alexa-js / alexa-app-server

An Alexa app server for alexa-app.
MIT License

verify & debug in production #86

Open britneydossett opened 7 years ago

britneydossett commented 7 years ago

Hi,

I just updated to the latest version, and now I have verify: true and debug: false in my code. I tested it out in production, and it doesn't work.

I get the following { status: "failure", reason: "missing certificate url" }

I have a feeling that it has to do with debug: false. I think turning off the debugger page deactivates the url's ability to be active.

Is anyone else seeing this too? Thanks!

ericblade commented 7 years ago

Do you have a valid SSL certificate installed?

britneydossett commented 7 years ago

@ericblade I do, and I've been certified for almost a year.

ericblade commented 7 years ago

@britneydossett so, that error comes from the alexa-verifier module, which I presume is used when verify: true is set, which of course also requires debug: false .. what I don't see is how the alexa-verifier module is invoked, so I'm guessing it goes through a couple of layers at least to get there.

Is your certificate in the root of your project, under root/sslcert, and do the privateKey, certificate, and chain (if needed) configs for alexa-app-server point to their correct filenames? Do you have Alexa Developer Console configured in the Skill with the correct certificate settings?

britneydossett commented 7 years ago

@ericblade It's all just as it was before I updated it to the most current version (and is currently living and breathing on Alexa right now), the only thing I added to my code was debug: false.

It seems to me like setting debug to false is essentially making the endpoint useless.

ericblade commented 7 years ago

That seems odd, because the documentation indicates that you can't have debug: true and verify: true, and you can't run in production, without verify: true . . . though I haven't yet actually tried much of any of that, as I'm nowhere near production ready on anything :)

Right at the top of alexa-app-server, if you have verify and debug both on, it throws an Error. (though I admit I'm looking at the 3.0.1 code, I don't know if there's any newer)

So far, we haven't run into this exact error, but all similar errors that just dump JSON data that comes from alexa-verifier have been due to certificate misconfigurations on our end (either in the code, or at the Alexa Dev Console)

ericblade commented 7 years ago

Probably also worth mentioning that we are not using the built-in SSL certificate support at all, instead using a different library to handle SSL (greenleaf I think it's called), but we do have two servers running, one with verify:true/debug:false and one with verify:false/debug:true .. so the switch itself is functional, at least in 3.0.1

tejashah88 commented 7 years ago

@ericblade While the error does originate from the alexa-verifier module, it might be more of a problem with the request headers and how it's set up.

Currently, alexa-app-server uses the alexa-verifier-middleware, which wraps the alexa-verifier module into an expressjs middleware. The middleware attempts to read the entire request body and pulls out key information such as the certificate url before passing it to the alexa-verifier module. The reason this error is popping up is that either the certificate url was not passed into the alexa-verifier module, or that it is a falsey value (see here). Looking at where the middleware grabs the certificate url and other information, my suspicion is that the request headers somehow don't contain the certificate url and the verifier module is receiving values of undefined.

TL;DR: The request headers are possibly corrupted or not containing the right information

@britneydossett Can you try to print the request headers and post what you received?

tomafc330 commented 7 years ago

@tejashah88 I'm running into this issue as well. I'm hosted on heroku which presumably has https support which means I don't need to define https settings.

As a matter of fact the deployed heroku app is currently experiencing a similar issue http://alexa-app-server-hello-world.herokuapp.com/alexa/hello_world

{
status: "failure",
reason: "The signaturecertchainurl HTTP request header is invalid!"
}

Any ideas on how to fix this? TIA

britneydossett commented 7 years ago

I never solved the problem. I just went back to version 2.3.1.....

tomafc330 commented 7 years ago

@tejashah88 @britneydossett I actually managed to solve it. I'm using heroku and it already has a subdomain https certification. Check the subdomain ssl option in the Alexa app config, then turn debug: true and verify: false when deploying to heroku. Then https should work.

britneydossett commented 7 years ago

@tommytcchan I don't have my stuff hosted in heroku, but we have an SSL cert. Are you still verifying Amazon's signatureCertChainUrl and the whole 150 seconds thing when verify: false ?
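As an added example (not part of the thread and not alexa-verifier's own code), the sketch below runs the pre-checks the comments above refer to: that the signaturecertchainurl and signature headers are present, that the certificate URL has the shape Amazon documents, and that the request timestamp is within 150 seconds. The function names, the sample headers and the certificate file name are constructed for illustration, and the sketch does not download the certificate chain or verify the signature itself.

```javascript
// Added example: pre-checks on an incoming Alexa request (hypothetical helper names).
// Header keys are the lowercased forms Node.js exposes on req.headers.
const TOLERANCE_MS = 150 * 1000; // the "150 seconds" rule mentioned in the thread

function checkCertUrl(raw) {
  if (!raw) return 'missing certificate url';
  let u;
  try { u = new URL(raw); } catch (e) { return 'certificate url is not a valid URL'; }
  // The URL parser lowercases scheme and host and resolves "../" path segments.
  if (u.protocol !== 'https:') return 'certificate url must use https';
  if (u.hostname !== 's3.amazonaws.com') return 'certificate url host must be s3.amazonaws.com';
  if (u.port !== '') return 'certificate url port must be 443'; // '' means default 443
  if (!u.pathname.startsWith('/echo.api/')) return 'certificate url path must start with /echo.api/';
  return null;
}

function diagnoseAlexaRequest(headers, rawBody, nowMs) {
  const problems = [];
  const certProblem = checkCertUrl(headers['signaturecertchainurl']);
  if (certProblem) problems.push(certProblem);
  if (!headers['signature']) problems.push('missing signature');
  let ts = NaN;
  try { ts = Date.parse(JSON.parse(rawBody).request.timestamp); } catch (e) { /* reported below */ }
  if (Number.isNaN(ts)) problems.push('missing or unparseable request.timestamp');
  else if (Math.abs(nowMs - ts) > TOLERANCE_MS) problems.push('timestamp outside 150 second tolerance');
  return problems;
}

// Constructed sample inputs (not captured traffic).
const NOW = Date.parse('2017-06-01T12:00:00Z');
const signedLike = {
  signaturecertchainurl: 'https://s3.amazonaws.com/echo.api/echo-api-cert.pem',
  signature: 'PLACEHOLDER_BASE64_SIGNATURE',
};
const freshBody = JSON.stringify({ request: { timestamp: '2017-06-01T11:59:30Z' } });
const staleBody = JSON.stringify({ request: { timestamp: '2017-06-01T11:50:00Z' } });

console.log(diagnoseAlexaRequest(signedLike, freshBody, NOW)); // well-formed request
console.log(diagnoseAlexaRequest(signedLike, staleBody, NOW)); // replayed or delayed request
console.log(diagnoseAlexaRequest({ 'user-agent': 'browser' }, '', NOW)); // no Amazon headers
```

A request that arrives without Amazon's headers, such as one made by opening the endpoint URL in a browser, fails the first two checks before any signature work happens.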

tomafc330 commented 7 years ago

@britneydossett I tested the call on the Alexa app console and the response was parsed by Amazon with no issues. Do they require you to verify that upon verifying your app?

britneydossett commented 7 years ago

@tommytcchan Unfortunately, yes. I think they need to fix it where verify: true and debug: true can exist together.

getmohanraj95 commented 6 years ago

@britneydossett was the issue resolved when using version 2.3.1? I am having the same issue, kindly help me out with this.