationController
     # Skip verification in development
     return true if Rails.env.development?
 
-    slack_signing_secret = ENV["SAILORS_LOG_SLACK_SIGNING_SECRET"]
     sig_basestring = "v0:#{timestamp}:#{request.raw_post}"
-    my_signature = "v0=" + OpenSSL::HMAC.hexdigest("SHA256", slack_signing_secret, sig_basestring)
 
-    unless ActiveSupport::SecurityUtils.secure_compare(my_signature, signature)
+    # Try both signing secrets
+    sailors_log_signature = "v0=" + OpenSSL::HMAC.hexdigest(
+      "SHA256",
+      ENV["SAILORS_LOG_SLACK_SIGNING_SECRET"],
+      sig_basestring
+    )
+
+    harbor_signature = "v0=" + OpenSSL::HMAC.hexdigest(
+      "SHA256",
+      ENV["SLACK_SIGNING_SECRET"],
+      sig_basestring
+    )
+
+    # Check if the request matches either signature
+    unless ActiveSupport::SecurityUtils.secure_compare(sailors_log_signature, signature) ||
+           ActiveSupport::SecurityUtils.secure_compare(harbor_signature, signature)
       head :unauthorized
       nil
     end

slack_manifest_harbor.yml

@@ -1,6 +1,15 @@
 # from https://app.slack.com/app-settings/T0266FRGM/A08EJ0W7N82/app-manifest
 display_information:
   name: harbor
+features:
+  bot_user:
+    display_name: harbor
+    always_online: false
+  slash_commands:
+    - command: /timedump
+      url: https://timedump.hackclub.com/timedump/slack/commands
+      description: check your time dump!
+      should_escape: false
 oauth_config:
   redirect_urls:
     - http://localhost:3000/auth/slack/callback