Rubygem to verify requests sent to an Alexa skill are sent from Amazon
alexa_verifier is available on Rubygems. You can install it with:
$ gem install alexa_verifier
You can also add it to your Gemfile:
gem 'alexa_verifier'
Amazon requires publicly registered skills validate requests sent to it. This includes doing the following:
- Verifying that the timestamp in the request is from not too long ago (Amazon recommends a max of 150 seconds).
- Verifying that the signature sent is valid against the request.
This gem takes care of both of these. You can read more about the technical specifications [here](https://developer.amazon.com/public/solutions/alexa/alexa-skills-kit/docs/developing-an-alexa-skill-as-a-web-service#Verifying that the Request was Sent by Alexa).
To create an instance of AlexaVerifier
, you can simply call AlexaVerifier.new
. By default, it will verify that timestamps are within 150 seconds and that signatures match. To configure this behavior, you can use AlexaVerifier.build
:
verifier = AlexaVerifier.build do |c|
c.verify_signatures = true
c.verify_timestamps = true
c.timestamp_tolerance = 60 # seconds
end
To validate a request, you need three things:
- The request itself (raw JSON string)
- The HTTP header
SignatureCertChainUrl
- The HTTP header
Signature
When you have each of these, you can pass them to AlexaVerifier#verify!
. If verification passes, it returns true
. If it fails, an AlexaVerifier::VerificationError
will be thrown. Here's an example:
verifier.verify!(
request.headers['SignatureCertChainUrl'],
request.headers['Signature'],
request.body.read
)
This code was adapted from signature verification code found in the AWS SNS module.