claudiajs / claudia-bot-builder

Create chat bots for Facebook Messenger, Slack, Amazon Alexa, Skype, Telegram, Viber, Line, GroupMe, Kik and Twilio and deploy to AWS Lambda in minutes
https://claudiajs.com/claudia-bot-builder.html
MIT License

Your Facebook webhook is insecure. #46

Closed antonbelev closed 7 years ago

antonbelev commented 7 years ago

I had a quick look at your video. Facebook uses the app secret to generate a signature which is part of every request. Only the app owner knows about this secret. You never ask about the secret in the video, which means that your webhook accepts requests from whoever calls it, which is highly insecure. Hope this helps:

The problematic code is here:

    api.post('/facebook', request => {
      // request.body is parsed and acted on without checking the X-Hub-Signature header
      let arr = [].concat.apply([], request.body.entry.map(entry => entry.messaging));
      let fbHandle = parsedMessage => {
        if (parsedMessage) {
          var recipient = parsedMessage.sender;

          return Promise.resolve(parsedMessage).then(parsedMessage => bot(parsedMessage, request))
            .then(botResponse => responder(recipient, botResponse, request.env.facebookAccessToken))
            .catch(logError);
        }
      };

You never check the request signature :)

stojanovic commented 7 years ago

Thanks for reporting, we had some issues with attachments and fb verification that should be solved soon. If you want to send a PR and help, feel free to do that, I can help.