alexa-js / alexa-app

A framework for Alexa (Amazon Echo) apps using Node.js
https://www.youtube.com/watch?v=pzM4jv7k7Rg
MIT License

verifier not returning the right response code #304

Closed sbeatz closed 6 years ago

sbeatz commented 6 years ago

My skill got removed from the Alexa skill store because the cert verification is not working properly.

Now I checked the verification manually, and the only difference I found compared to the Amazon docs is that the verifier returns 401 instead of 400. Still waiting for a response from Amazon, but did anyone else have this issue already?

tejashah88 commented 6 years ago

Are you using express.js to host the skill? If so, the middleware for parsing it was recently updated and that could be the problem. @mreinstein Have there been any breaking changes to your alexa-verifier that should be addressed?

sbeatz commented 6 years ago

Using both old and new (1.0.0), old on live and new on dev. Both return 401 when the verifier fails. Can change that easily myself, but was just curious if anyone else is facing that kind of issue with Amazon.

Just in case Amazon is really that picky about an error code, it should be, IMHO:

```js
// Reject any verification failure with 400 (Bad Request) instead of 401
verifier(certUrl, signature, req.rawBody, function(er) {
  if (er) {
    res.status(400).json({ status: 'failure', reason: er })
  } else {
    next()
  }
})
```

in the index.js of alexa-verifier-middleware

Just for the record, here is the crap Amazon sent me (and their docs only state to use 400 for invalid timestamps; otherwise they only say reject the request):

> Issue: The skill end-point is not validating the signatures for incoming requests and is accepting requests with an incorrect certificate URL. Please make sure that your signature validation is correct. To reject an invalid request with an invalid signature or certificate, the skill should respond with HTTP status code 400 (Bad Request) in the response. Please refer to our documentation on how to build your Alexa Skill as a web service and validate requests and signatures.

tejashah88 commented 6 years ago

Try changing it to 400, and submit it for certification again. If it succeeds, that means it's the middleware's fault. Otherwise there may be something else wrong with your setup.

sbeatz commented 6 years ago

feedback after recertification: changed it to 400 and got certified again

tejashah88 commented 6 years ago

@sbeatz Just released a patch (v1.0.1) which now returns a 400 on any error.

dblock commented 6 years ago

This was https://github.com/alexa-js/alexa-verifier-middleware/commit/38ec0c37b15c75ff93cbb650a27c4dda48b62457 and https://github.com/alexa-js/alexa-verifier-middleware/commit/c4d82c6e5f9d7dcb2362a3c6a4c2492d5d7e588f.
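
A local check for the behaviour discussed in this thread, added here as an example and not taken from alexa-verifier-middleware or from any commenter: it drives a verification middleware with constructed requests and reports the status a client would see. `stubVerifier`, `makeMiddleware` and `probe` are hypothetical names; the stub checks only the certificate URL shape from Amazon's documentation and does no signature validation, and the lowercased header keys `signaturecertchainurl` and `signature` are assumed.

```javascript
// Stand-in for the real verifier (assumption): checks only the certificate
// URL shape that Amazon documents. It performs NO signature validation.
function stubVerifier (certUrl, signature, rawBody, cb) {
  let u
  try { u = new URL(certUrl) } catch (e) { return cb('invalid certificate URL') }
  // URL() lowercases scheme and host, normalizes the path, and reports the
  // default https port (443) as an empty string.
  const ok = u.protocol === 'https:' &&
    u.hostname === 's3.amazonaws.com' &&
    u.pathname.startsWith('/echo.api/') &&
    u.port === ''
  if (!ok) return cb('certificate URL not allowed')
  if (!signature || !rawBody) return cb('missing signature or body')
  cb(null)
}

// Middleware in the style shown in the thread: every failure becomes a 400.
function makeMiddleware (verifier) {
  return function (req, res, next) {
    const fail = (reason) =>
      res.status(400).json({ status: 'failure', reason: String(reason) })
    try {
      verifier(req.headers.signaturecertchainurl, req.headers.signature,
        req.rawBody, (er) => (er ? fail(er) : next()))
    } catch (e) {
      fail(e.message) // a throwing verifier must not surface as a 500
    }
  }
}

// Runs the middleware against a fake req/res and records the outcome.
function probe (middleware, headers, rawBody) {
  const seen = { status: null, body: null, passed: false }
  const res = {
    status (code) { seen.status = code; return this },
    json (body) { seen.body = body; return this }
  }
  middleware({ headers, rawBody }, res, () => { seen.passed = true })
  return seen
}
```

Swapping `stubVerifier` for the real verifier module in `makeMiddleware` lets the same `probe` calls serve as a regression test before a skill is resubmitted for certification.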