mreinstein / alexa-verifier

✓ Verify HTTP requests sent to an Alexa skill are sent from Amazon
MIT License

Not working with azure functions #61

Closed fildanrcs closed 6 years ago

fildanrcs commented 6 years ago

Hi,

I'm trying this module on a Windows 10 machine and I always get an 'invalid signature' error.

Here is how I'm trying to use it. Once I get the request, I extract the parameters in the following way:

            let headers = request.headers;
            let signatureField;
            if("SignatureCertChainUrl" in headers) signatureField = "SignatureCertChainUrl";
            if("signaturecertchainurl" in headers) signatureField = "signaturecertchainurl";
            let cert_url = headers[signatureField];
            let signature = headers.signature;
            let requestRawBody = JSON.stringify(request.body);

Then I call the promise method with the following params:

            verifier(cert_url, signature, requestRawBody).then((res) => {
                resolve(true);
            }).catch((err) => {
                resolve(false);
            })

It always ends up in the catch with the error: 'invalid signature'

Sorry for having poorly documented the issue before.

Thanks for the patience

mreinstein commented 6 years ago

@fildanrcs I don't understand your issue. Can you provide more details please?

mreinstein commented 6 years ago

issue unclear, please elaborate on what issue you are running into and we'll re-open as needed.

fildanrcs commented 6 years ago

Sorry, I've updated the issue description.

mreinstein commented 6 years ago

I suspect your problem is in let requestRawBody = JSON.stringify(request.body);.

Stringifying the request body is not the same as the raw body input. You need the raw, unaltered request body (before any middlewares parse this into an object.)

Which server framework are you using?

fildanrcs commented 6 years ago

I'm using Azure Functions, so I fear I have no control over the middleware underneath. Unfortunately I can't change this stack.

Do you have any other idea on how to make the signature check by using the body in JSON format?

Thanks for the reply

mreinstein commented 6 years ago

You're going to need the raw request body to use this. Perhaps this is already available via request.rawBody?

https://github.com/Azure/azure-functions-host/issues/293
https://github.com/Azure/azure-functions-host/issues/1951
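
Why the raw body matters, as an added example that is not part of the thread or of alexa-verifier's own code: the signature covers the exact bytes sent, and parsing then re-stringifying JSON changes those bytes. The throwaway RSA key pair, the SHA-256 choice, the sample body and the helpers `signatureMatches` and `bodyForVerification` are all assumptions constructed for the demonstration.

```javascript
const crypto = require('node:crypto');

// Assumption: a throwaway RSA key pair stands in for the sender's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Constructed body, byte-for-byte as it would arrive on the wire. Note the
// whitespace, the \u00e9 escape and the 1.0 literal: all legal JSON.
const rawBody = '{"version": "1.0", "request": {"type": "LaunchRequest", "note": "caf\\u00e9", "ratio": 1.0}}';

// The sender signs the exact bytes it transmits (SHA-256 is an assumption here).
const signature = crypto.sign('sha256', Buffer.from(rawBody, 'utf8'), privateKey).toString('base64');

// Hypothetical helper: does the base64 signature cover exactly this text?
function signatureMatches(bodyText, signatureB64) {
  return crypto.verify('sha256', Buffer.from(bodyText, 'utf8'), publicKey,
    Buffer.from(signatureB64, 'base64'));
}

// Hypothetical helper: hand the verifier the untouched body or fail closed.
// Falling back to JSON.stringify(request.body) would only hide the problem.
function bodyForVerification(request) {
  if (typeof request.rawBody === 'string') return request.rawBody;
  if (Buffer.isBuffer(request.rawBody)) return request.rawBody.toString('utf8');
  throw new Error('raw request body unavailable; refusing to verify a re-serialized body');
}

// What a handler sees once the platform has parsed the JSON for it.
const incoming = { body: JSON.parse(rawBody), rawBody };
const reserialized = JSON.stringify(incoming.body);

function compareBodies() {
  return {
    sameText: reserialized === rawBody,
    raw: signatureMatches(bodyForVerification(incoming), signature),
    reserialized: signatureMatches(reserialized, signature),
  };
}

console.log(reserialized);
console.log(compareBodies());
```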

fildanrcs commented 6 years ago

Works perfectly. It was my bad :) Thanks a lot!

mreinstein commented 6 years ago

glad it worked!

fildanrcs commented 6 years ago

Yep. I have to admit that I was fooled by this thread since I'm using Azure Functions based on Windows.

Wanted just to clarify the original mistake.

Regards

mreinstein commented 6 years ago

thanks for the clarification. Perhaps this issue will be useful to others trying the same thing (which is why I renamed your original title; to hopefully improve discoverability.)