The certification documentation requires that we have code in place to do various verifications on an incoming request - checking the signature headers, comparing the timestamp, etc. I'm wondering, though, if those are still a hard requirement for requests that go out to Amazon Lambda instead of directly to a service I host. The reason I ask is because I've been having certificate issues and so I've switched to use the Lambda pass-through technique for now. I'm using Matt Kruse's excellent tutorial on this, but I noticed that he does not pass any of the Alexa headers through, only the JSON body. In fact, I'm not sure the Alexa event source even exposes a way to get at the headers (the two parameters it provides are "json" and "context"). Having already implemented the validation on my service, I'm now seeing errors because the signature headers never make it through Lambda to my service. I can easily remove these restrictions, but my concern is that my reviewer is going to test for them, see that they don't exist anymore, and then hold up my certification. Has anyone who used Matt's tutorial run into this?
I don't think they test this at all. They have no visibility into your skill's code. So unless they purposely try to break it with invalid requests, they have no way to verify that you check those things. I think it's more of a recommendation than a requirement.
I generally turn off timestamp validation so I can run automated tests against my skills. I can't ever remember turning it on again. So I think that's verification that Amazon don't actually test that you validate the timestamp.
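The two checks the thread is about, as an added illustration (not code from the thread, from Matt Kruse's tutorial, or from Amazon): the timestamp check runs on the JSON body, which a Lambda pass-through does forward, while the header check needs the HTTP headers, which it does not. The `request.timestamp` field, the `Signature` and `SignatureCertChainUrl` header names, the 150-second tolerance and the sample request are all assumptions made here, and the `validate_timestamp` switch mirrors turning the timestamp check off for automated tests as described in the last reply.

```python
"""Freshness and header-presence checks for an inbound Alexa request.

Added example. Field names, header names, the tolerance and the sample
request are assumptions, not taken from the thread or any tutorial.
"""
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(seconds=150)                           # assumed tolerance
REQUIRED_HEADERS = ("Signature", "SignatureCertChainUrl")   # assumed header names


def parse_alexa_timestamp(ts: str) -> datetime:
    """Parse an ISO 8601 UTC timestamp such as '2024-01-01T12:00:00Z'."""
    if ts.endswith("Z"):            # older fromisoformat() rejects a trailing 'Z'
        ts = ts[:-1] + "+00:00"
    parsed = datetime.fromisoformat(ts)
    if parsed.tzinfo is None:       # treat a naive value as UTC, never local time
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def timestamp_is_fresh(body: dict, now_iso: str, tolerance: timedelta = MAX_SKEW) -> bool:
    """True when body['request']['timestamp'] is within +/- tolerance of now_iso."""
    try:
        sent = parse_alexa_timestamp(body["request"]["timestamp"])
    except (KeyError, TypeError, ValueError):
        return False                # missing or unparsable timestamp fails closed
    return abs(parse_alexa_timestamp(now_iso) - sent) <= tolerance


def missing_headers(headers: dict) -> list:
    """Names from REQUIRED_HEADERS that are absent (header names are case-insensitive)."""
    present = {k.lower() for k in headers}
    return [h for h in REQUIRED_HEADERS if h.lower() not in present]


def verify_request(body: dict, headers: dict, now_iso: str,
                   validate_timestamp: bool = True,
                   expect_headers: bool = True) -> list:
    """Return the list of validation errors; an empty list means the request passed.

    validate_timestamp=False is the 'switched off for automated tests' mode;
    expect_headers=False is what a body-only Lambda pass-through forces on the
    service, since the signature headers never reach it.
    """
    errors = []
    if validate_timestamp and not timestamp_is_fresh(body, now_iso):
        errors.append("stale or missing request.timestamp")
    if expect_headers:
        for name in missing_headers(headers):
            errors.append(f"missing header {name}")
    return errors


# Constructed sample request and headers, not a real capture; values are placeholders.
SAMPLE_BODY = {
    "version": "1.0",
    "request": {"type": "LaunchRequest", "timestamp": "2024-01-01T12:00:00Z"},
}
SAMPLE_HEADERS = {
    "Signature": "<base64 signature placeholder>",
    "SignatureCertChainUrl": "https://example.invalid/echo-api-cert.pem",
}

if __name__ == "__main__":
    # Direct HTTPS delivery, one minute after the request was stamped: passes.
    print(verify_request(SAMPLE_BODY, SAMPLE_HEADERS, "2024-01-01T12:01:00Z"))
    # Body-only delivery half an hour later: both checks report errors.
    print(verify_request(SAMPLE_BODY, {}, "2024-01-01T12:30:00Z"))
```

Keeping the two checks as separate switches makes the trade-off in the thread explicit: a pass-through deployment can still enforce timestamp freshness from the body alone, and only the header-based checks have to be relaxed, rather than disabling request validation wholesale.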