Alexa.NET.Security

Alexa.NET.Security.Middleware

This is a middleware library that authenticates requests sent to an Alexa ASP.NET backend. It wraps the verification logic of the Alexa Skills SDK for .NET in easy-to-use middleware.

It will take care of almost all additional security requirements for self-hosted skills:

  • Check the request signature to verify the authenticity of the request.
  • Check the request timestamp to ensure that the request is not an old request being sent as part of a “replay” attack.
  • Validate the signature in the HTTP headers.
  • Verify the URL specified by the SignatureCertChainUrl header.
  • Verify that the signing certificate has not expired (examine both the Not Before and Not After dates).
  • Verify that the domain echo-api.amazon.com is present in the Subject Alternative Names (SANs) section of the signing certificate.
  • Verify that all certificates in the chain combine to create a chain of trust to a trusted root CA certificate.
  • Verify the request body hash value.

Getting Started

Install from NuGet

Install-Package Alexa.NET.Security.Middleware

// Startup.cs
using Alexa.NET.Security.Middleware;

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    //...
    // Register before UseMvc so requests are validated before they reach the controllers.
    app.UseAlexaRequestValidation();
    app.UseMvc();
}

Alexa.NET.Security.Functions

This project contains an extension method on the SkillRequest object that validates a request within an Azure Functions project. It wraps the verification logic of the Alexa Skills SDK for .NET in an easy-to-use method.

It will take care of almost all additional security requirements for self-hosted skills:

  • Check the request signature to verify the authenticity of the request.
  • Check the request timestamp to ensure that the request is not an old request being sent as part of a “replay” attack.
  • Validate the signature in the HTTP headers.
  • Verify the URL specified by the SignatureCertChainUrl header.
  • Verify that the signing certificate has not expired (examine both the Not Before and Not After dates).
  • Verify that the domain echo-api.amazon.com is present in the Subject Alternative Names (SANs) section of the signing certificate.
  • Verify that all certificates in the chain combine to create a chain of trust to a trusted root CA certificate.
  • Verify the request body hash value.
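
Two of the checks in the lists in both sections, the SignatureCertChainUrl check and the timestamp check, shown as an added example; this is not code from Alexa.NET.Security or the Alexa Skills SDK. The class and method names are hypothetical, and the URL rules and the 150-second tolerance are assumptions taken from Amazon's published requirements for self-hosted skills, not from this README.

```csharp
using System;

// Illustrative helper added to this README; it is not part of Alexa.NET.Security.
public static class AlexaRequestChecks
{
    // Assumption: tolerance and URL rules follow Amazon's published requirements.
    private static readonly TimeSpan Tolerance = TimeSpan.FromSeconds(150);

    // Compare parsed URL components, never a raw string prefix.
    public static bool IsValidCertChainUrl(string headerValue)
    {
        if (!Uri.TryCreate(headerValue, UriKind.Absolute, out Uri uri))
            return false;

        // Uri normalises the scheme, supplies the default port when none is
        // given, and resolves "." and ".." segments in AbsolutePath.
        return uri.Scheme == Uri.UriSchemeHttps
            && uri.Host.Equals("s3.amazonaws.com", StringComparison.OrdinalIgnoreCase)
            && uri.Port == 443
            && uri.AbsolutePath.StartsWith("/echo.api/", StringComparison.Ordinal);
    }

    // Reject timestamps too far from the server clock in either direction.
    public static bool IsFresh(DateTimeOffset requestTimestamp, DateTimeOffset now)
        => (now - requestTimestamp).Duration() <= Tolerance;

    public static void Main()
    {
        // Constructed sample values, not captured traffic.
        string[] urls =
        {
            "https://s3.amazonaws.com/echo.api/echo-api-cert.pem",
            "https://S3.amazonaws.com:443/echo.api/../echo.api/echo-api-cert.pem",
            "http://s3.amazonaws.com/echo.api/echo-api-cert.pem",      // wrong scheme
            "https://s3.amazonaws.com.example.com/echo.api/cert.pem",  // wrong host
            "https://s3.amazonaws.com@example.com/echo.api/cert.pem",  // host is example.com
            "https://s3.amazonaws.com/EcHo.aPi/echo-api-cert.pem",     // path is case-sensitive
            "https://s3.amazonaws.com:563/echo.api/echo-api-cert.pem", // wrong port
        };
        foreach (var url in urls)
            Console.WriteLine($"{IsValidCertChainUrl(url),-5} {url}");

        var now = new DateTimeOffset(2024, 1, 1, 12, 0, 0, TimeSpan.Zero);
        Console.WriteLine(IsFresh(now.AddSeconds(-30), now));   // recent request
        Console.WriteLine(IsFresh(now.AddSeconds(-200), now));  // stale request
    }
}
```

Signature, certificate-chain and body-hash verification are not shown here.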

Getting Started

Install from NuGet

Install-Package Alexa.NET.Security.Functions

// Function.cs
using Alexa.NET.Security.Functions;

//...

// Read the body and deserialize the JSON
var payload = await req.ReadAsStringAsync();
var skillRequest = JsonConvert.DeserializeObject<SkillRequest>(payload);

// Verifies that the request is a valid request from Amazon Alexa
var isValid = await skillRequest.ValidateRequestAsync(req, log);
if (!isValid)
    return new BadRequestResult();

// ...