• Resolved doozersmagic

    (@doozersmagic)


    Team,

    In the plugin configuration we need to provide the API key and Assistant URL, which are quite sensitive information. It’s easy and straightforward – cool, but…

    QUESTION: is it possible for an end-user to retrieve the API key from HTML, JS or cookies generated by WordPress when accessing a web page with the Web Watson Assistant widget on it?

    The question is quite important because, as far as I can see, you are not securing the WA REST API calls using JWT.

    Guys, I would be extremely grateful if you provide the answer. It’d be lovely if you could elaborate a bit about the data flow between the end-user web browser and the WA service in IBM Cloud for a better understanding of security issues, if there are any.

    Doozer

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author intelahelp

    (@intelahelp)

    Hello @doozersmagic,

    The end user cannot get the API key from the sources you listed.
    When sending a message, the user sends a request to your WordPress server. This request does not contain any confidential information, only information required to continue the dialogue (user message, ID of the dialogue session, context variables). Further, after processing the received information on the server, using the “wp_remote_post” function (performs an HTTP request using the POST method and returns its response), a JWT-protected request is sent to the Watson Assistant.

    Kind regards,
    Support for WordPress plugin “Chatbot with IBM Watson”
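
One way to check the claim above on your own site, as an added example that is not part of the original posts and is not the plugin's code: capture what a page load hands to the browser (HTML, inline JS, `Set-Cookie`) and search it for the configured key in the encodings it could plausibly take. The key, the page fragments, the endpoint path and the cookie below are constructed, and the `apikey:` Basic-auth form is an assumption about how a key might be encoded.

```python
import base64
import binascii
from urllib.parse import quote

SAMPLE_KEY = "EXAMPLE-api_key-0123456789"  # constructed placeholder, not a real key

def secret_variants(secret):
    """Encodings in which a server-side key could surface in browser-visible data."""
    raw = secret.encode()
    candidates = {
        "plain": secret,
        "percent-encoded": quote(secret, safe=""),
        "hex": binascii.hexlify(raw).decode(),
        "base64": base64.b64encode(raw).decode().rstrip("="),
        "base64url": base64.urlsafe_b64encode(raw).decode().rstrip("="),
        # Assumption: key used as the password of HTTP Basic user "apikey".
        "basic-auth": base64.b64encode(b"apikey:" + raw).decode().rstrip("="),
    }
    unique = {}
    for label, value in candidates.items():
        if value not in unique.values():  # drop encodings identical to an earlier one
            unique[label] = value
    return unique

def find_leaks(secret, surfaces):
    """Return (surface, encoding) pairs where the secret is visible to the browser."""
    hits = []
    for name, text in surfaces.items():
        for label, needle in secret_variants(secret).items():
            haystack = text.lower() if label == "hex" else text
            if needle in haystack:
                hits.append((name, label))
    return hits

# Constructed capture of what one page load hands to the browser.
CLEAN = {
    "html": '<div id="chat-box" data-session="c1f0a7"></div>',
    "inline_js": 'var chatSettings = {"endpoint": "/wp-json/example/v1/message"};',
    "set_cookie": "chat_session=c1f0a7; Path=/; HttpOnly",
}
# Same capture, but a script block carries the Basic-auth form of the key.
LEAKY = dict(CLEAN, inline_js='var chatSettings = {"auth": "%s"};'
             % base64.b64encode(b"apikey:" + SAMPLE_KEY.encode()).decode())

if __name__ == "__main__":
    print("clean:", find_leaks(SAMPLE_KEY, CLEAN))
    print("leaky:", find_leaks(SAMPLE_KEY, LEAKY))
```

An empty result for every page that embeds the widget is what the server-side proxy design described above should produce; run it against the responses to the chat requests as well, not only the initial page.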

    Thread Starter doozersmagic

    (@doozersmagic)

    Awesome @intelahelp – you guys did a really great job! I don’t get the JWT stuff you described, because there is no private key required in the plugin config, but it is a minor thing now – you’ve designed it really great, so the JWT stuff isn’t important anymore.

    • This reply was modified 3 years, 9 months ago by doozersmagic.
    Plugin Author intelahelp

    (@intelahelp)

    Hello @doozersmagic,

    We are glad that everything works for you now.
    Feel free to contact us if you have any further questions or concerns.

    Kind regards,
    Support for WordPress plugin “Chatbot with IBM Watson”

  • The topic ‘security question to Watson Assistant Plugin’ is closed to new replies.