Support Jovo v3 with alexa-verifier-middleware: 2.0.1
rmtuckerphx opened this issue · 4 comments
I'm submitting a...
- Bug report
- Feature request
- Documentation issue or request
- Other... Please describe:
Expected Behavior
Change the code to use alexa-verifier-middleware: 2.x which requires a change to server.ts to use an import statement.
This requires all Jovo 3 projects to be deployed on node 12.17 or higher.
Alternative approaches are welcome.
Current Behavior
The alexa-verifier-middleware supported in Jovo v3 has a dependency on node-forge which has a known security vulnerability.
See comments on commit - 9bc2c10
Is there any way to use Jovo v3 with alexa-verifier-middleware: 2.0.1?
A required code scanning tool is giving me errors due to node-forge:0.10.0
node-forge: 0.10.0 > alexa-verifier: 2.0.2 > alexa-verifier-middleware: 1.0.3.
The fix is to use alexa-verifier-middleware: 2.0.1
I'm currently using Jovo 3.6.1
jovo-core: 3.6.1
jovo-db-filedb: 3.6.1
jovo-db-mongodb: 3.6.1
jovo-framework: 3.6.1
jovo-platform-alexa: 3.6.2
jovo-plugin-debugger: 3.6.1
Error Log
If you have an error log, please paste it here.
No Error
Your Environment
- Jovo Framework version used: 3.6.1
- Operating System: linux
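The chain the scanner reports above can be checked, before and after any fix, against the JSON that `npm ls --all --json` prints. This is an added example, not code from the issue or from Jovo; the sample tree is constructed, and the project name `my-skill` and the placement of alexa-verifier-middleware under jovo-framework are assumptions.

```javascript
// Added example, not code from the issue or from Jovo.
// Input shape: the JSON printed by `npm ls --all --json`.

// Return every dependency path (root first) that ends at name@version.
function findPaths(node, name, version, trail = []) {
  const here = [...trail, { name: node.name, version: node.version }];
  const hits = [];
  for (const [depName, dep] of Object.entries(node.dependencies || {})) {
    if (depName === name && dep.version === version) {
      hits.push([...here, { name: depName, version: dep.version }]);
    }
    // Keep walking: the same package can also appear deeper in the tree.
    hits.push(...findPaths({ ...dep, name: depName }, name, version, here));
  }
  return hits;
}

// Render a path leaf first, in the "a: 1.0 > b: 2.0" notation used in the issue.
function formatPath(path) {
  return [...path].reverse().map((p) => `${p.name}: ${p.version}`).join(' > ');
}

// Direct dependencies of the project through which the flagged package arrives.
function directParents(paths) {
  return [...new Set(paths.map((p) => `${p[1].name}@${p[1].version}`))];
}

// Constructed sample tree (assumption: the middleware is pulled in by jovo-framework).
const sampleTree = {
  name: 'my-skill',
  version: '1.0.0',
  dependencies: {
    'jovo-core': { version: '3.6.1' },
    'jovo-framework': { version: '3.6.1', dependencies: {
      'alexa-verifier-middleware': { version: '1.0.3', dependencies: {
        'alexa-verifier': { version: '2.0.2', dependencies: {
          'node-forge': { version: '0.10.0' },
        } },
      } },
    } },
  },
};

const flagged = findPaths(sampleTree, 'node-forge', '0.10.0');
flagged.forEach((p) => console.log(formatPath(p)));
console.log('arrives via:', directParents(flagged).join(', '));
```

An empty result from `findPaths` after changing dependencies means the flagged version is no longer anywhere in the installed tree.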
@jankoenig @aswetlow This is an issue on a big project I'm working on now.
@rmtuckerphx we won't be able to deploy new v3 releases over the next 2 weeks. The fastest way to solve this is probably to patch this yourself
@jankoenig I'm not sure what I would do to patch this.
Would that require me changing my code to not use whatever Jovo code calls server.ts?
What files would that be exactly?
I understand if this needs to wait. I'll do what I can to get a temporary exemption.
Hi @rmtuckerphx,
Here is the code snippet provided by @aswetlow in Slack. It needs this workaround because alexa-verifier-middleware doesn't support require() at all.
```js
'use strict';

const { ExpressJS, Lambda, Webhook } = require('jovo-framework');
const { app } = require('./app.js');
const fs = require('fs');
const bodyParser = require("body-parser");
const express = require("express");
const http = require("http");
const https = require("https");

// ------------------------------------------------------------------
// HOST CONFIGURATION
// ------------------------------------------------------------------

const verifiedServer = express();
verifiedServer.jovoApp = undefined;
verifiedServer.ssl = undefined;

// TLS key and certificate; replace <domain> with your own host name.
verifiedServer.ssl = {
  key: fs.readFileSync('/etc/letsencrypt/live/<domain>/privkey.pem'),
  cert: fs.readFileSync('/etc/letsencrypt/live/<domain>/fullchain.pem'),
};

(async function() {
  // alexa-verifier-middleware 2.x cannot be loaded with require(), so it is
  // loaded with a dynamic import() from this CommonJS file.
  const verifier = (await import('alexa-verifier-middleware')).default;

  verifiedServer.listen = function () {
    try {
      if (verifiedServer.jovoApp) {
        verifiedServer.jovoApp.initWebhook();
      }

      const router = express.Router();
      verifiedServer.use(router);

      // The verifier must see the unparsed request body, so it is mounted
      // before bodyParser.json() on the Alexa route.
      router.use('/webhook_alexa', verifier);
      router.use('/webhook_alexa', bodyParser.json());
      router.use('/webhook', bodyParser.json());

      const httpServer = verifiedServer.ssl
        ? https.createServer(verifiedServer.ssl, this)
        : http.createServer(this);
      // @ts-ignore
      return httpServer.listen.apply(httpServer, arguments); // eslint-disable-line
    } catch (error) {
      console.log(error);
    }
  };

  // ExpressJS (Jovo Webhook)
  if (process.argv.indexOf('--webhook') > -1) {
    const port = process.env.JOVO_PORT || 443;
    verifiedServer.jovoApp = app;

    verifiedServer.listen(port, () => {
      console.info(`Local server listening on port ${port}.`);
    });

    // Use this
    verifiedServer.post(['/webhook', '/webhook_alexa'], async (req, res) => {
      await app.handle(new ExpressJS(req, res));
    });
  }
}());
```