Slackbox - the requested URL could not be retrieved - access denied - node.js

I have slackbox running locally, have created a Spotify dev application and have successfully authenticated slackbox. It says I am logged in at http://localhost:5000/. All of my variables have been set, including the slack token, in an .env file via dotenv.
All seems well there.
On the slack side, I have created a slash command mapped to /spotify that POSTs to http://localhost:5000/store. The slash command shows up in my command description list when typing.
When I attempt to use it though, I get an access denied message in chat, I'm assuming due to cross-domain issues:
ERROR: The requested URL could not be retrieved Access Denied.
According to their docs - https://github.com/benchmarkstudios/slackbox - running this locally should work. I also run a Hubot bot locally and it integrates fine with the same slack room.
Any help is appreciated!

https://sprint.ly/blog/5-steps-to-a-slack-integration/
Slack’s outgoing slash command requests need to be sent to a public facing url, which is a problem if we want to receive these messages to our local development server.
How do we solve this?
One way is with the use of a secure tunnel which acts as a public HTTPS URL for our local development server. Problem solved!
Who provides this service?
ForwardHQ provides the best user experience, including a browser extension for setting up a local tunnel in one click. They have a free 7 day trial.
My preferred option is ngrok. It’s free for one concurrent tunnel client, with no time restriction. Woop! It's a little harder to use but it does the job.

Related

Error when setting up webhook with Ngrok/WhatsApp

I am trying to set up a WhatsApp bot using voiceflow, based on the tutorial found here. I've set this up before and everything has worked fine, but now I can't seem to configure the webhook.
The steps I'm performing are as follows:
Clone the repo here
Checked ngrok is installed (version 3.0.7), and its location (/usr/local/bin/ngrok)
Created a .env file at the root with the VERIFY_TOKEN, PORT, and WHATSAPP_TOKEN
Started the app from root with npm start
Started ngrok with ngrok http 8000 (the same port as specified in my .env)
Checked the resulting address works in the browser
According to the documentation, I then configure the webhook by adding "/webhook" to the end of the URL, and adding the same VERIFY_TOKEN as specified in my .env file. This, however, gives me the following error:
The callback URL or verify token couldn't be validated.
Please verify the provided information or try again later.
I've had a look around at similar questions here, but could not find what was wrong. I have also spoken to others who encountered similar issues over the last few weeks. This process was working up until recently (Nov 2022).
The error message "The callback URL or verify token couldn't be validated. Please verify the provided information or try again later." usually means you are not returning a 200 response to the webhook origin. I would make sure your code is returning a 200 to WhatsApp.
As an alternative, try to set the webhook on glitch as explained here:
https://developers.facebook.com/docs/whatsapp/sample-app-endpoints#cloud-api-sample-app-endpoint
so that you can check if your meta account is valid.
From what I have found it seems that feature is now behind a paywall. It worked fine a few months ago on the free tier of ngrok. So you will need to upgrade your ngrok subscription for WhatsApp to start validating. You can read about it here. Try using Cloudflare tunnel.

IBM Watson Assistant: Access issues when using ngrok for webhook URL

Good morning everyone. I am developing an application that uses the watson assistant webhook by sending some parameters to a server, which analyzes the parameters and based on these sends a response to the application and to watson itself.
Well, it turns out that I was using ngrok to do this test by placing the parameters in watson, until a few days ago I couldn't (or it doesn't exactly let me) make the request.
Error
Cannot create property 'transactionId' on string ' Access Denied Access Denied You don't have permission to access "http://us-south.assistant.watson.cloud.ibm.com/rest/v2/skills/ on this server. Reference '
I have tried other applications that allow me to do the same work as ngrok, but I am new to this and it is very complicated. LOCALTUNNEL solved my problem temporarily, but later it didn't work anymore. I also tried with portmap.io, serveo, pagekite, smee.io among others and I still can't perform my requests.
I would really appreciate any help with my problem. Thank you very much.

YouTube Data API v3 OAuth setup from Python

I am using Python to directly run a script that automatically replies to users' comments.
I have a client secrets file after applying for a web-application. However, when I run for credentials, it first asks me to Please visit this URL to authorize this application and then when I clicked on it, it gives me this error:
Error 400: redirect_uri_mismatch The redirect URI in the request, urn:ietf:wg:oauth:2.0:oob, can only be used by a Client ID for native application. It is not allowed for the WEB client type. You can create a Client ID for native application at.
What application should I have applied for the OAuth in this case?
I know that this issue could be related to redirect URL. But because I am running this out of my script on my local computer, I am wondering what my URL should be.
You have to acknowledge that your issue above is precisely due to the redirect URI mismatch. The error response you got from the API is indicating this to you.
To fix your issue, you'll have to have the same redirect URI set on your project within Google developers console and, at the same time, within your Python script.
If you indeed are running your application on your desktop (laptop) computer, then follow the error message's advice: within Google developers console, do set your project type to be of Desktop kind.

Google app engine bot attack?

I have an application in Google app engine that only runs cron jobs and uses a backend, so there are no incoming requests from any client. I noticed that a request from a user named 'niki-bot' was received and I'm quite surprised as my app url does not appear anywhere; it's only used by the admin account which sends cron requests. Fortunately I had set up security on my crons so this user got a 403 forbidden message, but I'm still wondering how this could happen. Has any of you guys experienced something similar?
You were likely running the 'Awesome Screenshot' plugin in your browser, or similar software which leaks all your browsing history to an upstream service - that upstream service appears to return with a niki-bot crawler to scrape or do something with those 'impossible to otherwise find' URLs.
Read more about it here: https://mig5.net/content/awesome-screenshot-and-niki-bot
As I think you are aware, backends are addressable to the outside world, it's only the public/private status and the security level applied to the endpoints that determines if the calls are successful.
Regarding how a bot would have gotten your App ID, I suppose they could just be trying random ones to see if there is anything they can exploit.
Were the requests for standard admin endpoints? I get many random requests for the PHP files below, and my app isn't even on PHP. People just trying to attack known systems (this is on my front-end module):
/mysqladmin/scripts/setup.php
/myadmin/scripts/setup.php
/MyAdmin/scripts/setup.php
/pma/scripts/setup.php
/phpMyAdmin/scripts/setup.php
/phpmyadmin/scripts/setup.php
/db/scripts/setup.php
/dbadmin/scripts/setup.php

Pitfalls of accessing a webserver on 127.0.0.1 from js with a public site

I'm thinking about exploring the idea of having our client software run as a service on a high port and listen for simple http GET requests from 127.0.0.1. The theory is that I would be able to access this service via js from a web page that is served from my site.
1) User installs client software that installs itself as a service and waits for authenticated requests on 127.0.0.1:8080
2) When the user hits my home page js on the page makes an xhtml request to 127.0.0.1:8080 and asks for the status
3) The home page then makes another js request back to my web server sending the status that it received.
This would allow my users to upload/download and edit files on a USB attached device in real-time from a browser. Polling could be the fallback method which is close to what we do today.
Has anyone done this and what potential pitfalls are there? Will this even work?
I can't see any potential pitfalls. I do have a couple of points however.
1/ You probably want to make sure your service only accepts incoming connections from the local machine (127.0.0.1). Otherwise, anyone could look at your JavaScript and figure out that it's talking to [your-ip]:8080. They could then try that themselves from a remote site (security hole).
2/ I wouldn't use port 8080 as it's commonly used for other things (alternate HTTP servers, etc.). Make it configurable and choose a nice high random-type value.
3/ I'm not sure what you're trying to do with point 3 but I think you're trying to send the status back to the user. In which case, why wouldn't the JavaScript on your home page just get the status in a single session and output/update the HTML to be presented to the user? Your "another js request back to my web server" doesn't make sense to me.
You may not be able to do a xml http request to 127.0.0.1 as XMLHTTPRequest is usually limited to the same domain as the main content is being served from. I'm not sure if this restriction applies if the server is on the client's machine. That being said, you could still create a <script> tag that had the src pointing to 127.0.0.1, and have the web server return some Javascript to run. If you only need a simple response, this could work well.
I think it is much better for you to avoid implementation of application logic in JavaScript and html. Once user clicks button on a web page JavaScript should send request to your service and allow it do the rest of the work.
You could have problems with step 1 (Client installs itself) depending on your target user base.
You will need a customised install for each supported environment (Win2K, Vista, Linux, MAC OS 9.0/10.0 etc.).
If your user is on a locked down at work PC this simply won't be allowed.
To some users this might look distressingly similar to a trojan unless you explicitly point out you will be installing software that runs as a service.
You didn't mention an uninstall procedure. Users resent "Adobe" like software which installs itself and provides no sensible un-install options.
Otherwise the approach is sound, and there are a couple of commercial products out there that use exactly this approach!
