alexa / alexa-skills-kit-sdk-for-nodejs

The Alexa Skills Kit SDK for Node.js helps you get a skill up and running quickly, letting you focus on skill logic instead of boilerplate code.
Apache License 2.0
3.12k stars 736 forks

Verifier Broken Due To Dependency #685

Closed Jamie0 closed 3 years ago

Jamie0 commented 3 years ago

https://github.com/alexa/alexa-skills-kit-sdk-for-nodejs/blob/9b0dd9fbd0169e140be09ed3dfda2e30772dd0af/ask-sdk-express-adapter/lib/verifier/index.ts#L288

To validate signatures on incoming requests, the Alexa Skills Kit uses the 'ssl-root-cas' Node.js package, loaded as ssl-root-cas/latest.

This package doesn't appear to have been updated beyond 1.3.1. Due to a breaking change in Firefox, the package references the now-discontinued site 'mxr.mozilla.org', which no longer resolves and means the certificates fail to download.

As a result, on a fresh install of the ASK SDK, signature verification is not working.

Needs latest SSL Root Certificate Authority data /Users/jamiewoods/Documents/Code/.../node_modules/ssl-root-cas/ssl-root-cas-latest.js
Loading latest certificates from https://mxr.mozilla.org/nss/source/lib/ckfw/builtins/certdata.txt?raw=1

skill test failure  Error [AskSdk.TimestampVerifier Error]: Timestamp verification failed
    at Object.createAskSdkError (/Users/jamiewoods/Documents/Code/.../node_modules/ask-sdk-runtime/dist/util/AskSdkUtils.js:23:19)
    at TimestampVerifier.verify (/Users/jamiewoods/Documents/Code/.../node_modules/ask-sdk-express-adapter/dist/verifier/index.js:287:34)
    at /Users/jamiewoods/Documents/Code/.../routes/voiceapi.js:23:35
    at processTicksAndRejections (internal/process/task_queues.js:97:5)

Error: getaddrinfo ENOTFOUND mxr.mozilla.org
    at GetAddrInfoReqWrap.onlookup [as oncomplete] (dns.js:66:26) {
  errno: -3008,
  code: 'ENOTFOUND',
  syscall: 'getaddrinfo',
  hostname: 'mxr.mozilla.org'
}

ShenChen93 commented 3 years ago

Hi @Jamie0 ,

Thanks for posting this issue. I just created a new issue on the ssl-root-cas repo: https://github.com/windhamg/node-ssl-root-cas/issues/1. If there is no fix plan for ssl-root-cas, I plan to use tls.rootCertificates to load all root CAs instead (which requires Node version >= 12.3.0).

Thanks, Shen

ShenChen93 commented 3 years ago

PR for the fix is merged in: https://github.com/alexa/alexa-skills-kit-sdk-for-nodejs/commit/8217a3f38ce1cba9d6b5b9d2488902cf12322cb7. Will do a release ASAP.

ShenChen93 commented 3 years ago

Closing this issue as ask-sdk-express-adapter v2.10.2 is released to fix this issue.