From 6a6524692ab313f6dc41686258098218bd71bc74 Mon Sep 17 00:00:00 2001
From: Bel LaPointe <153096461+breel-render@users.noreply.github.com>
Date: Thu, 11 Apr 2024 17:11:43 -0600
Subject: [PATCH] POST /api/v1/events/slack asserts .token==$SLACK_TOKEN

---
 config.go |  1 +
 main.go   | 15 +++++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/config.go b/config.go
index 3d9c31a..67b624e 100644
--- a/config.go
+++ b/config.go
@@ -13,6 +13,7 @@ import (
 type Config struct {
 	Port            int
 	InitializeSlack bool
+	SlackToken      string
 }
 
 func newConfig() (Config, error) {
diff --git a/main.go b/main.go
index d79eb5e..e33faf6 100644
--- a/main.go
+++ b/main.go
@@ -84,6 +84,7 @@ func handlerPostAPIV1EventsSlackInitialize(w http.ResponseWriter, r *http.Reques
 	}
 	if err := json.Unmarshal(b, &challenge); err != nil {
 		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
 	}
 
 	json.NewEncoder(w).Encode(map[string]any{"challenge": challenge.Challenge})
@@ -91,6 +92,20 @@ func handlerPostAPIV1EventsSlackInitialize(w http.ResponseWriter, r *http.Reques
 
 func _newHandlerPostAPIV1EventsSlack(cfg Config) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
+		b, _ := io.ReadAll(r.Body)
+		r.Body = io.NopCloser(bytes.NewReader(b))
+
+		var token struct {
+			Token string
+		}
+		if err := json.Unmarshal(b, &token); err != nil {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		} else if token.Token != cfg.SlackToken {
+			http.Error(w, "invalid .token", http.StatusForbidden)
+			return
+		}
+
 		http.Error(w, "not impl", http.StatusNotImplemented)
 	}
 }