fix: reject empty signingSecret to prevent involuntary signature bypass

[WilliamBergamin]

Summary

• Reject empty signingSecret ('') at initialization across all receivers and in the request verification layer to prevent accidental verification bypass
• Add a shared verifySigningSecret() helper that validates the signing secret is a non-empty string when signature verification is enabled
• Add comprehensive unit tests for the new validation across App, HTTPReceiver, ExpressReceiver, AwsLambdaReceiver, verifyRequest, and verifySigningSecret

Motivation

Previously, passing an empty string ('') as signingSecret did not trigger an error, the value is truthy enough to pass === undefined checks but propagates to createHmac("sha256", ""), which produces a valid HMAC keyed with an empty secret. This would bypass the request verification without warning the user.

The proper way to disable signature verification is by setting signatureVerification: false

Reproduction

Server with issue (app.js):

import { App } from '@slack/bolt';

const app = new App({
  signingSecret: '',
  port: 3000,
  authorize: async () => ({ botToken: 'xoxb-fake', botId: 'B000', botUserId: 'U000' }),
});

app.event('app_mention', async ({ event }) => {
  console.log(`Received app_mention from ${event.user}: ${event.text}`);
});

await app.start();
console.log('Vulnerable server listening on :3000');

Forged request:

TIMESTAMP=$(date +%s) && \
BODY='{"type":"url_verification","challenge":"bypass-confirmed"}' && \
curl -X POST http://localhost:3000/slack/events \
  -H "Content-Type: application/json" \
  -H "x-slack-request-timestamp: $TIMESTAMP" \
  -H "x-slack-signature: v0=$(printf "v0:${TIMESTAMP}:${BODY}" | openssl dgst -sha256 -hmac '' | awk '{print $NF}')" \
  -d "$BODY"

With this fix applied, the App constructor now throws an AppInitializationError and receivers throw a ReceiverInitializationError, preventing the server from starting with an empty signing secret.

Requirements

• I've read and understood the Contributing Guidelines and have done my best effort to follow them.
• I've read and agree to the Code of Conduct.

[changeset-bot]

🦋 Changeset detected

Latest commit: 28d09d8

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@slack/bolt	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[zimeg]

🧪 Taking a look at failing E2E tests now but the failure seems unrelated to these changes.

[zimeg]

@WilliamBergamin Such huge thanks for getting this fix set to release 🏁

I left a comment on the Express receiver implementation but that's covered well in testing so we might decide to follow up with changes. For now let's get this merged 🚢 💨

[zimeg]

🌟 praise: Fan of the generic false checks!

[zimeg]

🔬 question: Is this alright as a best effort check? I'm wondering if we should follow up with an addition that handles the function case?

🗣️ ramble: I notice the empty string case from "function" inputs is caught with more confidence in buildVerificationBodyParserMiddleware so don't consider this a blocker! I'm hoping to mirror implementations across receivers however with these checks all together near the start of this constructor!

[zimeg]

🧪 praise: More explicit test cases like this are nice!

[zimeg]

🧪 The failing E2E tests are hoped to resolve on main but I'll follow up if changes are needed more!