Verify Slack webhooks in Laravel
<?php
namespace App\Http\Controllers\Slack;
use App\Slack\Webhook;
use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
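class SlackActionController extends Controller
{
    /**
     * Entry point for Slack Events API callbacks.
     *
     * Verifies the Slack request signature before anything else, then answers
     * the one-time "url_verification" handshake by echoing the challenge back.
     * Every other verified event is acknowledged with an empty 200 — Slack only
     * requires a 2xx reply; no event processing happens in this controller.
     *
     * @param Request $request Raw Slack POST. The signature is computed over the
     *                         unparsed body, so nothing may rewrite it before this point.
     * @return \Illuminate\Http\Response|array Challenge echo for the handshake,
     *                                         otherwise an empty 200 response.
     */
    public function action(Request $request)
    {
        // Verify FIRST. The original logged the whole payload before checking the
        // signature, which writes attacker-controlled, unauthenticated input to logs.
        if (! Webhook::verified($request)) {
            abort(400);
        }

        // Only verified payloads reach the log.
        Log::info('slack action', $request->all());

        // Strict comparison: `==` is loose and `input()` is explicit about where the
        // value comes from (request body/query), unlike the magic __get property.
        if ($request->input('type') === 'url_verification') {
            return [
                'challenge' => $request->input('challenge'),
            ];
        }

        // Explicit acknowledgement for all other (verified) events; Slack retries
        // anything that is not a 2xx, so never fall through with an error here.
        return response('', 200);
    }
}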
<?php
namespace App\Slack;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Log;
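class Webhook
{
    /** Signature scheme version Slack currently emits; any other prefix is rejected. */
    private const SIGNATURE_VERSION = 'v0';

    /** Maximum clock skew (seconds, in either direction) before a request is treated as a replay. */
    private const ALLOWED_TIME_DELTA = 60 * 5;

    /**
     * Verify that an incoming request was signed by Slack.
     *
     * Recomputes HMAC-SHA256 over "v0:<timestamp>:<raw body>" with the signing
     * secret and compares it, in constant time, with the X-Slack-Signature
     * header. Fails closed on any malformed or missing input.
     *
     * @link https://api.slack.com/authentication/verifying-requests-from-slack
     *
     * @param Request $request Inbound webhook request; its raw body must be unmodified.
     * @return bool True only when both headers are well-formed, the timestamp is
     *              within the allowed window and the signature matches; false
     *              otherwise (the reason is logged, never the expected signature).
     */
    public static function verified(Request $request): bool
    {
        $signature = $request->header('x-slack-signature');
        $requestTimestamp = $request->header('x-slack-request-timestamp');

        // Both headers are mandatory. Without this guard a missing header reaches
        // explode()/hash_equals() as null, which is a TypeError on PHP 8.
        if (! is_string($signature) || ! is_string($requestTimestamp)) {
            Log::warning('Slack webhook missing signature or timestamp header');
            return false;
        }

        // The version is fixed on OUR side; the original read it from the
        // attacker-controlled header and fed it into the signed base string.
        $prefix = self::SIGNATURE_VERSION.'=';
        if (strncmp($signature, $prefix, strlen($prefix)) !== 0) {
            Log::warning('Slack webhook signature has unsupported version');
            return false;
        }

        // Timestamp must be a plain integer: a non-numeric string throws on
        // arithmetic under PHP 8, and is_numeric() would also accept "1e3" or floats.
        if (preg_match('/^[0-9]+$/', $requestTimestamp) !== 1) {
            Log::warning('Slack webhook timestamp is not numeric');
            return false;
        }

        // Replay protection per Slack's guidance: use the ABSOLUTE difference so a
        // timestamp far in the future is rejected as well, not only an old one.
        if (abs(now()->timestamp - (int) $requestTimestamp) > self::ALLOWED_TIME_DELTA) {
            Log::warning('Possible replay attack, Slack webhook older than '.self::ALLOWED_TIME_DELTA.' seconds');
            return false;
        }

        // Fail closed on a missing secret: hash_hmac() happily accepts an empty key,
        // which would make every request signed with an empty key "valid".
        $secret = config('services.slack.webhooks.signing_secret');
        if (! is_string($secret) || $secret === '') {
            Log::error('Slack signing secret is not configured');
            return false;
        }

        // Base string is version:timestamp:raw body — the raw bytes, not the parsed payload.
        $rawBody = $request->getContent();
        $expected = $prefix.hash_hmac(
            'sha256',
            self::SIGNATURE_VERSION.':'.$requestTimestamp.':'.$rawBody,
            $secret
        );

        // hash_equals(known, user): constant-time compare with the known-good value first.
        if (! hash_equals($expected, $signature)) {
            // Deliberately NOT logging the expected value: it is a valid signature for
            // this exact timestamp/body and would let anyone reading the logs replay it.
            Log::warning('Slack webhook signature did not match', [
                'theirs' => $signature,
            ]);
            return false;
        }

        return true;
    }
}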