security question to Watson Assistant Plugin

  • Resolved doozersmagic

    (@doozersmagic)


    5 years, 1 month ago

    Team,

    in the plugin configuration we need to provide API key and Assistant URL which are quite sensitive information. It’s easy and straightforward – cool, but…

    QUESTION: is it possible for end-user to retrieve API key from: HTLM, JS or cookies generated by WordPress when accessing web page with Web Watson Assistant widget on it?

    question is quite important because as far as I can see you are not securing the WA REST API calls using JWT.

    guys I will be extremely appreciated if you provide the answer. I’d be lovely if you could elaborate a bit about data flow between end-user web browser and WA service in IBM Cloud for better understanding security issues, if there are any.

    Doozer

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Intela-bot Help

    (@intelahelp)

    5 years, 1 month ago

    Hello @doozersmagic,

    The end user cannot get the API key from the sources you listed.
    When sending a message, the user sends a request to your WordPress server. This request does not contain any confidential information, only information required to continue the dialogue (user message, ID of the dialogue session, context variables). Further, after processing the received information on the server, using the “wp_remote_post” function (performs an HTTP request using the POST method and returns its response), a JWT-protected request is sent to the Watson Assistant.

    Kind regards,
    Support for WordPress plugin “Chatbot with IBM Watson”

    Thread Starter doozersmagic

    (@doozersmagic)

    5 years, 1 month ago

    awesome @intelahelp – You Guys did really great job! I don’t get the JWT stuff you described, because there is no private key required in plugin config, but it is minor thing now – you’ve designed it really great, so JWT stuff isn’t important anymore.

    • This reply was modified 5 years, 1 month ago by doozersmagic.
    Plugin Author Intela-bot Help

    (@intelahelp)

    5 years, 1 month ago

    Hello @doozersmagic,

    We are glad that everything works for you now.
    Feel free to contact us if you have any further questions or concerns.

    Kind regards,
    Support for WordPress plugin “Chatbot with IBM Watson”

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘security question to Watson Assistant Plugin’ is closed to new replies.