1
votes

I have my bot ready and working with Direct Line Secret in WebChat (by passing &s=SECRET in URL) and on other channels.

I am interested in the integration of front-end Custom Chat Application using Direct Line ClientJS (link at bottom).

After going through the documentation on Bot Framework I came to know that it can be done in 2 ways:

  1. Pass Direct Line secret from front-end Chat Application in ClientJS
  2. Passing Token from front-end Chat Application (But, this requires Direct Line Secret to be passed to generate token first time)

As I develop bots for my clients with their respective use-cases which need to be kept private with client servers.

So, anybody having Direct Line Secret can easily obtain Bots Logic (i.e Not actual code, but what answer bot replies to particular question) by just passing that Direct Line secret in Microsoft Bot Framework provided WebChat client (by passing s=SECRET in URL)

So, basically, how do I hide the secret from others?

Direct Line Client : https://github.com/Microsoft/BotBuilder-Samples/tree/master/Node/core-DirectLine

Authentication Mechanism : https://docs.microsoft.com/en-us/bot-framework/rest-api/bot-framework-rest-direct-line-3-0-authentication

Programming Languages:

  • FrontEnd - Angular.js with Typescript
  • Backend - Node.js on Heroku
2

2 Answers

0
votes

You need to follow method #2 as described in the section Generate a Direct Line Token. Then you won't have to use the secret in your WebChat page at all.

A Direct Line token is a key that can be used to access a single conversation. A token expires but can be refreshed.

This way your client will use the generated token on a per-conversation basis, and there's no need to embed the secret in the WebChat page. Also when you are using the token it will expire, so you have additional security there as well.

0
votes

Indeed, you you need put the secret altogether for direct line but there are ways you can handle in you bot code to avoid using to other people.

Follow the below steps:

1) you can pass the domain where you want to implement with user login context.
2) login context will go in bot code and will be check server side that the user which is logged in having authorized to access or to use your chat bot.
3) Restrict your bot to that particular domain.
4) Check authentication in bot using sign in feature via card.

I hope above liners will help you. do let me know in case you need more help.