Alexa skill: The skill end-point is not validating the signatures for incoming requests and is accepting requests with an empty signature URL. #110

Open
isabelacmor opened this issue Jan 9, 2018 · 6 comments


@isabelacmor

We're using Claudia.js to deploy a lambda function for an Alexa skill. Everything works on their platform after running claudia update locally, but when we submit the skill for certification, it fails and says:

The skill end-point is not validating the signatures for incoming requests and is accepting requests with an empty signature URL. Please check if your signature validation is correct. To reject an invalid request (with an invalid signature or certificate), the skill should respond with an HTTP status code 400 (Bad Request). Please refer to our documentation on how to build your Alexa Skill as a web service and validate requests and signatures.

  • Link to a minimal, executable project that demonstrates the problem:
    Our skill's repo: https://github.com/tylerl0706/alexa-spell

  • More info:
    In the Alexa skill SSL cert page, I put in the URL generated by Claudia and also checked the "My development endpoint is a sub-domain of a domain that has a wildcard certificate from a certificate authority" option.

@TylerLeonhardt

Hey there - Isabela and I are working on this online hackathon and the deadline is coming up, so if you have any suggestions, we're all ears!

FWIW, I attempted to add "Alexa Skills Kit" to the lambda function hoping that would fix it (I, of course, updated the https url to the ARN) but instead, our skill now throws:

{ "errorMessage": "event does not contain routing information" }

Any thoughts? We are desperate and are depending on you guys 😢

Originally opened here: claudiajs/claudia#143

@simalexan
Member

@tylerl0706 @isabelacmor we'll take a look

@TylerLeonhardt

Thanks @simalexan! Looking forward to your response.

@gavinr

gavinr commented Jan 10, 2018

We are having this issue too with getting our Alexa skill approved. Note that there are multiple requirements for verification, including:

  1. Verifying the signature certificate url:
    1. The protocol is equal to https (case insensitive).
    2. The hostname is equal to s3.amazonaws.com (case insensitive).
    3. The path starts with /echo.api/ (case sensitive).
    4. If a port is defined in the URL, the port is equal to 443.
  2. Checking the timestamp of the request is within less than 150 seconds
  3. Check the signature of the request
    1. There are multiple parts to verifying the SSL certificate is valid (see link)

I have written code to address 1 and 2 above, but Amazon will only accept the rejection if you reply with an HTTP 400 code. As far as I can see, there is no way to get your lambda function to return an HTTP 400 code when using claudia-bot-builder - is this correct? I would be interested in simply getting this working since I assume getting all those checks into the bot builder might take some time.
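
Checks 1 and 2 from the list above, as an added example (not code from this thread or from claudia-bot-builder), including the empty signature URL case from the certification failure. The `Signature` and `SignatureCertChainUrl` header names and the `request.timestamp` body field follow the Alexa request format; the function names are hypothetical, and check 3 is out of scope here.

```javascript
// Added example. Covers checks 1 and 2 only; check 3 (certificate chain and
// signature verification) must still run before a request is trusted.
const MAX_SKEW_MS = 150 * 1000; // tolerance from item 2 of the list

// Check 1: signature certificate URL rules, in the order listed above.
function isValidCertUrl(rawUrl) {
  if (typeof rawUrl !== 'string' || rawUrl.trim() === '') return false; // empty URL
  let url;
  try {
    url = new URL(rawUrl); // lower-cases scheme and host, resolves "../" in the path
  } catch (err) {
    return false;
  }
  return url.protocol === 'https:' &&
    url.hostname === 's3.amazonaws.com' &&
    url.pathname.startsWith('/echo.api/') && // case sensitive
    (url.port === '' || url.port === '443'); // URL drops the default :443
}

// Check 2: request timestamp within the allowed window.
function isFreshTimestamp(isoTimestamp, nowMs) {
  const sentMs = Date.parse(isoTimestamp);
  return Number.isFinite(sentMs) && Math.abs(nowMs - sentMs) < MAX_SKEW_MS;
}

// Returns { reject: true, statusCode: 400, reason } or { reject: false }.
function precheckAlexaRequest(headers, rawBody, nowMs = Date.now()) {
  const h = {};
  for (const [k, v] of Object.entries(headers || {})) h[k.toLowerCase()] = v;
  const deny = (reason) => ({ reject: true, statusCode: 400, reason });

  if (!h['signature']) return deny('missing Signature header');
  if (!isValidCertUrl(h['signaturecertchainurl'])) return deny('bad certificate URL');
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch (err) {
    return deny('body is not JSON');
  }
  const ts = body && body.request && body.request.timestamp;
  if (!isFreshTimestamp(ts, nowMs)) return deny('stale or missing timestamp');
  return { reject: false }; // signature itself is still unverified at this point
}

// Constructed sample request (not captured traffic).
const sampleHeaders = { Signature: 'c2FtcGxl', SignatureCertChainUrl: '' };
const sampleBody = JSON.stringify({ request: { timestamp: new Date().toISOString() } });
console.log(precheckAlexaRequest(sampleHeaders, sampleBody)); // empty URL is rejected with 400
```
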

@TylerLeonhardt

@gavinr we ended up using https://github.com/stojanovic/alexa-skill-kit while they work on fixing this issue. It seems to work!

@NODayLikeToday

+1 for the issue @gavinr describes. We're running into the same issues and don't have the bandwidth to build in this functionality ourselves (nor the time). Any updates @simalexan?
