Limit the Chatbots to Run on Specified Domains
SUSI botbuilder enables users to make their own private skill and deploy a chatbot widget in their websites. Users can copy paste a javascript code into their website’s source code to activate the bot. But what if someone copies that code from your website and put it in their own website? You won’t want the chat bot to work for such users in some cases. Thus we have a feature through which the bot creator can restrict the usage of the chatbot to only certain domains. The chat bot will not work from other domains.
Understanding the APIs Used
In working of the chatbot, there are mainly two APIs used from the server which play a mainstream role. The first API is the cms/getSkillMetaData.json API. It is used to get the design and configurations of the chatbot. The second API is the susi/chat.json API. It is used to get responses from the server applying the private skill. By restricting the chatbot usage we try to restrict the usage of these two APIs. Also, on the client side we display the chatbot only if the server sends a valid response indicating that the chatbot is legitimate. However, this can be circumvented if the person modifies the javascript of the chatbot. Hence, we need to secure the above two APIs. We check the domain from where the request is coming by checking the referer field in the request’s header.
Securing the APIs
In each of the above two APIs, we check if the bot owner has checked “allow bot only on own site”. If no, then the APIs can be accessed from any domain we need not check. If selected yes, then we need to check if the current site’s domain is allowed in the allowed sites list. For this, we extract the current domain from the request’s referer field. The allowed sites list is fetched from the configure object of that skill.
public static boolean allowDomainForChatbot(JSONObject configureObject, String referer) { Boolean allowed_site = true; if (configureObject.getBoolean("allow_bot_only_on_own_sites") && configureObject.has("allowed_sites") && configureObject.getString("allowed_sites").length() > 0) { allowed_site = false; if (referer != null && referer.length() > 0) { String[] sites = configureObject.getString("allowed_sites").split(","); for (int i = 0; i < sites.length; i++) { String site = sites[i].trim(); int referer_index = referer.indexOf("://"); String host = referer; if (referer.indexOf('/',referer_index+3) > -1) { host = referer.substring(0,referer.indexOf('/',referer_index+3)); } if (host.equalsIgnoreCase(site)) { allowed_site = true; break; } } } } return allowed_site; }
Result
Not allowed from other domains:
(For getSkillMetaData.json API)
Allowed on approved domains:
(For getSkillMetaData.json API)
Resources
- JSON Object in java: https://docs.oracle.com/javaee/7/api/javax/json/JsonObject.html
- Byte array input stream: https://www.javatpoint.com/java-bytearrayinputstream-class
- Work with Files in java: https://docs.oracle.com/javase/7/docs/api/java/io/File.html
You must be logged in to post a comment.