We are developing a Google Action with a fulfillment in a Cloud Function in
GCP.
We want to know the best way to secure this Cloud Function:
Is it possible to use a private Cloud Function as fulfillment and avoid
requests from other origins to Dialogflow?
Is it possible to include a rate limit and quota in our Cloud Function?
Is it possible to limit the number of concurrent requests?
Are there any recommendations about certificates or similar?
Thanks!
Is it possible to use a private Cloud Function as fulfillment and avoid requests from other origins to Dialogflow?
The short answer is that your fulfillment must be publicly accessible. Your Cloud Function cannot be private.
If you want, Dialogflow's Fulfillment section lets you add custom auth or headers. You may be able to use this to only let requests with this header go through.
Is it possible to include a rate limit and quota in our Cloud Function?
Is it possible to limit the number of concurrent requests?
I'm going to suggest not to have any sort of rate limiting. If each request is authentic, you'd end up creating a bad user experience if your fulfillment keeps going down.
Are there any recommendations about certificates or similar?
Cloud Functions are all HTTPS by default, so I'm not sure what certificates you'd need or want in this case.
Related
Throughout my career, I've relied on and used various API services in my projects. I saw multiple mechanisms for how these APIs are secured, but the most common one seems to be via API keys.
I am now planning to build out my own API service and, being unfamiliar with the security part of this, I had a few questions:
So far, what I gathered is to do the following: create an API key, store its hash in the DB, only show the API key to the user one time, check for the API key in requests and rate-limit based on it.
But the above raises one concern: if someone was to inspect a customer's website they could easily get this API key (if the customer is calling the API directly from their front end) and abuse it, correct? This can be done in the form of constantly hitting rate limits or sending bad data to the customer's dashboard.
I feel like I am missing a few key parts here and would appreciate it if someone could outline best practices for how this is done nowadays in NodeJS. Thank you.
EDIT: Users of such a service would be developers utilizing this API in their product
I'm working on a website that is supposed to offer users the ability to make use of Azure's Cognitive Services API. They can play audio or use their microphone to transform speech into text.
I'm currently using Azure's JS SDK and technically it's working fine. However, I noticed a big shortcoming with this approach. The SDK connects through a WebSocket with the Azure server, which exposes the subscription key to the client. So every member could theoretically read it out and sell it or the like.
Furthermore, if the client connects directly with azure, I have no secure way of preventing clients abusing the service. I need a way to measure roughly how much time a customer uses the service to take into account individual billing.
I could not find anything about that in the official documentation. So what are my options?
Should I redirect the clients' audio input to my own server, do some quantitative analysis, and then forward the input from a server-side connection to Azure? I fear with many concurrent customers it might get laggy or connections might get dropped...
Is there any way to attach at least client IDs or the like to the Azure WebSocket connection that I can read out somehow later?
Do you have any advice for me?
Given your additional comment, I would suggest that you switch your implementation from using subscription key to using authentication tokens.
That would:
generate a unique token for each client, based on 1 global subscription key
not expose your subscription key to your clients
restrict the use of the API, as the token is only valid for 10 minutes
Each access token is valid for 10 minutes. You can get a new token at any time, however, to minimize network traffic and latency, we recommend using the same token for nine minutes.
See documentation here for global implementation. In a nutshell, you need to implement this token generation in your backend, and serve the page to your client with this token instead of the key.
Side note 1: be careful about the maximum number of concurrent requests (100 - see here).
Side note 2: that will not help you bill clients according to their usage, as you have just 1 key and there is no way to identify distinct usages in it.
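The backend token exchange the answer describes, as an added example that is not code from the original answer or from Microsoft: the subscription key stays on the server, which requests a ten-minute access token from the Speech service's `issueToken` endpoint and hands only that token to the page, reusing each token for nine minutes as the quoted documentation recommends. The `region` and `subscriptionKey` values are constructed placeholders, and `fetchImpl` and `clock` are injectable so the refresh logic can be exercised offline.

```javascript
// Added example: server-side token cache in front of the Speech issueToken endpoint.
const TOKEN_TTL_MS = 10 * 60 * 1000;    // tokens are valid for 10 minutes
const REFRESH_AFTER_MS = 9 * 60 * 1000; // reuse one token for nine minutes

// Pure refresh decision, separated from I/O so it can be tested directly.
function shouldRefresh(cached, now) {
  return !cached || now - cached.issuedAt >= REFRESH_AFTER_MS;
}

function createTokenProvider({ region, subscriptionKey, fetchImpl = globalThis.fetch, clock = Date.now }) {
  const url = `https://${region}.api.cognitive.microsoft.com/sts/v1.0/issueToken`;
  let cached = null; // { token, issuedAt }
  let fetches = 0;   // how many times the key was actually used

  // The only place the subscription key is ever sent.
  async function issueToken() {
    const res = await fetchImpl(url, {
      method: 'POST',
      headers: { 'Ocp-Apim-Subscription-Key': subscriptionKey },
    });
    if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
    return res.text();
  }

  async function getToken() {
    const now = clock();
    if (!shouldRefresh(cached, now)) return cached.token;
    const token = await issueToken();
    fetches += 1;
    cached = { token, issuedAt: now };
    return token;
  }

  // What the served page receives: token, region and expiry, never the key.
  async function clientConfig() {
    const token = await getToken();
    return { region, token, expiresAt: cached.issuedAt + TOKEN_TTL_MS };
  }

  return { getToken, clientConfig, stats: () => ({ fetches }) };
}

module.exports = { shouldRefresh, createTokenProvider, TOKEN_TTL_MS, REFRESH_AFTER_MS };
```

Serve `clientConfig()` from an authenticated route so only logged-in members of your site obtain tokens; the page then initialises the SDK from the token rather than the key, and a token that leaks is useless after ten minutes. As the side note says, this still does not attribute usage to individual clients, since every token is minted from the same key.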
I have a bot developed using Microsoft Bot Framework, and for WhatsApp I am using the Twilio adapter.
So for performance tuning, if I create a CDN for my BotService web app, will that be useful?
A CDN works by creating a cache in different POPs and storing static content files there,
so when the end user tries to access the website from a different location, content will be cached in the nearest region and the response sent to the end user. But in the case of a bot, the end user sends a message in WhatsApp, and using the Twilio webhook the Bot Framework will be invoked. So the end user is not directly accessing our bot; it's connected through Twilio. Will adding a CDN to my BotService work or not?
In my opinion, a CDN will work in your case. Because all the services are from the service provider anyway, creating a CDN for the bot service will benefit those who contact the service provider. And you need to know that a CDN also helps user requests choose a better point (not only the nearest, but also a free, well-performing point) to connect to the service, e.g. if one endpoint bursts into error or is busy, Azure CDN will provide a new URL to replace the former one; this is where it will work.
I think any assumption is weaker than the experiment result; you can try using a CDN first to test if it works. Azure CDN is paid for by usage: the more you pay indicates the more useful it is.
I am trying to build a Rocket.Chat Google Action, and one of the major advantages of RC is its Realtime APIs; however, they require WebSockets to get access. I know that Dialogflow can be used for WebSockets, but do Google Actions support it?
I am using Dialogflow along with Firebase as backend for my Action.
Actions on Google is a platform for stateless applications running through a REST API call. In this model, the user sends one request to your server and they get back one response.
Actions on Google itself doesn't support web sockets, but you are able to define a cloud function like Firebase to do advanced fulfillment. While you may be able to get web sockets to work in your function, you'd still need to adjust the Action's conversational flow to work in a request/response fashion instead of listening to web sockets continually.
How do I make a 3rd-party API call in Dialogflow using the inline editor? Please share if you have some code regarding this.
Thank you
You cannot make external network requests (for example an API call) from the inline editor. You need to deploy your code elsewhere. The easiest way to do this is by deploying to a paid Firebase plan. From Google:
Network calls originating from your Cloud Function for Firebase to destinations outside Google's network require billing to be enabled for the underlying Google Cloud or Firebase project.
You can create an API with the technology that you want, as long as the response from the API can be understood by Dialogflow.
You need to configure it by going to Fulfillment and pointing it to your API.
The API needs to respond with this structure: Dialogflow.
And if you plan to integrate with Actions on Google, you have this repository which includes some examples of responses.
And here you have some libraries to interact with Dialogflow with different languages.