microsoft / botframework-sdk

Bot Framework provides the most comprehensive experience for building conversation applications.
MIT License

No authorization header #22

Closed PaulBGD closed 8 years ago

PaulBGD commented 8 years ago

My BotConnectorBot isn't working because Microsoft's server doesn't send an Authorization header. The headers and body of an incoming message look like this:

{ 'x-correlating-operationid': 'V4fVa2VBh3M=.dAA=.MQA2ADkANAAyADYANgAxADcAOQA2ADYANAA5ADYANgA1AA==.oTDx9LyL0QE=.91gOrML9EKM=.cZUdfQ4Gdb2Q/0P5Gke2MBv/5BWWh5g1z0aLdio0Nzs=',
  'content-type': 'application/json; charset=utf-8',
  host: 'xxx.xxx.xxx.xxx:3978',
  'content-length': '952',
  expect: '100-continue' }
{
  "type": "Message",
  "id": "xxx",
  "conversationId": "xxx",
  "created": "2016-04-01T01:14:21.8846104Z",
  "language": "en",
  "text": "awdawdawdawdawd",
  "attachments": [],
  "from": {
    "name": "devportal",
    "channelId": "test",
    "address": "devportal",
    "id": "xxx",
    "isBot": false
  },
  "to": {
    "name": "ChesterBot",
    "channelId": "test",
    "address": "chester",
    "id": "chester",
    "isBot": true
  },
  "participants": [
    {
      "name": "devportal",
      "channelId": "test",
      "address": "devportal",
      "id": "xxx",
      "isBot": false
    },
    {
      "name": "ChesterBot",
      "channelId": "test",
      "address": "chester",
      "id": "chester",
      "isBot": true
    }
  ],
  "totalParticipants": 2,
  "mentions": [],
  "channelConversationId": "chester",
  "hashtags": []
}

The BotConnectorBot then denies the connection because it's missing a header. Here's the code I'm running on my side, although I think it's an issue with Microsoft's servers:

var restify = require('restify');
var builder = require('botbuilder');

// Bot definition. The appId/appSecret values are redacted ('xxx') in this report.
const bot = new builder.BotConnectorBot({ appId: 'xxx', appSecret: 'xxx' });

// Root dialog: answer every incoming message with a fixed greeting.
bot.add('/', (session) => {
  session.send('Hello World');
});

// Restify server hosting the bot's message endpoint.
const server = restify.createServer();

// verifyBotFramework() runs before bot.listen() and checks that the
// appId/appSecret arrive via HTTP Basic auth. The Bot Connector only sends
// that Authorization header to endpoints registered as HTTPS, so requests to
// an HTTP-registered endpoint reach this middleware without credentials and
// are rejected. Removing the middleware leaves this route with no caller
// check visible in this snippet (whether bot.listen() verifies anything on
// its own is not shown here), so registering an HTTPS endpoint is the safer fix.
server.post('/api/messages', bot.verifyBotFramework(), bot.listen());

// Port comes from the environment, falling back to 3978; 'xxx' is the
// redacted bind address from the report.
const listenPort = process.env.port || 3978;
server.listen(listenPort, 'xxx', () => {
  console.log('%s listening to %s', server.name, server.url);
});
tomlm commented 8 years ago

We use HTTPS with Basic Auth. If you register an endpoint which is HTTP we do NOT send the auth header because with basic auth that would be passing your appsecret in the clear. If you want a secure server, register it with HTTPS. Otherwise turn off the basic auth.

PaulBGD commented 8 years ago

Where is it that I turn that off? I can't find it in my bot settings on the dev.botframework.com site.

PaulBGD commented 8 years ago

I see, so if I include my app id/secret at all, it tries to do authentication. Well thanks.

tomlm commented 8 years ago

Just don't call bot.verifyBotFramework(). That's the function which is checking the appId/appsecret is being passed via basic auth.

Stevenic commented 8 years ago

I'll also update verifyBotFramework() to ignore auth over HTTP

runxc1 commented 8 years ago

On the .NET side of things you have to comment out the Authentication attribute if you're not using SSL... it seems that should be documented.