This repository has been archived by the owner on Sep 20, 2024. It is now read-only.

Improve docs : Add how to send app secret proof
ouadie-lahdioui committed Dec 11, 2017
1 parent 39cfb28 commit e7de784
Showing 2 changed files with 20 additions and 3 deletions.
17 changes: 17 additions & 0 deletions docs/readme-facebook.md
@@ -21,6 +21,9 @@ Table of Contents
* [Silent and No Notifications](#silent-and-no-notifications)
* [Messenger code API](#messenger-code-api)
* [Attachment upload API](#attachment-upload-api)
* [Built-in NLP](#built-in-nlp)
* [Message Tags](#message-tags)
* [App Secret Proof](#app-secret-proof )
* [Running Botkit with an Express server](#use-botkit-for-facebook-messenger-with-an-express-web-server)

## Getting Started
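Review bot: the new table-of-contents entry has a stray space inside the link target, `[App Secret Proof](#app-secret-proof )`; generated heading anchors carry no trailing space, so the entry should read `[App Secret Proof](#app-secret-proof)` to resolve to the `## App Secret Proof` heading added in the next hunk.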
@@ -570,6 +573,20 @@ var taggedMessage = {
bot.reply(message, taggedMessage);
```

## App Secret Proof

To improve security and prevent your bot against man in the middle attack, it's highly recommended to send an app secret proof :

```javascript
var controller = Botkit.facebookbot({
access_token: process.env.page_token,
verify_token: process.env.verify_token,
app_secret: process.env.app_secret,
require_appsecret_proof: true // Enable send app secret proof
});
```

More information about how to secure Graph API Requests [here](https://developers.facebook.com/docs/graph-api/securing-requests/)

## Use BotKit for Facebook Messenger with an Express web server
Instead of the web server generated with setupWebserver(), it is possible to use a different web server to receive webhooks, as well as serving web pages.
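Review bot: the sentence "prevent your bot against man in the middle attack" overstates what the proof provides and should be reworded before merge. Per the linked securing-requests page, `appsecret_proof` is an HMAC of the access token computed with the app secret, which lets the Graph API reject calls made with a token that has leaked to a party that does not hold the app secret; protection of the transport itself comes from HTTPS, not from the proof. Suggested wording: "To limit the damage from a leaked page access token, it is recommended to require an app secret proof, so that Graph API calls are only accepted when they also carry an HMAC of the token keyed with your app secret:". Two smaller points: the docs should state that `app_secret` must be set whenever `require_appsecret_proof` is `true`, since the proof is computed from it (see `getAppSecretProof(access_token, app_secret)` in the second file), and the inline comment `// Enable send app secret proof` reads better as `// Send appsecret_proof with every Graph API request`; the closing line also needs a full stop after the link.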
6 changes: 3 additions & 3 deletions lib/Facebook.js
@@ -909,9 +909,9 @@ function Facebookbot(configuration) {
return 'sha1=' + hmac.digest('hex');
}

function getAppSecretProof(dataToHash, key) {
var hmac = crypto.createHmac('sha256', key);
return hmac.update(dataToHash).digest('hex');
function getAppSecretProof(access_token, app_secret) {
var hmac = crypto.createHmac('sha256', app_secret);
return hmac.update(access_token).digest('hex');
}

function abortOnValidationError(err, req, res, next) {
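Review bot: the parameter rename is cosmetic (positional arguments, same HMAC-SHA256 over the token keyed with the secret, same hex digest), so behaviour is unchanged, but the function is still undocumented and the new names are the right moment to fix that. Suggest a comment above it such as `// appsecret_proof: hex HMAC-SHA256 of the page access token, keyed with the app secret (Graph API "Securing Requests")`, so the next reader sees why the access token, rather than request data, is what gets hashed here, in contrast to the `sha1=`-prefixed digest returned by the function just above. One robustness point: if `require_appsecret_proof` is enabled while `app_secret` is undefined, `crypto.createHmac('sha256', app_secret)` will throw on the missing key; a configuration-time check with a clear message would fail faster than an error in the middle of a Graph API call.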

0 comments on commit e7de784