
I'm making a Google Chat bot with NestJS. It accepts slash commands and allows for interaction with an already existing system. The messages returned on the POST endpoint sometimes include private info or JWTs, so I need to improve security.

I need a way to authenticate and reliably identify the user that triggered the bot command. Currently I'm using the user email provided in the POST body and validating the Bearer token from the header.

Is there a good way to authenticate the user and make sure someone didn't just change the email in the request body?

A solution that could work:

Instead of returning the reply message contents in the POST response, send the message directly to the user it was requested for.

So even if someone changes the email in the request body to someone else's, they do not get the reply; only the requested email gets it.

Vid
  • What about using the new [Google Identity Service](https://developers.google.com/identity/oauth2/web/guides/migration-to-gis#the_new_way) to authenticate the users? You can decode and [verify](https://developers.google.com/identity/gsi/web/guides/verify-google-id-token) the response in your backend server, and be sure that no one messes around with your requests. – Emel May 26 '22 at 12:11
  • @Emel could I use that with the Google chat bot though? I cannot modify the request sent to my server by the google chat server. – Vid May 27 '22 at 06:40
  • Sorry if I misunderstand the functioning of your application, but if I am correct, the message FROM GOOGLE includes the email of the sender, so why do you need an extra security layer? – Emel May 30 '22 at 07:34
  • @Emel I have no good way to verify that the message was actually from Google and not just somebody else. – Vid May 30 '22 at 15:47
  • But your message will always be returned to a valid source, right? Inside a Google chat? In the case that the server returns the request to anyone who makes a POST request, the safest thing would be to implement a CORS system or as you say, send the response by email. – Emel May 31 '22 at 11:19
  • The way I now implemented works, but I was wondering if there's a way to authenticate/verify the POST request body. I will also look into implementing a CORS system, as you've said. Thank you – Vid May 31 '22 at 13:07

1 Answer


You can verify the authenticity of the app by checking the bearer token sent to the server:

POST
Host: yourappurl.com
Authorization: Bearer AbCdEf123456
Content-Type: application/json
User-Agent: Google-Dynamite

Google Chat includes a bearer token in the Authorization header of every HTTPS Request to an app.

You can verify your bearer token using an open-source Google API client library, in your case the Node.js one.

You can review the full guide here

Emel