Casper asked

POST request parameters/apache authentication sent from Skill kits

Hi, I've set up a home Apache web server as an API endpoint for the Alexa skill kits. It works for me but I now use [found on the internet] an authentication for the server. And I have 2 similar questions:

1. I use Apache authentication by creating a .htaccess file in root or some certain directories of /var/www/ (auth box pops up from browser when accessing the URL):

    AuthType Basic
    AuthName "Restricted Content"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user

2. I use a piece of PHP code inside the api.php endpoint to authenticate, which uses $_POST to get the values and does a string comparison within the PHP file.

In both cases, I don't know how to get past the authentication from Echo skill kits with credentials, meaning where to put in my POST values. I actually prefer the Apache authentication because it works with fail2ban.

Tags: alexa skills kit, debugging

Galactoise answered
What is your end goal here? Why do you want Alexa to authenticate with your Apache server? If you're just looking to make sure that the requests are legitimately coming from Amazon, you can do that using the special headers provided with an incoming request. https://developer.amazon.com/public/solutions/alexa/alexa-skills-kit/docs/developing-an-alexa-skill-as-a-web-service#Verifying%20that%20the%20Request%20was%20Sent%20by%20Alexa

Casper answered
I want to create a protection for the api (nobody can execute except from the Echo skill kits). Actually my question becomes: how to put POST parameters, is it from the endpoint?

Galactoise answered
The answer is that you cannot tell Alexa to pass you any special POST parameters - there's no mechanism for setting this up in an Alexa skill - but by default it already provides you everything you need as headers, and the link I gave you explains how to use those headers to validate that the request originated from Alexa. An alternate option would be to point your skill at a Lambda bucket, and then make your requests from Lambda to your webserver. From a Lambda you can control all of the aspects of the HTTP request, since it's just freeform Java or Node.js.

Casper answered
Thanks for the answers. I'm not trying to do anything complicated here so I try to stay away from Lambda. All I want is to send some POST requests to my PHP endpoint so I can filter my instructions and run a certain script [inside the Linux machine that holds the server] according to the command from the POST request. Is there any simple way to achieve this?

Nick Gardner answered
Hi,

There's no simple way to achieve this. If you only want the Alexa skill accessing certain parts of the server, you can have the server check the skill ID and signature of the request. However, the Alexa service will only send JSON encoded information to your server, and only expects JSON encoded information to be sent back; the rest is up to you. You could have a certain intent that triggers a POST request to be called on your own server, but you would need to implement that code yourself.

-Nick

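The answers above point to checking the request headers, skill ID and signature rather than sending credentials. As an added example (not code from the thread or from Amazon), here are the checks a PHP endpoint such as api.php can make before any signature work, following the rules in Amazon's documentation linked above for the `SignatureCertChainUrl` header, the application ID and the request timestamp. The function names, `SKILL_ID` placeholder and sample request are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. SKILL_ID is a placeholder value.
const SKILL_ID = 'amzn1.ask.skill.PLACEHOLDER';
const MAX_SKEW_SECONDS = 150; // Amazon's documented timestamp tolerance

// Check the SignatureCertChainUrl header before downloading anything from it.
function certUrlIsValid(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'], $p['path'])) {
        return false;
    }
    // Resolve "." and ".." so "/echo.api/../x/" cannot pass the prefix test.
    $segments = [];
    foreach (explode('/', $p['path']) as $seg) {
        if ($seg === '..') {
            array_pop($segments);
        } elseif ($seg !== '' && $seg !== '.') {
            $segments[] = $seg;
        }
    }
    $path = '/' . implode('/', $segments);
    return strtolower($p['scheme']) === 'https'
        && strtolower($p['host']) === 's3.amazonaws.com'
        && ($p['port'] ?? 443) === 443
        && strpos($path, '/echo.api/') === 0; // path check is case-sensitive
}

// Reject requests for another skill and stale (replayed) requests.
function requestIsForThisSkill(array $body, int $now): bool
{
    $appId = $body['context']['System']['application']['applicationId']
        ?? $body['session']['application']['applicationId']
        ?? null;
    $tsRaw = $body['request']['timestamp'] ?? '';
    $ts = is_string($tsRaw) ? strtotime($tsRaw) : false;
    return is_string($appId) && hash_equals(SKILL_ID, $appId)
        && $ts !== false && abs($now - $ts) <= MAX_SKEW_SECONDS;
}

// Constructed sample input. In api.php the values would come from
// $_SERVER['HTTP_SIGNATURECERTCHAINURL'] and file_get_contents('php://input').
$body = json_decode('{"session":{"application":{"applicationId":'
    . '"amzn1.ask.skill.PLACEHOLDER"}},"request":{"type":"IntentRequest",'
    . '"timestamp":"2016-01-01T12:00:00Z"}}', true);
$now = strtotime('2016-01-01T12:01:00Z');
var_dump(certUrlIsValid('https://s3.amazonaws.com/echo.api/echo-api-cert.pem'));
var_dump(certUrlIsValid('https://s3.amazonaws.com/echo.api/../other/cert.pem'));
var_dump(requestIsForThisSkill($body, $now));
var_dump(requestIsForThisSkill($body, $now + 3600));
```

These checks do not replace signature verification: the certificate fetched from the validated URL still has to be checked and used to verify the `Signature` header over the raw request body. Apache Basic auth has to be off for this path, since Alexa sends no credentials.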