feat(HTTPReceiver): add invalidRequestSignatureHandler callback

[mvanhorn]

Adds invalidRequestSignatureHandler to HTTPReceiver.

Why this matters

PR #2154 added this callback to AwsLambdaReceiver. HTTPReceiver was missing it. Now HTTP apps can hook into signature verification failures too.

Changes

• HTTPReceiver.ts: New HTTPReceiverInvalidRequestSignatureHandlerArgs interface. New option in HTTPReceiverOptions. Constructor wiring with noop default. Fires in the signature-verification catch block with rawBody, signature header, and timestamp.

ExpressReceiver support can follow in a separate PR.

Testing

Codex ran npm test against the change. All existing tests pass.

Refs #2156

This contribution was developed with AI assistance (Claude Code).

[mwbrooks]

Hey @mvanhorn 👋🏻 This sounds like a reasonable enhancement and thank you the explaining the motivation related to the AwsLambdaReceiver.

I'll add a few maintainers to review this PR 👏🏻

In the meantime, can you please add tests for the new changes? I imagine that'll be one of the first requests from the reviewers as well. 🙇🏻

[salesforce-cla]

Thanks for the contribution! Unfortunately we can't verify the commit author(s): Matt Van Horn <m***@m***.local>. One possible solution is to add that email to your GitHub account. Alternatively you can change your commits to another email and force push the change. After getting your commits associated with your GitHub account, sign the Salesforce Inc. Contributor License Agreement and this Pull Request will be revalidated.

[mvanhorn]

Added tests in b8d77a0 - three cases covering: custom handler receives correct args on signature failure, default noop handler doesn't throw, and missing headers pass undefined for signature/ts. Full suite passes (407 tests).

[zimeg]

@mvanhorn Super amazing changes more 🧪 ✨

The most recent commit author might've been configured strange - would it be possible to force push changes with an author that can sign the CLA? 🏛️

Rambles now but slackapi/node-slack-sdk#1135 becomes most curious 👾

[mvanhorn]

Fixed the commit author in 4aa2f01 — both commits now use my GitHub-linked noreply address. CLA should pass on recheck. All 407 tests still passing.

Re: node-slack-sdk#1135 — interesting, hadn't seen that. The invalidRequestSignatureHandler pattern here could serve as a stepping stone toward that kind of unified request validation.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.00%. Comparing base (29167c5) to head (436ae8d).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2827      +/-   ##
==========================================
+ Coverage   93.59%   94.00%   +0.41%     
==========================================
  Files          44       44              
  Lines        7855     7892      +37     
  Branches      687      698      +11     
==========================================
+ Hits         7352     7419      +67     
+ Misses        498      468      -30     
  Partials        5        5              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[changeset-bot]

🦋 Changeset detected

Latest commit: 468f0bd

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@slack/bolt	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[zimeg]

@mvanhorn Thanks for the updates to authorship and quick responses! 🎆

I think this approach moves things in a solid direction and want to leave a few comments that might be useful toward slackapi/node-slack-sdk#1135 in immediate improvement 👾

In quick reference:

• Required ts and signature values might be easier to reference in application code but I understand values from unexpected requests might be missing
• The HTTP interface name might or might not match the AWS interface? I'm curious toward an eventual shared interface 👻
• The placeholder logs might be nice to move into the default implementation so overriding handlers have control of this output?

A note for documentation might also be nice to include, and brings up a callout that we could surface this as a top-level App option as well:

HTTPReceiver options can be passed into the App constructor, just like the Bolt app options.

I'm curious to your thoughts for all of these behaviors! Thanks for bringing this feature so far already too.

[zimeg]

🐣 note: Here are findings of the adjacent implementation:

bolt-js/src/receivers/AwsLambdaReceiver.ts

Lines 51 to 57 in a8b7880

	export interface ReceiverInvalidRequestSignatureHandlerArgs {
	rawBody: string;
	signature: string;
	ts: number;
	awsEvent: AwsEvent;
	awsResponse: Promise<AwsResponse>;
	}

[zimeg]

Suggested change

	export interface HTTPReceiverInvalidRequestSignatureHandlerArgs {
	rawBody: string;
	signature: string | undefined;
	ts: number | undefined;
	}
	export interface HTTPReceiverInvalidRequestSignatureHandlerArgs {
	rawBody: string;
	signature: string;
	ts: number;
	}

👁️‍🗨️ thought: I'd be curious to use default values here and perhaps matching the adjacent interface name, but I'm less confident about the second point...

[zimeg]

Suggested change

	signature: req.headers['x-slack-signature'] as string | undefined,
	ts: req.headers['x-slack-request-timestamp'] ? Number(req.headers['x-slack-request-timestamp']) : undefined,
	signature: req.headers['x-slack-signature'] as string,
	ts: Number(req.headers['x-slack-request-timestamp']),

👾 suggestion: This might bring more strict typing?

[zimeg]

📚 suggestion: While it's not shared in other options right now we might add @jsdoc to this?

Let's also surface this in documentation here:

🔗 https://docs.slack.dev/tools/bolt-js/reference#receiver-options

[mvanhorn]

Thanks for the careful review @zimeg. Pushed 3c1f24c addressing most of the feedback:

Interface shape (HTTPReceiverInvalidRequestSignatureHandlerArgs):

• signature: string (default '' when the header is missing) and ts: number (default 0), matching the ReceiverInvalidRequestSignatureHandlerArgs shape on the AWS receiver so override handlers don't have to keep narrowing string | undefined.
• Added logger: Logger to the args so overrides can emit their own output using the receiver's configured logger.

Default handler behavior:

• Moved the default warn log into defaultInvalidRequestSignatureHandler so overriding handlers can fully suppress/replace it. Format mirrors the AWS receiver's default: Invalid request signature detected (X-Slack-Signature: ..., X-Slack-Request-Timestamp: ...).
• Stricter header extraction at the call site ((req.headers['x-slack-signature'] as string) ?? '', Number(req.headers['x-slack-request-timestamp']) || 0).

Docs:

• Added jsdoc on the invalidRequestSignatureHandler option describing the 401 contract and the override behavior. Happy to also PR the reference doc update at https://docs.slack.dev/tools/bolt-js/reference#receiver-options - let me know if you'd like that here or as a follow-up.

Held off on:

• Renaming HTTPReceiverInvalidRequestSignatureHandlerArgs to match the AWS ReceiverInvalidRequestSignatureHandlerArgs or unifying them. Unifying makes sense but would touch the AWS awsEvent / awsResponse fields, which feels like scope creep on this PR. Happy to do it as a follow-up if you'd prefer.
• Surfacing as a top-level App option. Also a follow-up candidate - the App constructor currently lets HTTPReceiver options pass through via receiverOptions, so users can opt in today.

Updated the two existing tests that asserted undefined signature/ts to check the new defaults and the logger. npm test green (467 passing), biome clean, typecheck clean.

[zimeg]

@mvanhorn Thank you for bringing this to a great place! I'm requesting another change for a scoped PR but am hoping we can extend this more in follow ups as needed after landing this 🎁

[zimeg]

Suggested change

logger: Logger;

🪓 quibble: I'm curious for adding this too but perhaps it's better to revisit in a follow up PR to match for AwsLambdaReceiver as well? This motivates slackapi/node-slack-sdk#1135 more for me!

🔬 note: Please do let me know if implementations without it find error or strange patterns, either in calling code or this package! I'm curious for examples that we can support as well.

[mvanhorn]

@zimeg done in 468f0bd. Dropped logger: Logger from HTTPReceiverInvalidRequestSignatureHandlerArgs so the interface matches ReceiverInvalidRequestSignatureHandlerArgs on AwsLambdaReceiver. The default handler now reaches for this.logger.warn directly (same pattern AwsLambdaReceiver uses in its defaultInvalidRequestSignatureHandler).

Leaves the eventual shared-interface refactor to the follow-up PR you mentioned in #1135.

Verified: npm test passes (build + biome + tsd + 20 HTTPReceiver unit tests including the 3 invalidRequestSignatureHandler cases, updated to assert logger is no longer present on args).