Comments (1)
The solution was easier than I thought. There is no need to pass any security token to the bot.
The only thing to do is to link the user ID in the Direct Line token, that way, Direct Line can perform an additional validation, as described in the documentation:
Direct Line can perform additional security validation of the user ID and name, inhibiting tampering of these values by malicious clients.
This means that Direct Line will use the user ID attached to the token, regardless of whether a malicious user tries to alter it.
However, there is a problem: the person ID (the identifier of a user's personal information) field is still manipulable. Any malicious user can modify this field. So the proposed solution is to embed the person ID together with the user ID in the Direct Line token.
Example:
{
  "user": {
    "id": "dl_{userID}-{personID}"
  }
}
{userID} and {personID} must be replaced by their respective IDs. Then, on the bot side, you can add code that is in charge of splitting the ID to obtain both values.
If this process is not performed, a malicious user may provide their own person ID and attempt to schedule an appointment for another user without their consent.
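The two halves of the scheme described in the comment, as an added example that is not code from the project or the commenter: building the token-generation request body that binds both IDs into the Direct Line user ID, and, on the bot side, splitting the token-bound ID back out and refusing any person ID supplied in the activity payload that disagrees with it. The project itself is .NET; Python is used here only because the scheme is language-neutral. The "dl_" prefix comes from the comment and the Direct Line docs; the "-" separator, the alphanumeric-only restriction on each ID (so the composite can be split unambiguously), the 64-character limit and the `activity["value"]["personId"]` payload field are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Direct Line requires the user id bound to a token to start with "dl_".
# The "-" separator and the alphanumeric-only rule for each id are this
# example's own choices so the composite id can be split unambiguously.
DL_PREFIX = "dl_"
ID_PART = re.compile(r"^[A-Za-z0-9]+$")
BOUND_ID = re.compile(r"^dl_([A-Za-z0-9]+)-([A-Za-z0-9]+)$")
MAX_USER_ID_LEN = 64  # assumed limit on Direct Line user ids


def build_token_request(user_id: str, person_id: str) -> dict:
    """Body for POST /v3/directline/tokens/generate binding both ids to the token."""
    for part in (user_id, person_id):
        if not ID_PART.match(part):
            raise ValueError(f"id must be alphanumeric: {part!r}")
    composite = f"{DL_PREFIX}{user_id}-{person_id}"
    if len(composite) > MAX_USER_ID_LEN:
        raise ValueError("composite user id too long")
    return {"user": {"id": composite}}


@dataclass(frozen=True)
class BoundIdentity:
    user_id: str
    person_id: str


def parse_bound_identity(from_id: str) -> Optional[BoundIdentity]:
    """Split activity.from.id back into the two ids; None if not in the bound format."""
    m = BOUND_ID.match(from_id)
    if m is None:
        return None
    return BoundIdentity(user_id=m.group(1), person_id=m.group(2))


def resolve_person_id(activity: dict) -> str:
    """Return the person id the bot should trust for this activity.

    Only activity["from"]["id"] is covered by Direct Line's validation, so it
    is the single source of truth. A personId carried in the payload
    (activity["value"], assumed field name, e.g. from a card submit) is
    compared against it and rejected on mismatch instead of being used.
    """
    bound = parse_bound_identity(activity.get("from", {}).get("id", ""))
    if bound is None:
        raise PermissionError("conversation is not bound to a user/person id")
    claimed = (activity.get("value") or {}).get("personId")
    if claimed is not None and claimed != bound.person_id:
        raise PermissionError(
            f"payload personId {claimed!r} does not match token-bound {bound.person_id!r}"
        )
    return bound.person_id


# Constructed sample activities (not captured from a real Direct Line channel).
SAMPLE_OK = {"type": "message", "from": {"id": "dl_42-7"}, "value": {"personId": "7"}}
SAMPLE_TAMPERED = {"type": "message", "from": {"id": "dl_42-7"}, "value": {"personId": "9"}}

if __name__ == "__main__":
    print(build_token_request("42", "7"))
    print("trusted person id:", resolve_person_id(SAMPLE_OK))
    try:
        resolve_person_id(SAMPLE_TAMPERED)
    except PermissionError as exc:
        print("rejected:", exc)
```

The token request is sent from the back end that holds the Direct Line secret, so the client only ever sees the resulting token; the bot then reads the person ID exclusively from `from.id`, which is the value Direct Line enforces, and treats any payload copy of it as untrusted input to be checked, never as the value to schedule against.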