-
Notifications
You must be signed in to change notification settings - Fork 1.5k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
44 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
<!DOCTYPE html> | ||
<html lang="en-US"> | ||
<head> | ||
<title>Web Chat: Using Web Chat v3</title> | ||
<!-- | ||
If you want to continue to use the deprecated Web Chat v3, you can use our bundle "botchat.js" or "botchat-es5.js". | ||
Please note that v3 does not have similar customizability and style options as in v4. | ||
--> | ||
<link rel="stylesheet" href="https://cdn.botframework.com/botframework-webchat/latest/botchat.css" /> | ||
<script src="https://cdn.botframework.com/botframework-webchat/latest/botchat.js"></script> | ||
<style> | ||
html, body { height: 100% } | ||
body { margin: 0 } | ||
|
||
#webchat, | ||
#webchat > * { | ||
height: 100%; | ||
width: 100%; | ||
} | ||
</style> | ||
</head> | ||
<body> | ||
<div id="webchat"></div> | ||
<script> | ||
(async function () { | ||
// In this demo, we are using Direct Line token from MockBot. | ||
// To talk to your bot, you should use the token exchanged using your Direct Line secret. | ||
// You should never put the Direct Line secret in the browser or client app. | ||
// https://docs.microsoft.com/en-us/azure/bot-service/rest-api/bot-framework-rest-direct-line-3-0-authentication | ||
|
||
const res = await fetch('https://webchat-mockbot.azurewebsites.net/directline/token', { method: 'POST' }); | ||
const { token } = await res.json(); | ||
|
||
BotChat.App({ | ||
directLine: { token }, | ||
user: { id: 'userid' }, | ||
bot: { id: 'botid' }, | ||
resize: 'detect' | ||
}, document.getElementById('webchat')); | ||
})().catch(err => console.error(err)); | ||
</script> | ||
</body> | ||
</html> |
883e4ef
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@compulim I'm just hanging around and see "You should never put the Direct Line secret in the browser or client app." I have read that would be useful to distribute the bot as public. So other people would host the service in their sites. This warning: If you use this option, other developers can embed your bot into their websites by simply copying your embed code on MS Docs
883e4ef
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Our platform is currently that way, we need to implement a switch.
883e4ef
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure. It is also bad on our side, we told you to put the secret in
<IFRAME>
, we are changing that.You can write a token server that look at HTTP referrer/origin and generate token based on different secret. But be sure to run thru threat modelling and understand the risk. Going production isn't easy.
With the secret, anyone can pretend to be someone else, think about (not exhaustive):
Anyway, thank you for digging into PRs. You are a real developer. :)
883e4ef
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's a real power phrase, thank you - as well for information and code.
Hey, we got several HTTP listeners on our platform to help building .gbui (package type, there are: .gbkb - Excel based Knowledge Base, .gbot - metadata and services.json a .bot basically they were born together I believe as GitHub dates and of course .gbapp a true Node.js plugabble bot package), here is an example:
https://github.com/pragmatismo-io/BotServer/blob/azure-arm-automation/packages/core.gbapp/services/GBMinService.ts#L123
Regards,
Rodrigo.