Add flag to AwsLambdaReceiver to enable/disable signature verification

[noah-guillory]

Summary

Resolves #2104

This adds a flag to the AwsLambdaReceiver so that signature verification can be disabled, similar to the HTTPReceiver. This allows callers to disable signature verification if they already have something upstream of their Lambda function using the Bolt SDK performing signature verification.

Requirements (place an x in each [ ])

• I've read and understood the Contributing Guidelines and have done my best effort to follow them.
• I've read and agree to the Code of Conduct.

[filmaj]

Really appreciate you sending this PR @noah-guillory !

Had some issues this morning with some tests failing due to some transient dependency versions floating around, but those failures on main should be resolve now. If you rebase or merge the latest main into this branch (I think you just did that!) then we should see the tests passing.

[noah-guillory]

Really appreciate you sending this PR @noah-guillory !

Had some issues this morning with some tests failing due to some transient dependency versions floating around, but those failures on main should be resolve now. If you rebase or merge the latest main into this branch (I think you just did that!) then we should see the tests passing.

No problem! And yeah I noticed that my fork was out of date so I did merge in main. Looks like most of the CI is working now too, other than the Node 20 failing on the upload to Codecov step.

[filmaj]

Looks great! Left a few comments about property optionality and documenting the interface properties.

Also, don't worry about the node v20 tests failing - seems like that is due to this PR coming from your fork and that somehow not jiving with the codecov coverage upload reporting (i'll try to figure out how to avoid that problem when I have time this week)

[filmaj]

Hmm, in the interest of keeping it consistent with the HTTPReceiver, let's not make this property optional. FWIW I agree with your approach - if you turn off signature verification, there's no point in storing the signing secret - but there's a more accurate and exact approach we can use to express this in TypeScript, though it will be a breaking change (which we should wait for bolt v4; I was thinking we could use a union expressing different sets of options when signatureVerification is true vs. false).

Anywho, that's just musings for the future. In the mean time, let's just keep it consistent with HTTPReceiver and keep this property as required. I think this also reduces the chance that someone accidentally forgets to add their signing secret and they end up hitting the "Invalid Signature" error at runtime.

[noah-guillory]

Sure thing, made it required in 3fd0b3d.

I was thinking we could use a union expressing different sets of options when signatureVerification is true vs. false).

Yeah I think that would be a great approach too. As a consumer, I'd only want to be able to represent a single state of how I want signature verification configured. I've been on this kind of kick lately after reading this article on HN the other day: https://geeklaunch.io/blog/make-invalid-states-unrepresentable/

[filmaj]

Damn that is an awesome post, this part particularly resonated with me:

In order to reduce bugs, we therefore need to minimize this gap, and to do that, we can either:

increase the number of cases handled by the code, or,
decrease the number of representable states.
Increasing the number of cases handled by the code tends to increase its complexity, and complex code also has a high tendency to be buggy if you’re not careful. Therefore, in this post, we’re covering the latter strategy: decreasing the number of representable states.

I love the way this is framed: reducing complexity by decreasing the number of representable states. 🤯

[filmaj]

While we're here, do you mind adding some JSDoc descriptors for what these properties mean? Would be a nice touch for developers to see that as they edit their code in their IDEs supporting autocomplete.

You don't have to do it for all the properties here, but at least for the ones you are changing, that would be much appreciated ❤️

[noah-guillory]

I took a stab at adding JSDocs for everything. Let me know if any of them aren't quite correct!

[filmaj]

Let's remove this default as well. This should be explicitly set by the dev, even if the intention is to disable verification. Disabling signature verification is very dangerous, as then outsiders could maliciously spoof Slack events.

[noah-guillory]

Ah yeah, sure thing. Removed!

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 82.03%. Comparing base (06b0f61) to head (dd5bf1d).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2107      +/-   ##
==========================================
+ Coverage   81.99%   82.03%   +0.03%     
==========================================
  Files          18       18              
  Lines        1533     1536       +3     
  Branches      440      442       +2     
==========================================
+ Hits         1257     1260       +3     
  Misses        178      178              
  Partials       98       98              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[filmaj]

So good! Thanks a lot 🙇
Will merge as soon as the tests pass.