Prevent direct line token usage from untrusted domains

[LOKESHGORLE]

I have a question

HI,

I do not want to expose the directline secret in the client side, so that no unauthorized user access the bot outside the trusted domain . So i have stored the secret in a controller and getting token over an API. This brings me two issues:

• Token expires after a period of time and i dont find any recommended mechanism to refresh token before the token expiry.
• The token could be obtained from the client side and can be used in another site to initiate the chat. Can we prevent the user from accessing the bot outside the trusted domain. Is there any solution to this?

[InfinytRam]

Thanks for your patience @LOKESHGORLE, I'm investigating this issue.

[InfinytRam]

Hi @LOKESHGORLE,

Token expires after a period of time and i dont find any recommended mechanism to refresh token before the token expiry.

According to this comment, WebChat will automatically refresh the token for you.

But you can refresh a Direct Line token any number of times before it expires. To refresh a Direct Line token, you would make a POST request to https://directline.botframework.com/v3/directline/tokens/refresh with the Authorization header containing your current token to be refreshed.

In your server-side controller, you could set up an endpoint, e.g., /directline/refresh, to handle token refresh requests from the client. When a request is received at this endpoint, your server would issue the refresh request to the Direct Line service and return the new token to the client.

Example:

// Listen for incoming requests
server.post('/directline/refresh', (req, res, next) => {
    const userId = req.body.id ? req.body.id : `dl.${Date.now() + Math.random().toString(36)}`;
    const options = {
        method: 'POST',
        uri: 'https://directline.botframework.com/v3/directline/tokens/refresh',
        headers: {
            Authorization: `Bearer ${req.body.token}`,
            "Content-Type": "application/json"
        },
        json: {
            user: { id: userId }
        }
    };

    // Issue the request to refresh the token
    // ... (handle the request, send the new token back to the client)
});

Documentation: https://learn.microsoft.com/en-us/azure/bot-service/rest-api/bot-framework-rest-direct-line-3-0-authentication?view=azure-bot-service-4.0#refresh-a-direct-line-token

#

The token could be obtained from the client side and can be used in another site to initiate the chat. Can we prevent the user from accessing the bot outside the trusted domain. Is there any solution to this?

Have you had chance to review these documentation?

• https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-security-enhanced?view=azure-bot-service-4.0
• https://learn.microsoft.com/en-us/azure/bot-service/bot-service-channel-connect-directline?view=azure-bot-service-4.0#configure-settings

[stevkan]

Closing due to inactivity.