This tutorial shows how to make an existing Spark bot more secure.
If you are building your first bot, it is recommended you start with this tutorial.
Then come back here once it’s up and running!
If someone outside of your organization has never interacted with your bot, they can't just run a simple search to find it. However, if they know or guess the 'email' address of your bot, they will be able to add it to a space (formerly called room) and send it messages. The more bots that are out there, the higher the chance of that happening! To prevent unwanted attention, there are three main ways to control access to your bot:
1. You can set up a space (formerly called room) filter when you create a webhook, which points to your bot application's server. If someone adds your bot to a Cisco Spark space, and the space does not fit the filter rule for any of the bot's webhooks, the bot application server will not receive any messages from Spark. For large enterprise bots that need access to many different spaces, that might not work out. That's okay: you can set up one webhook for your bot, with no filter, to receive all messages from any space to which it belongs, and use the following two methods to secure the bot.
2. Filter at the bot's code level. JSON payloads are sent from Cisco Spark via HTTP POST to your web server, which is defined in your webhook (see Handling Requests from Cisco Spark). When the JSON payload comes in, you can begin your server's code by reading the incoming message's `data["personId"]` or `data["personEmail"]`, comparing it to a predefined list in your code or database, and handling it accordingly. You can also make a request to Spark with `data["personId"]` to check other details, like the organization, so that only people from a specific org are allowed.
Note: the `orgId` that comes in with the webhook JSON payload is the `orgId` of the person who created the webhook, not of the message sender.
3. Last, but not least, we have the webhook secret. This should be used to prevent your bot from processing any POST request that does not come from your specific webhook. It will block any of your other Spark webhooks, or Spark webhooks set up by other users, from sending to your bot's web server location.
Here is a brief tutorial on using a webhook secret in Python.
Putting it all together, here is a code snippet combining all of these features:
```python
# Rejection branches from the combined snippet (only these lines survived extraction);
# print is written as a function call so the snippet is valid under Python 3 as well.
print("orgId does not match or person not in list of authorized users")
print("Secret does not match!")
```
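As an added example (not the snippet from the original post or its GitHub repository), here is a stand-alone Python version of steps 2 and 3 above: the webhook secret is verified as an HMAC-SHA1 of the raw request body against the `X-Spark-Signature` header, and only then is the sender checked against an allow-list or their organization. The secret, org id, e-mail addresses, sample payloads, and the `lookup_org_id` callable (standing in for a request to the Spark people API) are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample values, not real credentials: the secret configured on the
# webhook, the orgId the bot should serve, and an allow-list of known senders.
WEBHOOK_SECRET = b"example-webhook-secret"
ALLOWED_ORG_ID = "EXAMPLE-ORG-ID"
AUTHORIZED_EMAILS = {"alice@example.com"}


def sign(raw_body: bytes) -> str:
    """Compute the signature Spark sends for a body: HMAC-SHA1 keyed with the secret."""
    return hmac.new(WEBHOOK_SECRET, raw_body, hashlib.sha1).hexdigest()


def signature_is_valid(raw_body: bytes, signature_header: str) -> bool:
    """Step 3: compare the X-Spark-Signature header with our own HMAC of the raw bytes.
    compare_digest runs in constant time, so a forged header leaks no timing hint."""
    return hmac.compare_digest(sign(raw_body), signature_header or "")


def sender_is_authorized(payload: dict, lookup_org_id) -> bool:
    """Step 2: accept if the sender is allow-listed, or their org matches ALLOWED_ORG_ID.
    The org is resolved from data['personId'] via lookup_org_id (assumed stand-in for a
    people lookup), because the payload's own orgId belongs to the webhook creator."""
    data = payload.get("data", {})
    if data.get("personEmail") in AUTHORIZED_EMAILS:
        return True
    person_id = data.get("personId")
    return bool(person_id) and lookup_org_id(person_id) == ALLOWED_ORG_ID


def handle_webhook(raw_body: bytes, headers: dict, lookup_org_id) -> str:
    """Order matters: verify the signature on the raw bytes before parsing or filtering."""
    if not signature_is_valid(raw_body, headers.get("X-Spark-Signature", "")):
        return "Secret does not match!"
    if not sender_is_authorized(json.loads(raw_body), lookup_org_id):
        return "orgId does not match or person not in list of authorized users"
    return "accepted"


def make_body(person_id: str, email: str) -> bytes:
    """Build a constructed webhook payload with just the fields the filter reads."""
    return json.dumps({"data": {"personId": person_id, "personEmail": email}}).encode()


# Constructed stand-in for the people directory: personId -> orgId.
FAKE_DIRECTORY = {"PERSON-1": ALLOWED_ORG_ID, "PERSON-2": "SOME-OTHER-ORG"}

if __name__ == "__main__":
    body = make_body("PERSON-1", "bob@example.com")
    print(handle_webhook(body, {"X-Spark-Signature": sign(body)}, FAKE_DIRECTORY.get))
```

In a real server, pass the request body bytes exactly as received (not a re-serialized JSON object), or the HMAC will not match.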
You can get the full, working example on GitHub. You'll just need to replace the orgId, bot name, and token values in the variables at the bottom of the file with your own. Let us know if you have any questions!