Alexa skill certification: error The skill end-point is not validating the signatures for incoming requests and is accepting requests with an empty signature URL

Question

question

ethan asked Dec 5, '18

Alexa skill certification: error The skill end-point is not validating the signatures for incoming requests and is accepting requests with an empty signature URL

Hi everbody, I 'm going through the certification process for an Alexa Skill. I receive the error above mentioned. My endpoint runs on an Heroku app, when an Alexa request is sent to that endpoint, it triggers an http request to a remote web service. I 've checked and have turned on SSL Certificate on heroku app but keep receiving this message. I got it that there's something related the signature of the request but don't understand how to fix this problem. Any suggestions? Thanks in advance

This is the code:

const options = {

hostname: ‘xx.xx.xx.xx’,

port: 8080,

path: '/path/to/service?searchText=',

method: 'POST',

headers: { 'Content-Type': 'application/json', 'Cookie':'' }

};

var server = http.createServer(app);

var port = process.env.PORT || 3000; server.listen(port, function () {

console.log("Server is up and running on port 3000...");

});

alexaRouter.post('/callAVA', function (req, res) {

bot=req.query.ava; callAva(req,res); });

function callAva(req, resp){

let strRicerca='';

let data='';

let strOutput='';

let sessionId = req.body.session.sessionId; l

let request = req.body.request; //per slot

let boolEndSession=false;

if (req.body.request.type === 'LaunchRequest') { strRicerca='zzzstart'; }

else if (req.body.request.type === 'IntentRequest' && req.body.request.intent.name === 'AnyText') { strRicerca=utf8.encode(request.intent.slots.searchText.value);

strRicerca = querystring.escape(strRicerca); }

else if (req.body.request.type === 'IntentRequest' && req.body.request.intent.name === 'AMAZON.HelpIntent') { strRicerca='zzzhelp'; }

else if (req.body.request.type === 'IntentRequest' && req.body.request.intent.name === 'AMAZON.StopIntent') { strRicerca='zzzstop'; boolEndSession=true; }

else if (req.body.request.type === 'IntentRequest' && req.body.request.intent.name === 'AMAZON.CancelIntent') { strRicerca='zzzcancel'; }

else if (req.body.request.type === 'SessionEndedRequest') { strRicerca='zzzEndSession'; }

else if (req.body.request.intent.name === 'AMAZON.FallbackIntent') { strRicerca='zzzNoResponse'; } else if (req.body.request.intent.name === 'AMAZON.NavigateHomeIntent') { strRicerca='zzznavigatehome'; }

if(strRicerca) {

options.path+=strRicerca+'&user=&pwd=&ava='+bot; }

var ss=leggiSessione(__dirname +'/sessions/', sessionId); if (ss===''){ options.headers.Cookie='JSESSIONID='; }

else { options.headers.Cookie='JSESSIONID='+ss; }

var req1 = http.request(options, (res) => { if (res.headers["set-cookie"]){

certification certificate signature

10 |5000

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Answer 1 · 2018-12-11T17:13:50Z

Amazon_Bernardo Bezerra answered Dec 11, '18

Hello @ethan and thank you for posting.

This page has the requisites necessaries to host your skill as a web service. Please check if your configuration fulfills those.

Regards,
Barry

10 |5000

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Answer 2 · 2019-04-30T07:19:30Z

newuser-cb8d2c7e-982c-4c8f-a1d9-95a15a63157b answered Apr 30, '19

hello @ethan are your issues resolved because I am facing the same problem. I would really appreciate your help.Thanks.

1

10 |5000

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Amazon_Bernardo Bezerra ♦♦ commented · May 07, 2019 at 04:09 PM

Hello and thank you for your message.

Have you checked the documentation on this link? Can you please share the specifics on what sort of issues you are facing?

Regards,
Barry

0 ·

Answer 3 · 2020-04-05T02:03:20Z

Igor Belagorudsky answered Apr 5, '20

I just lost a couple hours on this until I found this little comment - https://developer.amazon.com/en-US/docs/alexa/custom-skills/host-a-custom-skill-as-a-web-service.html#manually-verify-request-sent-by-alexa. I was returning a 401 but it's looking for exactly 400 as the error code. I changed it and the validation passed. Hope this helps someone in the future.

10 |5000

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Answer 4 · 2023-02-03T00:55:58Z

Clelio Quattrocchi answered Feb 3, '23

I have the same issues.

On first run of certification I had 4 fix required because I forgot to implement signature/timestamp verification. So I have fixed the issue and installed it but nothing is changed. Despite my webservice return 400 BAD request, Alexa certification highlight the same 4 fix.

The skill end-point is not validating the signatures for incoming requests and is accepting requests with an empty signature URL.

The skill end-point is not validating the signatures for incoming requests and is accepting requests with an incorrect certificate URL.

The skill end-point is not validating the signatures for incoming requests and is accepting requests with an invalid signature URL specified.

The skill end-point is not validating the signatures for incoming requests and is accepting requests when no signature URL headers are specified.

I tested on my local and my web service retunr 400 if signaturecertchainurl missed or contains wrong value

Any suggestion?

I saw other threads in the forum but nobody is able to answer

10 |5000

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

question