Reputation: 632
I have developed a chatbot using Microsoft BotFramework and node.js and deployed it in webchat. As per this documentation, it is written that the bot's secret 's' can be replaced with a temporary token 't' which is valid for one conversation only.
But the problem is the life span of this token is 30 minutes and within this time window, if some intruder accesses the entire URL: "https://webchat.botframework.com/embed/YOUR_BOT_ID?t=YOUR_TOKEN_HERE&userid=some_user_id" then it is just child's play for him to get all of the user's data, because it mimics the chat of the actual user on the other machine.
Is there anything in the BotFramework (apart from DirectLine) that can be done that restricts the URL with the same token from being opened on another machine?
Upvotes: 0
Views: 70
Reputation: 13918
There is an issue on GH which is facing the same event as you, and from the comments, we can find that this situation will not be changed currently.
However, we can get some hints from the comment:
Ultimately, you can't hide the secret/token from clients.
- If you want to remove it from the URL, you can host the JS control on your own.
- If you want to remove it from page source, you can pass the value in a cookie and read it in JS in your webpage.
However, in all cases, the value will be available in memory.
I think you can build another simple web site yourself as the bridge between the iframe and your bot application. You can restrict whether your user is unique in this website's session. And also you can verify your user before instantiating the Bot WebChat.
Upvotes: 1