I wonder how I can access the webhook payload in the fulfillment tab/dialogue, as I am trying to write it in text to the user.
So, for example a session parameter can be accessed through "$session.params.breakfast", but I am wondering what to write to access a webhook payload. In the webhook payload pictured, I would be interested in accessing the value to the key "hello".
Related
How does a Lambda Authorizer detect if an IAM user has been Disable?
We have a two client servers of Iterable and Punchh. The first one uses a payload of just the base64 token of the username : password while the other server uses the username and password (password is masked).
These 2 servers are pushing (POST method) events down to our API Gateway. To avoid any ,malicious packets being sent down to the gateway, we use an IAM test user (dd_transfer in the example figures below) that can be disbaled once malicious packets are discovered. Thus the IAM test user should now be denied access to the API Gateways where both Punchh and Iterable are pushing their payloads.
When I have an active test user, they are allowed access to the API gateway whenever Punchh or Iterable webhooks push(Post) data. However when that same user is Disabled (password is null) in IAM, that user should not be allowed to access to the gateway. Unfortunately, the 2 external servers are still allowed access once the IAM test user has been deactivated/disabled. I don't want to program and search through a credentials report csv file using boto3 that's encoded to base64. This would expose too much account user info - very risky. Is there another way for the Lambda Authorizer function to determine when an IAM user has been deactivated?
Here are the screen shots below for code, gateway , and servers.
Note that the payloads for the two servers are represented differently. Punchh webhook admin page uses password and username while Iterable webhook admin page uses only the base64 encoded token.
Thanks
Lambda Authorizer Code
API Gateway Method (Note: Post and Get Method Requests are identical)
Lambda Authorizer configuration
Punchh Webhook page
Iterable Webhook Page
I found a safe way to determine whether the dd_transfer user is enabled or not and that is with using the GetLoginProfile API. https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.get_login_profile
If there is a valid password for dd_transfer, then a LoginProfile object will be displayed in the response message, a 200 response code is returned, and the access to the API Gateway will be given when the policy is generated (‘Allow’).
However if the password is null because the dd_transfer has been disabled, a NoSuchEntity exception will be returned indicating that the Login Profile for User dd_transfer cannot be found. It’s blunt but at least I don’t have to worry about access being given to allow malicious events to bypass our API Gateway and into S3 buckets.
I have added a try/catch block to gracefully handle the error by calling the generate Policy function passing the ‘Deny’ parameter in order to generate the Deny Access policy.
It’s a lot less work than using the Credential Report API and then BASE 64 decoding each record in the text/csv file to look for dd_transfer’s entry. The csv file doesn’t expose actual raw data like passwords etc but GetLoginProfile takes less to write up. Then in the exception handler, I would make a call to the generate the Deny Policy.
https://developers.google.com/drive/api/v3/reference/files/watch
Seeing this documentation, I couldn't find any option to set up additional request headers and body to be sent to my webhook endpoint. So I can't set anything like auth tokens to these notifications, right?
You have multiple options:
Add the token in the URL
Validate with the headers X-Goog-Channel-Token (parameter token) and/or X-Goog-Channel-ID (parameter id)
The first one you simply make Google call a URL with the token backed in. The second one you use data that you know to make sure it's Google who's sending the message.
References
Push Notifications (Google Drive v3 reference)
I have created a bot with Amazon lex and it's validation & fulfillment with Python and MongoDb.
Bot is working as expected.
Now I am working to integrate my Bot with an ipad application.
Currently my bot asks user about his account id and then bot validate that id in DB and according responses.
Now after integration instead of asking the account id from user, that id should be passed from ipad application to the bot and then bot should responds according.
My question is about this. How can we pass account id from ipad app to bot and then how can my bot or lambda function can get that?
Please suggest if anyone has done similar functionality.
You will want to use requestAttributes or sessionAttributes to pass information like an account ID to your bot with the initial input.
Your bot can then retrieve these from event.requestAttributes or event.sessionAttributes
References: Lex-Lambda Input Event and Response Format
sessionAttributes – Application-specific session attributes that the client sends in the request. If you want Amazon Lex to include them in the response to the client, your Lambda function should send these back to Amazon Lex in the response. For more information, see Setting Session Attributes
requestAttributes – Request-specific attributes that the client sends in the request. Use request attributes to pass information that doesn't need to persist for the entire session. If there are no request attributes, the value will be null. For more information, see Setting Request Attributes
Additional Info
You will want to handle the passing of userInput to your Lex bot yourself in order to include requestAttributes data. To do this, you will need to use PostContent (text or audio input) or PostText (text input only) to send data to your Lex bot.
Your Lex bot will interpret the input and pass along the requestAttributes to your Lambda function, where you can handle the logic based on the Account ID.
Sending user input data as JSON object via PostText:
POST /bot/botName/alias/botAlias/user/userId/text HTTP/1.1
Content-type: application/json
{
"inputText": "Hello Bot",
"requestAttributes": {
"accountID" : "xxxxxxxx"
},
"sessionAttributes": {
"name" : "John Smith"
}
}
To see what Lex will pass to your Lambda Function and how to retrieve the requestAttributes there, see this question where I've answered that in more depth:
AWS Lex Python Codehook references
What is the best practice to validate that webhook has been sent to my subscription endpoint by azure event grid rather than by other, possibly malicious, service or person.
When you configure webhook URL, you can put a secret token into a query parameter. Then, in your code you can validate this parameter.
For example, for Azure Function webhook, you would use code parameter:
https://myfunctionapp.azurewebsites.net/api/EventGridWebHook1?code=your_functionapp_code
I have used a proxy lambda function to be called in the API gateway. I am able to pass in the URL and get the response back from the Lambda. My issue is how do I secure the data that I am sending in the URL...
I am sending the username and password in the URL as the query string. Since I will call this API from the front end, it will be logged in the server logs.How do I secure that query string.
Thanks for your help
Do not send sensitive data in the query string. This data could be logged or cached by clients and servers.
If you absolutely need to send this data in the request, send it in the request body. Ideally, you should encrypt this data using a public key and decrypt in your Lambda function using a private key (i.e. using KMS)