Click here to Skip to main content
15,888,908 members
Search within:


Articles / Programming Languages / PHP
 
Tip/Trick

Alexa Request-Validation in PHP/Laravel

Rate me:
Please Sign up or sign in to vote.
0.00/5 (No votes)
27 Sep 2018CPOL 3.3K   1  
This tip shows you how to validate Requests by Alexa according to the Amazon requirements.

This article appears in the Third Party Products and Tools section. Articles in this section are for the members only and must not be used to promote or advertise products in any way, shape or form. Please report any spam or advertising.

Introduction

While developing an Alexa Skill for my Work using a custom Endpoint to a Laravel-Backend system, because of Amazons strict Security requirements, I faced major problems getting the validation right. Due to the lack of documentation by Amazon or basically anyone else.

I worked on this for quite a while even though the final solution seems quite simple.

The solution now worked for 1 month with continuous use by around 250 users without any errors. So it seems that it is safe to assume that it works properly.

Using the Code

This is the Laravel function.

$request is a Request object by Laravel.

PHP
public static function validateRequest($request)
{
    $data = json_decode($request->getContent(), false);

    if (!$request->hasHeader("SignatureCertChainUrl") | !$request->hasHeader("Signature"))
        return false;

    $certificateUri = $request->header("SignatureCertChainUrl");
    $uriParts = parse_url($certificateUri);

    if (strcasecmp($uriParts["scheme"], "https") != 0)
        return false;
    if (strcasecmp($uriParts["host"], "s3.amazonaws.com") != 0)
        return false;
    if (array_key_exists("port", $uriParts) && $uriParts["port"] != "443")
        return false;
    if (strpos($uriParts["path"], "/echo.api/") !== 0)
        return false;

    $certificateName = "certificates\\" . array_last(explode("/", $uriParts["path"]));

    if (!Storage::disk("alexa")->exists($certificateName))
        Storage::disk("alexa")->put($certificateName, file_get_contents($certificateUri));

    $certificateFile = Storage::disk("alexa")->get($certificateName);
    $certificateData = openssl_x509_parse($certificateFile);

    $validFrom = date("Y-m-d H:i:s", $certificateData["validFrom_time_t"]);
    $validTo = date("Y-m-d H:i:s", $certificateData["validTo_time_t"]);
    $san = substr($certificateData["extensions"]["subjectAltName"], 
           strpos($certificateData["extensions"]["subjectAltName"], ":") + 1);

    if (!Carbon::now()->between(Carbon::parse($validFrom), Carbon::parse($validTo)))
        return false;
    if ($san != "echo-api.amazon.com")
        return false;

    $publicKey = openssl_get_publickey(openssl_x509_read($certificateFile));
    $signature = base64_decode($request->header("Signature"), true);

    $hash1Binary = null;
    openssl_public_decrypt($signature, $hash1Binary, $publicKey);
    $hash1 = substr(bin2hex($hash1Binary), 30);
    $hash2 = sha1($request->getContent());

    if ($hash1 != $hash2)
        return false;

    if (!Carbon::now() > Carbon::createFromFormat("Y-m-d\TH:i:s\Z", $data->request->timestamp))
        return false;

    //finally
    return true;
}

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Friedrich Rehren
Web Developer Plakos GmbH
Germany Germany
This member has not yet provided a Biography. Assume it's interesting and varied, and probably something to do with programming.

Comments and Discussions

 
 
-- There are no messages in this forum --
Permalink
Advertise
Privacy
Cookies
Terms of Use
Layout: fixed | fluid

Posted 27 Sep 2018

Article Copyright 2018 by Friedrich Rehren
Everything else Copyright © CodeProject, 1999-2024

Web04 2.8:2024-04-02:1