hack4vdb / anthill


Secret to authenticate bot requests is in the source #87

Closed MSch closed 8 years ago

MSch commented 8 years ago

anthill/views.py

from itsdangerous import JSONWebSignatureSerializer

def join_meetup_fb_messenger(request, signeddata):
    # signing secret hard-coded in the source: the problem this issue reports
    s = JSONWebSignatureSerializer('anthill4vdb')
    indata = s.loads(signeddata)

stefan2904 commented 8 years ago

Move to local config? (If we change this, it also needs to be changed on the bot end. /cc @tosh)

(Same key for the planned protection of other api endpoints, I guess.)

tosh commented 8 years ago

Yup, we'd need to change this at the same time.

MSch commented 8 years ago

(Same key for the planned protection of other api endpoints, I guess.)

Just to make sure: Same secret for all API endpoints used by the bot, but a different secret for the API endpoints exposed to the campaign website

stefan2904 commented 8 years ago

Define "exposed to the campaign website": to a frontend or to the CRM?

stefan2904 commented 8 years ago

ok, in settings_local, there is now

BOT_API_KEY = 'key1'
CRM_API_KEY = 'key2'

to use:

from hack4vdb.settings_local import BOT_API_KEY
from itsdangerous import JSONWebSignatureSerializer

s = JSONWebSignatureSerializer(BOT_API_KEY)

(ask me for the specific keys or look in the file on the server.)
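
Editor's added example (not code from the anthill repository or from anyone in this thread): the pattern the comments above settle on, worked through end to end. The signing key is read from configuration instead of being hard-coded, the bot and the CRM get separate keys, and a token the bot signed is rejected on a CRM endpoint. It uses the standard library's hmac instead of itsdangerous so it runs anywhere; the token layout (base64 payload, dot, base64 HMAC-SHA256) is a stand-in for what JSONWebSignatureSerializer produces, not a wire-compatible reimplementation. The environment variable names BOT_API_KEY and CRM_API_KEY are assumed, following the settings_local names in the thread, and the key values and payload are constructed for the demo.

```python
# Added example, not part of the anthill project. Stand-in for itsdangerous'
# JSONWebSignatureSerializer using only the standard library.
import base64
import hashlib
import hmac
import json
import os


class BadSignature(Exception):
    """Raised when a token is malformed or its signature does not match the key."""


def load_key(name, env=os.environ):
    """Read a signing key from configuration; refuse to start if it is missing.

    Variable names BOT_API_KEY / CRM_API_KEY are assumed, after the
    settings_local names used in this issue. A key in the environment (or a
    file outside the repo) is the point: it never lands in source control.
    """
    value = env.get(name)
    if not value:
        raise RuntimeError(f"{name} is not configured")
    return value.encode()


def _b64encode(raw):
    # URL-safe base64 without padding, as web tokens commonly do
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64decode(data):
    # restore the padding stripped by _b64encode before decoding
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def dumps(obj, key):
    """Sign a JSON-serialisable object: b64(payload) + '.' + b64(HMAC-SHA256)."""
    payload = _b64encode(
        json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    )
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return (payload + b"." + _b64encode(sig)).decode()


def loads(token, key):
    """Verify a token from dumps() and return its payload, or raise BadSignature."""
    try:
        payload, sig = token.encode().rsplit(b".", 1)
        given = _b64decode(sig)
    except ValueError:  # no dot, or undecodable base64 (binascii.Error)
        raise BadSignature("malformed token")
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # constant-time comparison: a plain == would leak how many bytes matched
    if not hmac.compare_digest(expected, given):
        raise BadSignature("signature mismatch")
    return json.loads(_b64decode(payload))


def demo(env=None):
    """Bot signs, server verifies; the CRM key must not accept the bot's token.

    Returns (payload accepted on the bot endpoint, whether the CRM endpoint
    accepted the same token). With separate keys the second value is False.
    """
    if env is None:  # constructed demo configuration, not real keys
        env = {"BOT_API_KEY": "constructed-bot-key",
               "CRM_API_KEY": "constructed-crm-key"}
    bot_key = load_key("BOT_API_KEY", env)
    crm_key = load_key("CRM_API_KEY", env)

    token = dumps({"meetup": 42, "user": "fb:123"}, bot_key)  # bot side
    accepted = loads(token, bot_key)                          # bot API endpoint
    try:
        loads(token, crm_key)                                 # CRM API endpoint
        cross_accepted = True
    except BadSignature:
        cross_accepted = False
    return accepted, cross_accepted


if __name__ == "__main__":
    print(demo())
```

Rotating a key is then a config change on both ends rather than a commit, which is the coordination problem tosh and stefan2904 discuss: the server rejects the bot with BadSignature until the bot picks up the new BOT_API_KEY, so the two deployments have to move together.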

stefan2904 commented 8 years ago

@tosh changed on my side, please update bot (see Slack for new BOT_API_KEY)

tosh commented 8 years ago

new bot key live in bot