help with specific instance of certificate validation #68

Closed
fredzannarbor opened this issue Mar 12, 2019 · 2 comments

@fredzannarbor

fredzannarbor commented Mar 12, 2019

I'm submitting a...


[ ] Regression (a behavior that used to work and stopped working in a new release)
[ ] Bug report  
[ ] Performance issue
[x] Feature request
[x] Documentation issue or request
[ ] Other... Please describe:

Opening an issue to track a request for assistance with a single specific instance of the problem tracked in #62, #56, and #53 among others: the absence of certificate & request validation code in the SDK. Having started down this road almost three weeks ago, it is now apparent to me that this is a common roadblock that is preventing people from readily developing self-hosted Alexa skills. It's also remarkable that after 3+ years of Amazon's energetic investment in the platform, developers are still faced with this obstacle. Be that as it may, I am determined to push through, so I am asking for some very specific guidance.

Expected Behavior

I want my code to verify Alexa's HTTP requests that are sent to my skill endpoint (https://developer.amazon.com/docs/custom-skills/host-a-custom-skill-as-a-web-service.html#checking-the-signature-of-the-request) and return a 400 error as per Amazon's requirement.

Current Behavior

When I submit my skill for certification I get the error message:

The skill end-point is not validating the signatures for incoming requests and is accepting requests with an empty signature URL.
The skill end-point is not validating the signatures for incoming requests and is accepting requests with an incorrect certificate URL.
The skill end-point is not validating the signatures for incoming requests and is accepting requests with an invalid signature URL specified.
The skill end-point is not validating the signatures for incoming requests and is accepting requests when no signature URL headers are specified.

Possible Solution

I see what needs to be done, but what I need guidance on is exactly where to do it. Clearly I need a function or module that does the certificate validation. I found the alexandra library, which includes those functions, and also some scripts by dizmo? and others. So should I call that function from inside my post function? How do I ensure that Flask then issues a 400?


Steps to Reproduce (for bugs)

@app.route('/altbrains-basketball', methods=['POST'])
def post():
    """
    Process the request as following :
    - Get the input request JSON
    - Deserialize it to Request Envelope
    - Verify the request was sent by Alexa
    - Invoke the skill
    - Return the serialized response
    """
    content = request.json
    # **should the validation logic go here**
    # e.g. alexandra.util.validate_request_certificate(content) if false then raise 400, if true proceed
    request_envelope = skill_obj.serializer.deserialize(
        payload=json.dumps(content), obj_type=RequestEnvelope)
    response_envelope = skill_obj.invoke(
        request_envelope=request_envelope, context=None)
    print(response_envelope)
    return jsonify(skill_obj.serializer.serialize(response_envelope))

Context

This is preventing me from deploying to the Alexa network. I should not have to write hundreds of lines of mechanical validation code just so that my server can talk to Alexa.

Your Environment

  • ASK SDK for Python used: 1.8.0
  • Operating System and version: AWS Ubuntu, Apache, mod_wsgi, flask

Python version info

  • Python version used for development: 3.6.7
@nikhilym
Contributor

Hey @fredzannarbor, thanks for the issue. As mentioned in #53, we are working on providing guidance on hosting skills as a custom web service. We cannot provide any help on the usage of other third-party library calls for doing this validation. You would need to check the corresponding documentation on their usage and input requirements.

However, as for the code structure and where this has to be done, for example in your skill sample, this validation should be the first step, done before invoking your skill code. So the validation has to be done before calling skill_obj.invoke. As for raising an HTTP 400 exception, you can use Flask's built-in Werkzeug exceptions, and similarly for other HTTP exceptions.

Please let us know if you face any other problem.
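
An added example, not part of the thread and not code from the ASK SDK or the alexandra library: a standard-library pre-check for the four rejections in the certification report, applying the URL rules from Amazon's linked documentation. The function names are hypothetical, and the check covers only the headers; downloading the certificate chain and verifying the signature over the request body must still follow before skill_obj.invoke.

```python
import base64
import binascii
import posixpath
from urllib.parse import urlsplit


def cert_url_is_valid(url):
    """Apply Amazon's documented rules to the SignatureCertChainUrl value."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    path = posixpath.normpath(parts.path)  # resolves ./ and ../ segments
    return (parts.scheme.lower() == "https"
            and (parts.hostname or "").lower() == "s3.amazonaws.com"
            and port in (None, 443)
            and path.startswith("/echo.api/"))  # case-sensitive by design


def precheck(headers):
    """Return None if the request may go on to signature verification,
    otherwise the reason it must be answered with HTTP 400."""
    cert_url = (headers.get("SignatureCertChainUrl") or "").strip()
    signature = (headers.get("Signature") or "").strip()
    if not cert_url or not signature:
        return "missing or empty signature headers"
    if not cert_url_is_valid(cert_url):
        return "certificate URL rejected"
    try:
        base64.b64decode(signature, validate=True)
    except (binascii.Error, ValueError):
        return "signature is not valid base64"
    return None


# In the Flask route this runs first, before deserialize/invoke:
#     if precheck(request.headers) is not None:
#         abort(400)   # flask.abort raises Werkzeug's BadRequest

if __name__ == "__main__":
    # Constructed sample headers, not captured from a real Alexa request.
    samples = [
        {},
        {"SignatureCertChainUrl": "", "Signature": "QUJD"},
        {"SignatureCertChainUrl": "https://s3.amazonaws.com:563/echo.api/c.pem",
         "Signature": "QUJD"},
        {"SignatureCertChainUrl": "https://s3.amazonaws.com/echo.api/c.pem",
         "Signature": "QUJD"},
    ]
    for sample in samples:
        print(precheck(sample) or "passes pre-check")
```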

@nikhilym
Contributor

Hey @fredzannarbor, we hope you figured out where to do the request signature validation before invoking the skill handlers. We are closing this issue. Please reopen if you still have questions.

We are tracking #53 to provide documentation and other support for skill deployment as custom web service. Please keep track of that. Thanks a lot for being patient.
