1
votes

I am developing a Dialogflow agent with its fulfillment webhook in Firebase Functions (using the Actions on Google Client Library). How can I secure it so that only my agent has access to these functions?

I read the following document, but it didn't provide any further details on their implementation.

https://dialogflow.com/docs/fulfillment/configure#authentication

> It's important to secure your webhook to prevent unwanted, potentially malicious calls. Dialogflow supports two mechanisms for authentication:
>
> - Basic authentication with login and password.
> - Authentication with additional authentication headers.

1 Answers

1
votes

Dialogflow provides these two ways to be somewhat flexible in how you secure your webhook.

If you're using a load balancer, an API gateway, or have a firewall in front of your webhook - you may be able to have that system block requests to your webhook path if they don't have a particular header set to a particular value or if they are making requests using Basic auth that doesn't have a valid account in the system.

If you're not using something like that, or it is too difficult to configure, you may use these tools to filter things out when the function itself is called. If you're using the actions-on-google library, you can set the verification parameter when you create your dialogflow object to enforce matching the auth or headers and, if they don't match, to reject the request.
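The in-function filtering the answer describes, written out by hand for both mechanisms (Basic auth and an extra header). This is an added example, not code from the original answer or from the actions-on-google library; the names `verifyWebhookRequest` and `guard`, the header `x-webhook-token`, and all credential values are constructed assumptions.

```javascript
const crypto = require('crypto');

// Constructed sample values; in a real deployment load them from function config,
// and enter the same values in the Dialogflow fulfillment settings.
const EXPECTED = {
  basic: { user: 'dialogflow-agent', pass: 'constructed-password' },
  headers: { 'x-webhook-token': 'constructed-token-value' },
};

// Compare in constant time; hashing first gives both sides the same length.
function safeEqual(a, b) {
  const digest = (s) => crypto.createHash('sha256').update(String(s)).digest();
  return crypto.timingSafeEqual(digest(a), digest(b));
}

// True only if every configured check passes. An empty config fails closed.
function verifyWebhookRequest(headers, expected) {
  const got = {};
  for (const [k, v] of Object.entries(headers || {})) got[k.toLowerCase()] = v;
  let checks = 0;
  let ok = true;
  if (expected.basic) {
    const { user, pass } = expected.basic;
    const want = 'Basic ' + Buffer.from(`${user}:${pass}`).toString('base64');
    ok = safeEqual(got.authorization || '', want) && ok;
    checks++;
  }
  for (const [name, value] of Object.entries(expected.headers || {})) {
    ok = safeEqual(got[name.toLowerCase()] || '', value) && ok;
    checks++;
  }
  return checks > 0 && ok;
}

// Wrap an Express-style (req, res) handler, the shape an HTTPS function receives.
function guard(expected, handler) {
  return (req, res) => {
    if (!verifyWebhookRequest(req.headers, expected)) {
      res.status(401).send('Unauthorized');
      return undefined;
    }
    return handler(req, res);
  };
}
```

Wrapping the fulfillment handler in `guard(EXPECTED, handler)` rejects a request with 401 before any intent logic runs.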