Skip to content

This is a library to authenticate requests sent to an Alexa .NET backend

License

Notifications You must be signed in to change notification settings

ThomasPe/Alexa.NET.Security

Repository files navigation

Alexa.NET.Security

Alexa.NET.Security.Middleware

This is a middleware library to authenticate requests sent to an Alexa ASP.NET backend. It wraps the verification logic of the Alexa Skills SDK for .NET in an easy to use middleware.

It will take care of almost all additional security requirements for self-hosted skills:

  • Check the request signature to verify the authenticity of the request.
  • Check the request timestamp to ensure that the request is not an old request being sent as part of a “replay” attack.
  • Validate the signature in the HTTP headers
  • Verify the URL specified by the SignatureCertChainUrl
  • The signing certificate has not expired (examine both the Not Before and Not After dates)
  • The domain echo-api.amazon.com is present in the Subject Alternative Names (SANs) section of the signing certificate
  • All certificates in the chain combine to create a chain of trust to a trusted root CA certificate
  • Verify request body hash value

Getting Started

Install from NuGet

Install-Package Alexa.NET.Security.Middleware

// Startup.cs
using Alexa.NET.Security.Middleware;

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    //...
    app.UseAlexaRequestValidation();
    app.UseMvc();
}

Alexa.NET.Security.Functions

This project contains an extension method of SkillRequest object to validate a request within an Azure Functions project. It wraps the verification logic of the Alexa Skills SDK for .NET in an easy to use method.

It will take care of almost all additional security requirements for self-hosted skills:

  • Check the request signature to verify the authenticity of the request.
  • Check the request timestamp to ensure that the request is not an old request being sent as part of a “replay” attack.
  • Validate the signature in the HTTP headers
  • Verify the URL specified by the SignatureCertChainUrl
  • The signing certificate has not expired (examine both the Not Before and Not After dates)
  • The domain echo-api.amazon.com is present in the Subject Alternative Names (SANs) section of the signing certificate
  • All certificates in the chain combine to create a chain of trust to a trusted root CA certificate
  • Verify request body hash value

Getting Started

Install from NuGet

Install-Package Alexa.NET.Security.Functions

// Function.cs
using Alexa.NET.Security.Functions;

//...

// Get body and deserialize json 
var payload = await req.ReadAsStringAsync(); 
var skillRequest = JsonConvert.DeserializeObject<SkillRequest>(payload); 

// Verifies that the request is a valid request from Amazon Alexa 
var isValid = await skillRequest.ValidateRequestAsync(req, log); 
if (!isValid) 
  return new BadRequestResult();

// ...

About

This is a library to authenticate requests sent to an Alexa .NET backend

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages