Comments (32)

mreinstein commented on July 16, 2024

also might be helpful for verifying the certificate contents https://github.com/es128/ssl-utils/blob/master/lib/verify.js

from alexa-app.

rickwargo commented on July 16, 2024

I use the following code (all you need is the alexaApp.pre call). You'll have to replace Config.applicationName and Config.applicationId with something appropriate.

```js
// Define an alexa-app
var alexaApp = new Alexa.app(Config.applicationName);

// Ensure it is our intended application sending the requests
alexaApp.pre = function (request, response, type) {
    if (request.sessionDetails.application.applicationId !== Config.applicationId) {
        // Fail ungracefully
        throw 'Invalid applicationId: ' + request.sessionDetails.application.applicationId;
    }
};
```

mreinstein commented on July 16, 2024

@rickwargo I already had that, but got flagged as needing to do more validation, as per: https://developer.amazon.com/public/solutions/alexa/alexa-skills-kit/docs/developing-an-alexa-skill-as-a-web-service#Verifying%20that%20the%20Request%20was%20Sent%20by%20Alexa

rickwargo commented on July 16, 2024

@mreinstein Oh. I'm guessing your app is not hosted in AWS Lambda. I chose that path to make this easier.

mreinstein commented on July 16, 2024

correct, it's a hosted web app. They make you jump through more hoops for non-lambda. Unfortunately my service is doing some peculiar things on the backend and I needed more flexibility than lambda provides. So it has to be a web service. :(

matt-kruse commented on July 16, 2024

Couldn't you still hook up whatever verifying logic you need in the pre() call?
When I first wrote this module, my goal was to use it to serve up multiple Alexa Skills from my own web site. Since then, I've abandoned that idea and concluded that Lambda was the way to go. So I don't have much desire to keep this up to date with Amazon's shifting skill requirements. If anyone wants to submit a PR to address this issue I will merge it in.

willmanio commented on July 16, 2024

+1 with Matt, I get the sense that Amazon really wants Alexa skills hosted in Lambda, so it makes sense for alexa-app to follow suit.

mreinstein commented on July 16, 2024

> Couldn't you still hook up whatever verifying logic you need in the pre() call?

I tried that initially, but the validation requires access to several request headers and the full post body, and those aren't exposed in the pre() call.

> If anyone wants to submit a PR to address this issue I will merge it in.

Yeah, didn't mean to imply that I expected you to go off and implement this. I mostly dumped this information here with the expectation that I'd get something working myself, and send a PR with updated instructions. I think the solution is to provide some small module that handles all the verification, and gets installed as a middleware, and then add some documentation. The validation may not be appropriate in this module because access to the headers and body is dependent on the web server handling the request.

> I get the sense that Amazon really wants Alexa skills hosted in Lambda, so it makes sense for alexa-app to follow suit.

The Amazon Alexa team doesn't have a preference. It just happens to be the case that most people messing around with skills won't have their own production web server running, and won't want to go through the hassle of setting it up just to get something working. I also don't think it's implied that alexa-app favors one method or the other; nowhere in the documentation or the API it exposes does it make any assumptions about running on lambda or a regular web server.

from alexa-app.
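An added example, not part of the thread and not alexa-verifier's code, showing why this check needs the SignatureCertChainUrl and Signature headers plus the exact bytes of the POST body. The certificate URL rules are Amazon's published ones; the key pair, request and cert path are constructed here, the public key is passed in directly instead of being taken from a downloaded and validated certificate chain, and SHA-256 is an assumed stand-in digest.

```javascript
const crypto = require('crypto');
const { URL } = require('url');

// Amazon's rules for SignatureCertChainUrl: https, host s3.amazonaws.com,
// port 443 if given, path (after normalization) starting with /echo.api/.
function isValidCertUrl(certUrl) {
  let u;
  try { u = new URL(certUrl); } catch (e) { return false; }
  return u.protocol === 'https:' &&
    u.hostname.toLowerCase() === 's3.amazonaws.com' &&
    (u.port === '' || u.port === '443') &&
    u.pathname.startsWith('/echo.api/');
}

// Check the header URL first, then the signature over the raw body bytes.
// publicKey is an assumption: a real verifier extracts it from the cert chain.
function verifyRequest(headers, rawBody, publicKey) {
  if (!isValidCertUrl(headers.signaturecertchainurl)) return 'bad cert url';
  const ok = crypto.createVerify('RSA-SHA256')
    .update(rawBody)
    .verify(publicKey, headers.signature || '', 'base64');
  return ok ? 'ok' : 'bad signature';
}

// Constructed request: sign the body as sent, then verify three variants.
function demo() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const rawBody = '{"version": "1.0",  "request": {"type": "LaunchRequest"}}';
  const signature = crypto.createSign('RSA-SHA256').update(rawBody).sign(privateKey, 'base64');
  const headers = {
    signaturecertchainurl: 'https://s3.amazonaws.com/echo.api/constructed-cert.pem',
    signature,
  };
  // What a handler sees if it only has the parsed JSON: same data, other bytes.
  const reserialized = JSON.stringify(JSON.parse(rawBody));
  const lookalike = Object.assign({}, headers, {
    signaturecertchainurl: 'https://s3.amazonaws.com.example.invalid/echo.api/c.pem',
  });
  return {
    raw: verifyRequest(headers, rawBody, publicKey),
    reserialized: verifyRequest(headers, reserialized, publicKey),
    lookalikeHost: verifyRequest(lookalike, rawBody, publicKey),
  };
}
```

Only the untouched body verifies; the re-serialized JSON fails even though it parses to the same object, which is why a hook that receives only parsed JSON cannot perform the check.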

mreinstein commented on July 16, 2024

@matt-kruse I've got an initial version of this ready. Still needs more testing, which I aim to do later today. Would love any feedback if you have time/interest:

https://www.npmjs.com/package/alexa-verifier

Assuming this looks right I'll add some information to the README related to using alexa-app with a self-hosted web service.

mreinstein commented on July 16, 2024

my skill was just approved using alexa-verifier. I'll create that PR now.

primaryobjects commented on July 16, 2024

Updating the code sample from @rickwargo for verifying the applicationId in alexa-app-server.

```js
var applicationId = 'your-amazon-skill-application-id';

appServer.start({
  port: process.env.PORT || 3000,
  debug: true,
  preRequest: function (json, request, response) {
    if (json.session.application.applicationId !== applicationId) {
      // Fail ungracefully.
      throw 'Invalid applicationId: ' + json.session.application.applicationId;
    }
  }
});
```

mreinstein commented on July 16, 2024

closing this issue since https://www.npmjs.com/package/alexa-verifier already solves this in a reasonable way.

cpup22 commented on July 16, 2024

Anyone have an example of using alexa-verifier and alexa-app together? I thought mine was set up correctly but I got my skill rejected.

Here's what I tried:

```js
alexaApp.express(app, "/alexa/");
app.use(function(req, res, next) {
  console.log('in here..............');
  if (!req.headers.signaturecertchainurl) {
    return next();
  }

  // mark the request body as already having been parsed so it's ignored by
  // other body parser middlewares
  req._body = true;
  req.rawBody = '';
  req.on('data', function(data) {
    return req.rawBody += data;
  });
  req.on('end', function() {
    var cert_url, er, error, requestBody, signature;
    try {
      req.body = JSON.parse(req.rawBody);
    } catch (error) {
      er = error;
      req.body = {};
    }
    cert_url = req.headers.signaturecertchainurl;
    signature = req.headers.signature;
    requestBody = req.rawBody;
    alexaVerifier(cert_url, signature, requestBody, function(er) {
      if (er) {
        console.error('error validating the alexa cert:', er);
        res.status(400).json({ status: 'the request did NOT come from an Alexa. failure', reason: er, message: 'Bad Request: Verification Failure', error: er });
      } else {
        next();
      }
    });
  });
});
```

but my console out message "in here...." is never called...

mreinstein commented on July 16, 2024

@cpup22 I'm having trouble reading your code snippet as there is no indentation or highlighting. You can mark that text as a code block, like this:

```js
function doesSomething(a, b) {
  // do some stuff
  return a + b
}
```

I don't mean to nitpick. With a couple of lines of code it wouldn't be a big deal but with > 10ish this helps with readability a lot.

https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet#code has some good examples on how to do this.

cpup22 commented on July 16, 2024

not sure why it didn't take my code block. i just updated... look now. no worries about nitpicking :)

cpup22 commented on July 16, 2024

Also, i copied the alexa json payload and tried from postman to see what i get and I do get an error, it's a 500 "Server Error" though. Not the 400 that the Alexa team says should be thrown.

mreinstein commented on July 16, 2024

much better! thanks. :)

I think the reason why this isn't working is because the express middlewares are evaluated in order, and you've declared app.use(... after the alexa-app route is set up. The middleware that parses out the request body needs to happen before the alexa-app route is set up.

cpup22 commented on July 16, 2024

moved it around, and now it's being called... but my sample logic still isn't working because it never gets into the req.on('end' code block.

btw, using the example code from https://github.com/mreinstein/alexa-verifier

mreinstein commented on July 16, 2024

> it never gets into the req.on('end' code block.

@cpup22 I think this is because your test invocation of the endpoint doesn't include a signaturecertchainurl HTTP request header.

cpup22 commented on July 16, 2024

i'm testing from alexa as well and getting the same issue where it never makes it into the req.on('end' block.

Alexa tells me "The requested skill is taking too long to respond" ... which makes sense since it never gets into that block. debugging...

cpup22 commented on July 16, 2024

also never gets into req.on('data'....

mreinstein commented on July 16, 2024

@cpup22 are you setting up any other request middleware prior to app.use(.. ?

cpup22 commented on July 16, 2024

just

```js
var app = express();
app.use(require('body-parser').urlencoded({extended: true}));
app.use(bodyParser.json());
```

cpup22 commented on July 16, 2024

commenting those out worked :)

mreinstein commented on July 16, 2024

yeah that's why. You need to be sure that you install the app.use(.. one before any other body parsers.

from alexa-app.
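An added example, not from the thread or from either module, reproducing the ordering problem above with Node's built-in streams only: once an earlier body parser has drained the request, a later middleware's 'data' and 'end' handlers never fire and the request hangs. `jsonBodyParser`, `rawBodyCapture` and `runChain` are hypothetical stand-ins, and the request and its headers are constructed.

```javascript
const { Readable } = require('stream');

// Stand-in for bodyParser.json(): drains the request stream, then continues.
function jsonBodyParser(req, next) {
  if (req._body) return next(); // body already handled upstream, skip
  let buf = '';
  req.on('data', (chunk) => { buf += chunk; });
  req.on('end', () => { req.body = JSON.parse(buf); req._body = true; next(); });
}

// Stand-in for the raw-body capture the verifier needs (same shape as the
// middleware posted earlier in the thread, without the verification call).
function rawBodyCapture(req, next) {
  if (!req.headers.signaturecertchainurl) return next();
  req._body = true; // tell later body parsers to leave the request alone
  req.rawBody = '';
  req.on('data', (chunk) => { req.rawBody += chunk; });
  req.on('end', () => { req.body = JSON.parse(req.rawBody); next(); });
}

// Run the middlewares in order over a constructed request. Resolves with
// 'handled' if the chain completes, or 'hung' if it stalls until the timeout.
function runChain(middlewares, timeoutMs = 200) {
  const req = Readable.from([Buffer.from('{"version":"1.0"}')]);
  req.headers = {
    signaturecertchainurl: 'https://s3.amazonaws.com/echo.api/constructed-cert.pem',
    signature: 'constructed',
  };
  return new Promise((resolve) => {
    const timer = setTimeout(
      () => resolve({ outcome: 'hung', rawBody: req.rawBody }), timeoutMs);
    let i = 0;
    const next = () => {
      const mw = middlewares[i++];
      if (mw) return mw(req, next);
      clearTimeout(timer);
      resolve({ outcome: 'handled', rawBody: req.rawBody });
    };
    next();
  });
}
```

`runChain([jsonBodyParser, rawBodyCapture])` resolves as hung with an empty `rawBody`, matching the "taking too long to respond" symptom, while `runChain([rawBodyCapture, jsonBodyParser])` completes with the exact bytes preserved for signature checking.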

cpup22 commented on July 16, 2024

thank you!!

mreinstein commented on July 16, 2024

my pleasure. happy computering!

cpup22 commented on July 16, 2024

i guess at this point the issues i'm facing are more about learning express/node. But @mreinstein since you've been so helpful....

commenting out my other app.use is breaking my other express endpoints that aren't part of the alexa skill.

I tried putting the app.use statements after alexaApp.express but it's still not getting the body of my requests anymore.

cpup22 commented on July 16, 2024

figured it out. had to put my other app.post methods after the app.use(bodyParser) related entries (for those other people with a single express app for both their alexa skill and other non-alexa skill endpoints). Thanks for the offer to help though. all is good.

mreinstein commented on July 16, 2024

@cpup22 I know you've already solved this, but you might consider using the module @tejashah88 produced instead:

https://github.com/tejashah88/alexa-verifier-middleware

it's using my verifier logic under the hood.

StErMi commented on July 16, 2024

@tejashah88 do you have an example of your express middleware integrated with the express example of @alexa-app?

tejashah88 commented on July 16, 2024

@StErMi alexa-app automatically handles this for you. You can just use the example from here and you're good to go.
