From 7c5a28849950d8518641a963ded3ea47a655366f Mon Sep 17 00:00:00 2001
From: Max Wofford
Date: Sat, 1 Mar 2025 10:07:18 -0600
Subject: [PATCH] Handle either signing secrets

---
 .../sailors_log/slack_controller.rb | 19 ++++++++++++++++---
 slack_manifest_harbor.yml | 9 +++++++++
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/app/controllers/sailors_log/slack_controller.rb b/app/controllers/sailors_log/slack_controller.rb
index 4570ae8..b2d9c09 100644
--- a/app/controllers/sailors_log/slack_controller.rb
+++ b/app/controllers/sailors_log/slack_controller.rb
@@ -41,11 +41,24 @@ class SailorsLog::SlackController < ApplicationController
     # Skip verification in development
     return true if Rails.env.development?
 
-    slack_signing_secret = ENV["SAILORS_LOG_SLACK_SIGNING_SECRET"]
     sig_basestring = "v0:#{timestamp}:#{request.raw_post}"
-    my_signature = "v0=" + OpenSSL::HMAC.hexdigest("SHA256", slack_signing_secret, sig_basestring)
 
-    unless ActiveSupport::SecurityUtils.secure_compare(my_signature, signature)
+    # Try both signing secrets
+    sailors_log_signature = "v0=" + OpenSSL::HMAC.hexdigest(
+      "SHA256",
+      ENV["SAILORS_LOG_SLACK_SIGNING_SECRET"],
+      sig_basestring
+    )
+
+    harbor_signature = "v0=" + OpenSSL::HMAC.hexdigest(
+      "SHA256",
+      ENV["SLACK_SIGNING_SECRET"],
+      sig_basestring
+    )
+
+    # Check if the request matches either signature
+    unless ActiveSupport::SecurityUtils.secure_compare(sailors_log_signature, signature) ||
+           ActiveSupport::SecurityUtils.secure_compare(harbor_signature, signature)
       head :unauthorized
       nil
     end
diff --git a/slack_manifest_harbor.yml b/slack_manifest_harbor.yml
index faa86d3..f3cdc6e 100644
--- a/slack_manifest_harbor.yml
+++ b/slack_manifest_harbor.yml
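Review bot: A missing secret now raises instead of rejecting: `OpenSSL::HMAC.hexdigest` is called unconditionally with both `ENV["SAILORS_LOG_SLACK_SIGNING_SECRET"]` and `ENV["SLACK_SIGNING_SECRET"]`, so in a deployment that sets only one of them (the case this commit appears to support) the nil key raises a TypeError before any comparison and every Slack request fails with a 500 rather than a 401. Computing a candidate signature only for the secrets that are actually present, and dropping blank values so an accidentally empty variable cannot become a known HMAC key, keeps the fallback safe; iterating the secrets with `any?` also removes the duplicated hexdigest call and the `unless … || …` form the style guide discourages. Whether `signature` and `timestamp` were checked for presence earlier in the enclosing method is not visible here, since that method starts outside the hunk; `secure_compare` raises on a nil argument, so passing `signature.to_s` is a cheap guard either way.
```ruby
    sig_basestring = "v0:#{timestamp}:#{request.raw_post}"

    # Accept a signature computed with either app's secret; skip unset or blank
    # secrets rather than HMAC-ing with a nil or empty key.
    signing_secrets = ENV.values_at("SAILORS_LOG_SLACK_SIGNING_SECRET", "SLACK_SIGNING_SECRET").reject(&:blank?)
    signature_valid = signing_secrets.any? do |secret|
      expected = "v0=" + OpenSSL::HMAC.hexdigest("SHA256", secret, sig_basestring)
      ActiveSupport::SecurityUtils.secure_compare(expected, signature.to_s)
    end

    unless signature_valid
      # … unchanged: head :unauthorized / nil …
    end
```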
@@ -1,6 +1,15 @@
 # from https://app.slack.com/app-settings/T0266FRGM/A08EJ0W7N82/app-manifest
 display_information:
   name: harbor
+features:
+  bot_user:
+    display_name: harbor
+    always_online: false
+  slash_commands:
+    - command: /timedump
+      url: https://timedump.hackclub.com/timedump/slack/commands
+      description: check your time dump!
+      should_escape: false
 oauth_config:
   redirect_urls:
     - http://localhost:3000/auth/slack/callback
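Review bot: `should_escape: false` on the new `/timedump` command means Slack delivers the command's `text` with user, channel and link mentions unescaped, so the handler behind `https://timedump.hackclub.com/timedump/slack/commands` has to treat that field as untrusted input and must not render it back verbatim into a message or page; that handler is not part of this diff, so this is worth confirming. If the handler only parses the text and never echoes it, a short comment above the flag such as `# text is parsed, never rendered; raw mentions are acceptable` would record why escaping was turned off.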