This is a middleware library to authenticate requests sent to an Alexa ASP.NET backend. It wraps the verification logic of the Alexa Skills SDK for .NET in easy-to-use middleware.
It will take care of almost all additional security requirements for self-hosted skills:
- Check the request signature to verify the authenticity of the request.
- Check the request timestamp to ensure that the request is not an old request being sent as part of a “replay” attack.
- Validate the signature in the HTTP headers
- Verify the URL specified by the `SignatureCertChainUrl` header
- The signing certificate has not expired (examine both the Not Before and Not After dates)
- The domain echo-api.amazon.com is present in the Subject Alternative Names (SANs) section of the signing certificate
- All certificates in the chain combine to create a chain of trust to a trusted root CA certificate
- Verify request body hash value
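Install from NuGet:

```
Install-Package Alexa.NET.Security.Middleware
```

```csharp
// Startup.cs
using Alexa.NET.Security.Middleware;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    //...
    // Register validation before MVC so unverified requests never reach a controller.
    app.UseAlexaRequestValidation();
    app.UseMvc();
}
```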
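Two of the checks listed above, the `SignatureCertChainUrl` check and the timestamp check, written out as an added example. This is not code from Alexa.NET.Security; the class and method names are hypothetical, and the URL rules and the 150-second tolerance are taken from Amazon's documentation for self-hosted skills rather than from this page.

```csharp
using System;

// Added illustration; not code from Alexa.NET.Security. All names are hypothetical.
public static class AlexaRequestChecks
{
    // Tolerance from Amazon's self-hosting documentation (assumption: not stated on this page).
    private static readonly TimeSpan MaxSkew = TimeSpan.FromSeconds(150);

    // Validates the SignatureCertChainUrl header before any certificate is downloaded.
    public static bool IsTrustedCertChainUrl(string headerValue)
    {
        if (!Uri.TryCreate(headerValue, UriKind.Absolute, out var uri))
            return false;

        // System.Uri lower-cases the scheme and collapses "../" segments,
        // so the checks below run against the normalized URL.
        return uri.Scheme == Uri.UriSchemeHttps
            && string.Equals(uri.Host, "s3.amazonaws.com", StringComparison.OrdinalIgnoreCase)
            && uri.Port == 443 // Uri reports the scheme default when no port is given
            && uri.AbsolutePath.StartsWith("/echo.api/", StringComparison.Ordinal);
    }

    // Rejects requests whose timestamp is too far from the server clock (replay protection).
    public static bool IsFreshTimestamp(DateTimeOffset requestTimestamp, DateTimeOffset now)
        => (now - requestTimestamp).Duration() <= MaxSkew;
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample header values, one per rule.
        string[] samples =
        {
            "https://s3.amazonaws.com/echo.api/echo-api-cert.pem",        // canonical form
            "https://S3.AMAZONAWS.COM:443/echo.api/../echo.api/cert.pem", // host case, explicit port, dot segments
            "http://s3.amazonaws.com/echo.api/echo-api-cert.pem",         // plain http
            "https://s3.amazonaws.com.example.test/echo.api/cert.pem",    // look-alike host
            "https://s3.amazonaws.com:563/echo.api/echo-api-cert.pem",    // non-443 port
            "https://s3.amazonaws.com/EcHo.aPi/echo-api-cert.pem",        // path prefix is case-sensitive
        };
        foreach (var s in samples)
            Console.WriteLine($"{AlexaRequestChecks.IsTrustedCertChainUrl(s),-5} {s}");

        var now = DateTimeOffset.UtcNow;
        Console.WriteLine(AlexaRequestChecks.IsFreshTimestamp(now.AddSeconds(-200), now));
    }
}
```

Passing these two checks only decides whether the certificate may be fetched and whether the request is recent; the certificate dates, SAN, chain and body signature checks in the list still have to succeed before a request is trusted.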
This project contains an extension method on the `SkillRequest` object to validate a request within an Azure Functions project.
It wraps the verification logic of the Alexa Skills SDK for .NET in an easy-to-use method.
It will take care of almost all additional security requirements for self-hosted skills:
- Check the request signature to verify the authenticity of the request.
- Check the request timestamp to ensure that the request is not an old request being sent as part of a “replay” attack.
- Validate the signature in the HTTP headers
- Verify the URL specified by the `SignatureCertChainUrl` header
- The signing certificate has not expired (examine both the Not Before and Not After dates)
- The domain echo-api.amazon.com is present in the Subject Alternative Names (SANs) section of the signing certificate
- All certificates in the chain combine to create a chain of trust to a trusted root CA certificate
- Verify request body hash value
Install from NuGet:

```
Install-Package Alexa.NET.Security.Functions
```

```csharp
// Function.cs
using Alexa.NET.Request;
using Alexa.NET.Security.Functions;
using Microsoft.AspNetCore.Mvc;
using Newtonsoft.Json;

//...
// Get body and deserialize json
var payload = await req.ReadAsStringAsync();
var skillRequest = JsonConvert.DeserializeObject<SkillRequest>(payload);

// Verifies that the request is a valid request from Amazon Alexa
var isValid = await skillRequest.ValidateRequestAsync(req, log);
if (!isValid)
{
    return new BadRequestResult();
}
// ...
```