From e8718e7bfb0d4a49c3eb373717aa4d7513de0acd Mon Sep 17 00:00:00 2001
From: Max Wofford
Date: Thu, 5 Jun 2025 13:55:25 -0400
Subject: [PATCH] Attempt to fix slack signing secret always passing

---
 app/controllers/slack_controller.rb | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/app/controllers/slack_controller.rb b/app/controllers/slack_controller.rb
index d68f57b..be1b86b 100644
--- a/app/controllers/slack_controller.rb
+++ b/app/controllers/slack_controller.rb
@@ -50,7 +50,7 @@ class SlackController < ApplicationController
 
   def verify_slack_request
     timestamp = request.headers["X-Slack-Request-Timestamp"]
-    signature = request.headers["X-Slack-Signature"]
+    received_signature = request.headers["X-Slack-Signature"]
 
     # Skip verification in development
     return true if Rails.env.development?
@@ -61,15 +61,14 @@ class SlackController < ApplicationController
 
     sig_basestring = "v0:#{timestamp}:#{request.raw_post}"
 
-    # Try both signing secrets
-    signature = "v0=" + OpenSSL::HMAC.hexdigest(
+    computed_signature = "v0=" + OpenSSL::HMAC.hexdigest(
       "SHA256",
       signing_secret,
       sig_basestring
     )
 
     # Check if the request matches signature
-    unless ActiveSupport::SecurityUtils.secure_compare(signature, signature)
+    unless ActiveSupport::SecurityUtils.secure_compare(received_signature, computed_signature)
       head :unauthorized
       nil
     end
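Review bot: With `received_signature` now read straight from the `X-Slack-Signature` header, a request that omits that header reaches `ActiveSupport::SecurityUtils.secure_compare(received_signature, computed_signature)` in the second hunk with `nil`, which raises NoMethodError on `nil.bytesize` and turns an unsigned request into a 500 instead of the intended 401; a missing `X-Slack-Request-Timestamp` is quieter but just produces a `v0::` basestring. Unless the lines omitted between the two hunks already reject missing headers, add a guard right after the development-mode skip in the first hunk, as sketched below, and, if it is not already there, a freshness check on `timestamp` so a captured signed request cannot be replayed indefinitely (Slack's guidance is to reject timestamps more than five minutes old). The same point applies to both hunks of `verify_slack_request`, whose body continues between them outside the view.
```ruby
    received_signature = request.headers["X-Slack-Signature"]
    # … unchanged: development-mode skip …
    # A request without both headers cannot be verified; a nil signature would
    # also make secure_compare raise, turning a rejection into a 500.
    if timestamp.blank? || received_signature.blank?
      head :unauthorized
      return nil
    end
```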