Secure Session

Secure session is currently supported in two ways, via a Baas call and via an AuthProfile. The secure session is set at a bot level. Below is the configuration needed to set this up generically for a bot.

Enabling secure sessions on a bot via the cli

First find the bot you want to add secure session to. Take note of the bot Name.

You will need to then run the following command in the cli: sb-cli bot update bot.json

bot.json file looks like this:

  "Name": "yourbotname",                // Your bot name
  "SecureSession": true,                // Enable secure session
  "SecureSessionConfig": {
    "ApiAlias": "secureSessionApi",     // The BAAS or AuthProfile alias you created previously
    "ErrorMessage": "Error message for when session is invalid",    // Invalid secure session error
    "ValidationInterval": "10",         // Validate session every 10 seconds
    "Type": "authProfile"               // The type of the secure session, currently baas and authProfile supported

This will enable secure session on the bot and checks every message ingested into the system. The call to the authorization service defined in the ApiAlias is made once we pass the ValidationInterval. So in the above scenario, if the 10 second Validation Interval has passed since the last time the session was validated against the authorization service, the session must be validated again, at which time the interval period of 10 seconds will be reset. If the session is invalid or a secure session is required, the ErrorMessage will be displayed to the user. In the case of an oauth2 authProfile a message containing the link for them to validate, will be displayed to the user.

Before the user has been signed in they will see a lock icon on the top right of messenger Unauthorized Once they have secured their session they will get a shield icon on the top right of messenger Authorized

For the ErrorMessage field you can use either markup or a normal message, when you use a normal message like “You need to login to continue” this will be sent out with a link appended the end of the message. This field also supports markup. If sending markup the link will be applied to available within the context of the markup. This means that when you send say a ButtonCard like so:

<TimelineMessage><ButtonCard title="You need to be logged in to continue" interactionType="none" urlTitle="Login" linkOpenTarget="self" showIcon="true" url="${link}"/> </TimelineMessage>

You can see the url="${link}" which will apply the link for oauth into the markup you. You must add the url="${link}" to your markup or else you will get the wrong link appearing in messenger.

Once your bot is configured for secure session, proceed to the creation of an Api Connector (Baas or AuthProfile).