Required c# code instead of Js functions for Kore bot Implementation

nilam.n.pawashe · February 2, 2021, 3:12pm

Hi Team,

We are facing vulnerability issues , we are planning to move all client side code to server side. Kindly help us to provide c# code for kore bot implementation.

Let us know if any additional information required .

Regards,
Nilam Pawashe.

swagata.sengupta · February 2, 2021, 3:16pm

@nilam.n.pawashe
Do you have an account manager from Kore?
Your requirement needs more clarity -
Are you talking about web-sdk in github? If yes, we do not have any C# code available readily. You will need to work with the account manager.
We would strongly advise you to report the vulnerabilities you have identified with us so that they can be validated and fixed if required.
@yogaramya.mendu @srirama.yadlapalli

nilam.n.pawashe · February 3, 2021, 3:49pm

Hi Swagata,

Thanks for your reply.

We are not aware who is our account manager from Kore. We have used client id and secret key in JavaScript file which is visible in developer’s window in result team has found it as vulnerability.

We have converted all client side code into server side code now we are facing issue while converting chatwindow.js into c# code. As chatwindow is inbuilt functionality of Kore chat bot. Requesting you to provide chatwindow is in c# if available.

Let me know if further info required feel free to contact.

Regards,
Nilam Pawashe.

swagata.sengupta · February 3, 2021, 4:21pm

@nilam.n.pawashe
You need not worry. JWT service / URL is outside our web-sdk and usually hosted by customer/ end users.

Yes, we need client id and secret for generating JWT but this can very easily be obfuscated/ obscured from client-side (SDK). Say you pass ‘CID’ and ‘CSECRET’ from client to the JWT generation service (usually called an STS service). For demonstration purpose we have it in kore-config.js but you may as well pass dummy and override it in server.

One demo JWT service can be found in SDK Demo App mentioned in Getting started with widget sdk (v7.2 onwards)
There, under /routes/users.js you will see a demo JWT service. client ID and secret can very easily be overridden using some config/ hardcoded there.

And you need to have your own JWT service created in any of the tech stacks. Here are some Tips on setting up JWT service.