Galactoise asked

Signature and Timestamp verification in Lambda

The certification documentation requires that we have code in place to do various verifications on an incoming request - checking the signature headers, comparing the timestamp, etc. I'm wondering, though, if those are still a hard requirement for requests that go out to Amazon Lambda instead of directly to a service I host. The reason I ask is because I've been having certificate issues and so I've switched to use the Lambda pass-through technique for now. I'm using Matt Kruse's excellent tutorial on this, but I noticed that he does not pass any of the Alexa headers through, only the JSON body. In fact, I'm not sure the Alexa event source even exposes a way to get at the headers (the two parameters it provides are "json" and "context"). Having already implemented the validation on my service, I'm now seeing errors because the signature headers never make it through Lambda to my service. I can easily remove these restrictions, but my concern is that my reviewer is going to test for them, see that they don't exist anymore, and then hold up my certification. Has anyone who used Matt's tutorial run into this?

Matt Kruse answered
I don't think they test this at all. They have no visibility into your skill's code. So unless they purposely try to break it with invalid requests, they have no way to verify that you check those things. I think it's more of a recommendation than a requirement.

Galactoise answered
I was working under the assumption that they were going to purposely use invalid requests. If it hasn't been a problem for other people, though, then I guess I'm not super worried.

jjaquinta answered
I generally turn off timestamp validation so I can run automated tests against my skills. I can't ever remember turning it on again. So I think that's verification that Amazon don't actually test that you validate the timestamp.
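An added example, not code from any poster in this thread or from Matt Kruse's tutorial: the timestamp check discussed above needs only the JSON body, so it still works behind a Lambda pass-through where the signature headers are unavailable, and an injectable clock lets automated tests replay recorded requests without switching the check off. The `request.timestamp` field and the 150-second tolerance are assumptions taken from the Alexa request format, and `checkTimestamp`, `guard` and the sample event are hypothetical names and constructed data.

```javascript
// Assumption: tolerance from the Alexa documentation, not stated in this thread.
const TOLERANCE_MS = 150 * 1000;

// Validate the timestamp carried in the JSON body (no HTTP headers needed).
function checkTimestamp(event, nowMs = Date.now(), toleranceMs = TOLERANCE_MS) {
  const raw = event && event.request && event.request.timestamp;
  if (typeof raw !== 'string') {
    return { ok: false, reason: 'missing timestamp' };
  }
  const sentMs = Date.parse(raw); // ISO 8601 string, e.g. 2016-01-01T12:00:00Z
  if (Number.isNaN(sentMs)) {
    return { ok: false, reason: 'unparseable timestamp' };
  }
  // Reject requests that are too old or too far in the future (replay window).
  const skewMs = Math.abs(nowMs - sentMs);
  if (skewMs > toleranceMs) {
    return { ok: false, reason: 'outside tolerance', skewMs };
  }
  return { ok: true, skewMs };
}

// Hypothetical wrapper for a handler taking (event, context).
// Tests pass a fixed clock instead of disabling the check.
function guard(handler, clock = Date.now) {
  return (event, context) => {
    const verdict = checkTimestamp(event, clock());
    if (!verdict.ok) {
      throw new Error('request rejected: ' + verdict.reason);
    }
    return handler(event, context);
  };
}

// Constructed sample event, trimmed to the field the check reads.
const SAMPLE_EVENT = {
  version: '1.0',
  request: { type: 'LaunchRequest', timestamp: '2016-01-01T12:00:00Z' },
};

// Replay the recorded request with the clock pinned 30 seconds after it was sent.
const pinnedClock = () => Date.parse('2016-01-01T12:00:30Z');
const wrapped = guard((event) => event.request.type, pinnedClock);
console.log(wrapped(SAMPLE_EVENT, {}));
```

This covers the timestamp only; signature verification depends on the request headers and the raw body, which the thread notes do not reach the Lambda function.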