/alexa_verifier

Rubygem to verify requests sent to an Alexa skill are sent from Amazon

Primary LanguageRubyMIT LicenseMIT

Alexa Verifier

AlexaVerifier is a gem created to verify that requests received within a Rack-based application originate from Amazon's Alexa API.

This gem is framework agnostic and should work with any Rack based application including both Rails and Sinatra.

Gem Version Build Status Code Coverage License

Contents

Requirements

AlexaVerifier requires the following:

  • Ruby - version 2.0 or greater

Installation

Add this line to your application's Gemfile:

gem 'alexa_verifier'

Usage

This gem's main function is taking an Rack request and verifying that it was sent by Amazon.

Sinatra

# within server.rb (or equivalent)

post '/' do
  AlexaVerifier.valid!(request)
end

Rails

# config/routes.rb

post '/', to: 'alexa#index'
# app/controllers/alexa_controller.rb

class AlexaController < ApplicationController
  skip_before_action :verify_authenticity_token, only: :index

  def index
    AlexaVerifier.valid!(request)
  end
end

Methods

AlexaVerifier has two main entry points, detailsed below:

Method Parameter type Returns
AlexaVerifier.valid!(request) Rack-based request object true on successful verification. Raises an error if unsuccessful.
AlexaVerifier.valid?(request) Rack-based request object true on successful verificatipn. false if unsuccessful.

You are also able to configure AlexaVerifier to disable some checks. This is detailed in the section below.

Disabling checks

If you'd like to disable one (or more) of the checks performed by AlexaVerifier, you can do so by passing a #configure block. Each of the configuration attributes are Boolean values and are detailed below.

It is possible to disable checks either globally, or for a specific instance. This is useful if you want to run multiple instances of the verifier within your application.

Option Default Description
enabled true Enables or disables AlexaVerifier checks. This setting overrides all others i.e. setting config.enabled = false disables all checks even if you set others to true.
verify_uri true Enables or disables checks on the certificate URI. Set to false to allow serving of certificates from non-amazon approved domains.
verify_timeliness true Enables or disables timeliness checks. Set to false to allow requests generated in the past to be executed. Good for serving test requests.
verify_certificate true Enables or disabled checks on whether the certificate is in date, or contains the SAN address we expect.
verify_signature true Enables or disables checks to see if a request was actually signed by a certificate.

Examples

The below is an example of a 'complete' configure block, setting attributes both globally and for an individual instance.

Globally
AlexaVerifier.configure do |config|
  config.enabled            = false # Disables all checks, even though we enable them individually below
  config.verify_uri         = true
  config.verify_timeliness  = true
  config.verify_certificate = true
  config.verify_signature   = true
end
AlexaVerifier.valid!(request)
Instance level
With a block
verifier = AlexaVerifier::Verifier.new do |config|
  config.enabled            = false
  config.verify_uri         = true
  config.verify_timeliness  = true
  config.verify_certificate = true
  config.verify_signature   = true
end
verifier.valid!(request)
Calling #configure
verifier = AlexaVerifier::Verifier.new
verifier.configure do |config|
  config.enabled            = false
  config.verify_uri         = true
  config.verify_timeliness  = true
  config.verify_certificate = true
  config.verify_signature   = true
end
verifier.valid!(request)

Handling errors

AlexaVerifier#valid! will raise one of the following expected errors if verification cannot be performed.

Please note that all errors come with (hopefully) helpful accompanying messages.

Error Description
AlexaVerifier::InvalidCertificateURIError Raised when the certificate URI does not pass validation.
AlexaVerifier::InvalidCertificateError Raised when the certificate itself does not pass validation e.g. out of date, does not contain the requires SAN extension, etc.
AlexaVerifier::InvalidRequestError Raised when the request cannot be verified (not timely, not signed with the certificate, etc.)

Getting Started with Development

To clone the repository and set up the dependencies, run the following:

git clone https://github.com/mattrayner/alexa_verifier.git
cd alexa_verifier
bundle install

Running the tests

We use RSpec as our testing framework and tests can be run using:

bundle exec rake

Contributing

If you wish to submit a bug fix or feature, you can create a pull request and it will be merged pending a code review.

  1. Fork the repository
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Ensure your changes are tested using Rspec
  6. Create a new Pull Request

License

AlexaVerifier is licensed under the MIT.

Code of Conduct

Everyone interacting in the AlexaVerifier project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.