Giters

ThomasPe / Alexa.NET.Security

This is a library to authenticate requests sent to an Alexa .NET backend

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Alexa.NET.Security

Alexa.NET.Security.Middleware

This is a middleware library to authenticate requests sent to an Alexa ASP.NET backend. It wraps the verification logic of the Alexa Skills SDK for .NET in an easy to use middleware.

It will take care of almost all additional security requirements for self-hosted skills:

  • Check the request signature to verify the authenticity of the request.
  • Check the request timestamp to ensure that the request is not an old request being sent as part of a “replay” attack.
  • Validate the signature in the HTTP headers
  • Verify the URL specified by the SignatureCertChainUrl
  • The signing certificate has not expired (examine both the Not Before and Not After dates)
  • The domain echo-api.amazon.com is present in the Subject Alternative Names (SANs) section of the signing certificate
  • All certificates in the chain combine to create a chain of trust to a trusted root CA certificate
  • Verify request body hash value

Getting Started

Install from NuGet

Install-Package Alexa.NET.Security.Middleware

// Startup.cs
using Alexa.NET.Security.Middleware;

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    //...
    app.UseAlexaRequestValidation();
    app.UseMvc();
}

Alexa.NET.Security.Functions

This project contains an extension method of SkillRequest object to validate a request within an Azure Functions project. It wraps the verification logic of the Alexa Skills SDK for .NET in an easy to use method.

It will take care of almost all additional security requirements for self-hosted skills:

  • Check the request signature to verify the authenticity of the request.
  • Check the request timestamp to ensure that the request is not an old request being sent as part of a “replay” attack.
  • Validate the signature in the HTTP headers
  • Verify the URL specified by the SignatureCertChainUrl
  • The signing certificate has not expired (examine both the Not Before and Not After dates)
  • The domain echo-api.amazon.com is present in the Subject Alternative Names (SANs) section of the signing certificate
  • All certificates in the chain combine to create a chain of trust to a trusted root CA certificate
  • Verify request body hash value

Getting Started

Install from NuGet

Install-Package Alexa.NET.Security.Functions

// Function.cs
using Alexa.NET.Security.Functions;

//...

// Get body and deserialize json 
var payload = await req.ReadAsStringAsync(); 
var skillRequest = JsonConvert.DeserializeObject<SkillRequest>(payload); 

// Verifies that the request is a valid request from Amazon Alexa 
var isValid = await skillRequest.ValidateRequestAsync(req, log); 
if (!isValid) 
  return new BadRequestResult();

// ...

About

This is a library to authenticate requests sent to an Alexa .NET backend

License:MIT License

Languages

Language:C# 100.0%