UNPKG

alexa-verifier

Version:

Verify HTTP requests sent to an Alexa skill are sent from Amazon

github.com/mreinstein/alexa-verifier

mreinstein/alexa-verifier

48 lines (28 loc) 1.59 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
# alexa-verifier ![tests](https://github.com/mreinstein/alexa-verifier/actions/workflows/main.yml/badge.svg) Verify HTTP requests sent to an Alexa skill are sent from Amazon. This module is framework-agnostic. If you're using expressjs, you should check out [alexa-verifier-middleware](https://github.com/alexa-js/alexa-verifier-middleware) which is a lot easier to integrate. ### motivation Part of the certication process for alexa skills hosted on a generic web service (i.e., not AWS Lambda) is that your skill must validate requests are actually coming from Amazon. This is enforced by checking: * the timestamp of the request * the validity of the certificate * the signature of the the request signed with the aforementioned certificate This module provides a function to handle this validation. ### usage arguments * `cert_url` full url of the certificate to verify (from HTTP request header named `signaturecertchainurl`) * `signature` signature of the request (from HTTP request header named `signature`) * `requestRawBody` full body string from POST request * `callback` (optional) completion function. has 1 argument which indicates error. falsey when verification passes You may include a callback function, in the standard node error argument-first format: ```javascript import verifier from 'alexa-verifier' verifier(cert_url, signature, requestRawBody, function callbackFn (er) { // if er, something went wrong }) ``` Ommiting a callback function returns a promise: ```javascript const verifyPromise = verifier(cert_url, signature, requestRawBody) ```