Adding JWT Auth To Rasa SocketIO Chatbot
In this blog post we are going to talk about how to take your existing or new Rasa chatbot and ensure it has JWT auth set up for the Rasa Chat Widget, which uses SocketIO for the connection. If you don't specify a jwt_key option, the SocketIO channel isn't secured, and anyone could technically communicate with your bot if it's public.
So instead we want to use JWT auth with Rasa and the Rasa Chat Widget channel connector, so that only the web chat instance we supply with the proper key information will work.
Creating JWT Token
First things first, we need to generate a JWT token; we can use https://jwt.io/ to accomplish this.
You will notice from the image here that we have set up payload data with just sender_id, which from my testing I think is required in order for this to work. The other thing you will want to do is in the section where you see testing: set up a long, secure secret to be used for this.
This is then the same value you will use in the credentials.yaml file for Rasa; supply that secret value for jwt_key in the config like:
socketio:
  user_message_evt: user_uttered
  bot_message_evt: bot_uttered
  session_persistence: true
  jwt_key: testing
  jwt_method: HS256
Ensure you don't put this value in version control; I would recommend supplying it through an environment variable instead.
Setting Up Web Chat
Now we can take the encoded value we got from the previous step above, which is on the left side of the screenshot. We want to put this into the Rasa Web Chat configuration like so, in order for the bot to communicate and allow it to work:
Now if we do a rasa run --cors '*' (or whatever you want to use for CORS), you should be able to talk to your bot locally through the web chat widget.
Now when you deploy this to, say, Kubernetes via Helm, you can just use this same SocketIO config in the values setup. From then on only clients presenting a JWT encoded with the proper secret will actually be able to work.
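To make the token step above concrete, here is an added example (not code from Rasa or the chat widget) that builds the same kind of HS256 token as jwt.io, with a payload holding only sender_id, and then checks it the way the server side must: signature verified with the jwt_key secret, algorithm pinned to jwt_method. The RASA_JWT_KEY environment variable name and the fallback secret are my assumptions for illustration; it uses only the standard library.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Optional

# Shared secret: the same value as jwt_key in credentials.yml. Read from an
# env var (assumed name) so it stays out of version control; the fallback is
# a placeholder for local testing only.
JWT_SECRET = os.environ.get("RASA_JWT_KEY", "replace-with-a-long-random-secret")

def _b64url(data: bytes) -> str:
    """JWT uses unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _sign(signing_input: bytes, secret: str) -> bytes:
    return hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()

def create_socketio_token(sender_id: str, secret: str = JWT_SECRET) -> str:
    """Compact HS256 JWT with the {"sender_id": ...} payload the widget sends."""
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url(json.dumps({"sender_id": sender_id}, **compact).encode())
    signature = _sign(f"{header}.{payload}".encode("ascii"), secret)
    return f"{header}.{payload}.{_b64url(signature)}"

def verify_socketio_token(token: str, secret: str = JWT_SECRET) -> Optional[dict]:
    """Server-side check. Returns the payload, or None for any malformed,
    wrongly signed, wrong-algorithm or sender_id-less token."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm to jwt_method; never trust "none" or a downgrade.
        if header.get("alg") != "HS256":
            return None
        expected = _sign(f"{header_b64}.{payload_b64}".encode("ascii"), secret)
        # Constant-time compare so signature checks do not leak timing.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers bad base64, bad JSON and wrong segment count
        return None
    return payload if "sender_id" in payload else None
```

Running it with the page's example secret "testing" and the same header and payload JSON reproduces the token jwt.io shows, and a token signed with any other secret is rejected.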
Hopefully this helps clear up a little bit how this works. As an FYI, this is completely separate from the HTTP API and the --jwt-auth flag in the rasa run command, so that is another thing you can also set up.