Will there be support on verifying Facebook Graph API Calls with appsecret_proof?

[XY-Wang]

Hi guys,

I've noticed recently that there has been very suspicious behaviour on one of our bots where there are lots of concurrent new user sessions being created which do not appear as conversations in the bot FB page. This completely overloads the bot and normal user messages can't get through. I applied validate_requests: true to my bot and it seems to hold off this behaviour. So, many thanks for developing this and shame on me for not applying it sooner.

On another note, I've been reading about FB security and came across the "Require app secret" setting in the app page:

We can secure our API request by adding a parameter appsecret_proof as described in FB's documentations: https://developers.facebook.com/docs/graph-api/securing-requests/

Will Botkit support this in the near future? It would be great to have additional security measures to avoid other possible suspicious behaviour.

[ouadie-lahdioui]

Yes, Botkit will support this FB recommandation, PR is already here #1170.

Thanks for the report ;)

[peterswimm]

Closing this for now, please follow the above linked thread for progress!