fix: Require signatures for ssl_check request verification

[homanp]

Summary

• stop RequestVerification from skipping HMAC validation solely because a form body contains ssl_check=1
• keep the existing Socket Mode verification skip
• add regression coverage for sync, async, and WSGI dispatch paths

Why

When ssl_check_enabled=False, the SSL-check middleware does not intercept ssl_check=1 requests. Request verification still needs to authenticate those HTTP requests before they can reach normal middleware or slash command listeners.

Fixes #1494.

Testing

• ./scripts/run_tests.sh "tests/slack_bolt/middleware/request_verification/test_request_verification.py tests/slack_bolt_async/middleware/request_verification/test_request_verification.py tests/scenario_tests/test_slash_command.py tests/scenario_tests_async/test_slash_command.py tests/adapter_tests/wsgi/test_wsgi_http.py"
• ./scripts/lint.sh --no-install
• ./scripts/run_mypy.sh --no-install

[salesforce-cla]

Thanks for the contribution! Before we can merge this, we need @homanp to sign the Salesforce Inc. Contributor License Agreement.

[homanp]

CLA was signed but not showing up here.

[homanp]

@WilliamBergamin found this as well, not sure if this was "by-design" or not but worth taking a look.

[WilliamBergamin]

This is another awesome find 💯 🚀

Reproducing this locally and testing it out took me longer then I want to admit, but changes look good to me 🥇 thanks for adding these unit tests, they will prevent us form introducing similar behavior in the future

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.30%. Comparing base (b0eda44) to head (e6ebdbb).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1495   +/-   ##
=======================================
  Coverage   91.30%   91.30%           
=======================================
  Files         228      228           
  Lines        7271     7271           
=======================================
  Hits         6639     6639           
  Misses        632      632           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[WilliamBergamin]

This might of been by design to allows users that disable SslCheck middleware to somehow handle these requests manually through a handler 🤔 this feel like a super edge case that leaves the door wide open

User that want to handle their own ssl check logic are able to do so in a global middleware

Its also safe to assume that users that disable SslCheck middleware are dealing with advanced use cases and know what they are doing

[homanp]

This might of been by design to allows users that disable SslCheck middleware to somehow handle these requests manually through a handler 🤔 this feel like a super edge case that leaves the door wide open

User that want to handle their own ssl check logic are able to do so in a global middleware

Its also safe to assume that users that disable SslCheck middleware are dealing with advanced use cases and know what they are doing

Hmm, do you have those use cases?

[homanp]

This is another awesome find 💯 🚀

Reproducing this locally and testing it out took me longer then I want to admit, but changes look good to me 🥇 thanks for adding these unit tests, they will prevent us form introducing similar behavior in the future

Happy to help