Is it possible to confirm the identity of a bot via HTTP request headers?




I'm looking to proxy requests to https://directline.botframework.com for specific consumers but only allow them to use the proxy for a specific bot:



consumers -> my.proxy.com -> directline.botframework.com



I read in another post "the Direct Line secret or token that you specify in the Authorization header of the request is used to identify the bot that the request should be directed to"



I'm unable to find any documentation on the syntax of tokens, but examples appear to follow a certain pattern of 11 chars followed by a period:


Authorization: Bearer RCurR_XV9ZA.cwA.BKA.iaJrC8xpy8qbOF5xnR2vtCX7CZj0LdjAPGfiCpg4Fv0y8qbOF5xPGfiCpg4Fv0y8qqbOF5x8qbOF5xn



Are any of these fields (?), e.g. the first 11 characters before the first period, a unique identifier for a bot that I could use to filter requests on?





As you said, it seems that no documentation demonstrates how to extract information about the bot from a Direct Line secret or token to identify the bot. If possible, you can try to create a GitHub issue to report it.
– Fei Han
Aug 7 at 3:01





Thanks @FeiHan, I'll create that now. I've also raised a support ticket via the Azure portal so will update with any feedback.
– jonhadfield
Aug 7 at 7:49





"only allow them to use the proxy for a specific bot": do you already know the secret for this specific bot?
– Nicolas R
Aug 7 at 8:43





@NicolasR, yes. We only want to be able to proxy requests to bots we have created and have control over.
– jonhadfield
Aug 7 at 8:52





If your consumers are using the secret directly, can't you just store a list of those secrets and check the Bearer value?
– Nicolas R
Aug 7 at 9:27




1 Answer



If you decode the bearer token you can get the app id. I just tested this with jwt.io and was able to see my correct app id.






You can probably find a library that you can use to do this for you to get the app id, but I do not know one off hand. If you have access to the whole request, another option would be to parse the activity for the bot id (in C#, activity.recipient.id or activity.from.id depending on direction) and use this data to whitelist somehow. This is a fairly unique case, so I do not have any examples of this.


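An added example (not from the question, the answer, or the Bot Framework project) of the admission check a proxy could combine from the two suggestions above: accept a bearer value that matches one of your own stored secrets, or a JWT whose app-id claim is on your allowlist. The claim name `appid`, the secrets, the app ids and the signing key are all constructed assumptions; the JWT payload is only decoded, not signature-verified, so the claim is good for filtering which bot a request is routed to, while Direct Line itself still validates the token.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed allowlists: in practice these come from your own bot registrations.
ALLOWED_SECRETS = {"constructed-secret-for-bot-A"}
ALLOWED_APP_IDS = {"11111111-2222-3333-4444-555555555555"}
APP_ID_CLAIM = "appid"  # assumed claim name; confirm against a token decoded at jwt.io


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> Optional[dict]:
    """Return the claims of a three-part JWT, or None if the value is not one."""
    parts = token.split(".")
    if len(parts) != 3:
        return None  # e.g. a four-part Direct Line secret is not a JWT
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    return claims if header.get("typ", "JWT") == "JWT" else None


def is_allowed(authorization_header: str) -> bool:
    """Allow a request if its bearer value is a known secret or a JWT for an allowlisted app id."""
    scheme, _, value = authorization_header.strip().partition(" ")
    if scheme != "Bearer" or not value:
        return False
    # Constant-time comparison against every stored secret (no early exit on length).
    if any(hmac.compare_digest(value.encode(), s.encode()) for s in ALLOWED_SECRETS):
        return True
    claims = jwt_payload(value)
    return claims is not None and claims.get(APP_ID_CLAIM) in ALLOWED_APP_IDS


def make_test_token(claims: dict, key: bytes = b"constructed-key") -> str:
    """Build an HS256 JWT from constructed claims; test input only, not a Direct Line token."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    head = enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = enc(json.dumps(claims).encode())
    sig = enc(hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest())
    return f"{head}.{body}.{sig}"
```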





