feat(HTTPReceiver): add invalidRequestSignatureHandler callback #2827

Open
mvanhorn wants to merge 4 commits into slackapi:main from mvanhorn:osc/2156-invalid-sig-handler

@mvanhorn

Adds invalidRequestSignatureHandler to HTTPReceiver.

Why this matters

PR #2154 added this callback to AwsLambdaReceiver. HTTPReceiver was missing it. Now HTTP apps can hook into signature verification failures too.

Changes

  • HTTPReceiver.ts: New HTTPReceiverInvalidRequestSignatureHandlerArgs interface. New option in HTTPReceiverOptions. Constructor wiring with noop default. Fires in the signature-verification catch block with rawBody, signature header, and timestamp.

ExpressReceiver support can follow in a separate PR.

Testing

Codex ran npm test against the change. All existing tests pass.

Refs #2156

This contribution was developed with AI assistance (Claude Code).
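
What a handler wired into this callback can do on a failed check, as an added example that is not part of the PR or of Bolt's code: a stand-in verifier for Slack's v0 request signing calls `invalidRequestSignatureHandler` with `rawBody`, `signature` and `ts` (field names assumed from the description above), and the handler records a digest and size of the body instead of the body itself. `verifyRequest`, `makeAuditHandler`, `demo` and all sample values are hypothetical and constructed for illustration.

```javascript
const crypto = require("node:crypto");

// Slack's v0 scheme: HMAC-SHA256 over "v0:<timestamp>:<raw body>".
function sign(secret, ts, rawBody) {
  const mac = crypto.createHmac("sha256", secret).update(`v0:${ts}:${rawBody}`);
  return `v0=${mac.digest("hex")}`;
}

// Hypothetical stand-in for the receiver's verification step (not Bolt's code).
// On any failure it calls the handler with { rawBody, signature, ts } (names assumed).
function verifyRequest({ secret, headers, rawBody, nowSec }, invalidRequestSignatureHandler = () => {}) {
  const signature = headers["x-slack-signature"];
  const tsHeader = headers["x-slack-request-timestamp"];
  const ts = tsHeader === undefined ? undefined : Number(tsHeader);
  let ok = false;
  if (signature !== undefined && Number.isFinite(ts) && Math.abs(nowSec - ts) <= 300) {
    const expected = Buffer.from(sign(secret, ts, rawBody));
    const given = Buffer.from(signature);
    // timingSafeEqual throws on unequal lengths, so compare lengths first.
    ok = given.length === expected.length && crypto.timingSafeEqual(given, expected);
  }
  if (!ok) invalidRequestSignatureHandler({ rawBody, signature, ts });
  return ok;
}

// Handler for detection: keeps a digest and size of the body, never the body.
function makeAuditHandler(sink, nowSec) {
  return ({ rawBody, signature, ts }) => {
    sink.push({
      event: "slack_invalid_signature",
      reason: signature === undefined || ts === undefined ? "missing_headers" : "mismatch_or_stale",
      skewSec: ts === undefined ? null : nowSec - ts,
      bodyBytes: Buffer.byteLength(rawBody),
      bodySha256: crypto.createHash("sha256").update(rawBody).digest("hex"),
    });
  };
}

// Constructed sample input: one valid, one forged, one header-less request.
function demo() {
  const secret = "constructed-signing-secret";
  const nowSec = 1700000000;
  const rawBody = "token=x&command=%2Fdeploy";
  const sink = [];
  const good = { "x-slack-signature": sign(secret, nowSec, rawBody), "x-slack-request-timestamp": String(nowSec) };
  const forged = { ...good, "x-slack-signature": "v0=" + "0".repeat(64) };
  const results = [good, forged, {}].map((headers) =>
    verifyRequest({ secret, headers, rawBody, nowSec }, makeAuditHandler(sink, nowSec)));
  return { results, sink };
}
```

The recorded entries carry enough to alert on repeated failures or clock skew without copying request payloads into logs.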

@mvanhorn mvanhorn requested a review from a team as a code owner March 24, 2026 08:24
@mwbrooks mwbrooks added enhancement M-T: A feature request for new functionality semver:minor labels Mar 30, 2026
@mwbrooks
Member

Hey @mvanhorn 👋🏻 This sounds like a reasonable enhancement and thank you for explaining the motivation related to the AwsLambdaReceiver.

I'll add a few maintainers to review this PR 👏🏻

In the meantime, can you please add tests for the new changes? I imagine that'll be one of the first requests from the reviewers as well. 🙇🏻

@salesforce-cla

Thanks for the contribution! Unfortunately we can't verify the commit author(s): Matt Van Horn <m***@m***.local>. One possible solution is to add that email to your GitHub account. Alternatively you can change your commits to another email and force push the change. After getting your commits associated with your GitHub account, sign the Salesforce Inc. Contributor License Agreement and this Pull Request will be revalidated.

@mvanhorn
Author

Added tests in b8d77a0 - three cases covering: custom handler receives correct args on signature failure, default noop handler doesn't throw, and missing headers pass undefined for signature/ts. Full suite passes (407 tests).

@zimeg
Member

zimeg commented Mar 30, 2026

@mvanhorn Super amazing changes more 🧪 ✨

The most recent commit author might've been configured strange - would it be possible to force push changes with an author that can sign the CLA? 🏛️

Rambles now but slackapi/node-slack-sdk#1135 becomes most curious 👾

mvanhorn and others added 2 commits March 30, 2026 11:18
Adds an optional invalidRequestSignatureHandler to HTTPReceiver,
matching the callback added to AwsLambdaReceiver in PR slackapi#2154.
When signature verification fails, the handler fires with the
raw body, signature header, and timestamp. Defaults to a noop.

Refs slackapi#2156

Cover three scenarios: custom handler called with correct args on
signature failure, default noop handler doesn't throw, and missing
headers pass undefined for signature/ts.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@mvanhorn mvanhorn force-pushed the osc/2156-invalid-sig-handler branch from b8d77a0 to 4aa2f01 March 30, 2026 18:18
@mvanhorn
Author

Fixed the commit author in 4aa2f01 — both commits now use my GitHub-linked noreply address. CLA should pass on recheck. All 407 tests still passing.

Re: node-slack-sdk#1135 — interesting, hadn't seen that. The invalidRequestSignatureHandler pattern here could serve as a stepping stone toward that kind of unified request validation.

@codecov

codecov bot commented Apr 8, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.99%. Comparing base (80cf13f) to head (5c78be9).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2827      +/-   ##
==========================================
+ Coverage   93.59%   93.99%   +0.39%     
==========================================
  Files          44       44              
  Lines        7855     7878      +23     
  Branches      687      697      +10     
==========================================
+ Hits         7352     7405      +53     
+ Misses        498      468      -30     
  Partials        5        5              

@changeset-bot

changeset-bot bot commented Apr 8, 2026

⚠️ No Changeset found

Latest commit: 5c78be9

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Labels

cla:signed enhancement M-T: A feature request for new functionality semver:minor
