Messenger Documentation

Product Overview

ConverX Messenger (“Messenger”) is a rich conversational UI (user interface) for agents / bots built on Dialogflow. Seamlessly integrate Dialogflow agents into web & mobile apps delivering rich conversational experience. Messenger is built on Google Cloud (GCP) and tightly integrates with Dialogflow. All conversations through Messenger are secured with multi-layer security and encryption.

Architecture

ConverX Messenger (or “Messenger”) is comprised on two major components – Auth & Chat. Each one of them are designed for specific tasks and services.

Auth. This is the back-end module of Messenger. Auth acts like a bridge between the Chat module and Google Dialogflow. Auth is designed to manage authentication and authorization between Messenger and Google Cloud Platform (GCP), hence the name “Auth”.

Auth is built on Google’s Go (version 1.12) language running on an open-source framework and server, Beego – a microservices architecture. Adhering to the OAuth 2.0 specification, Auth uses the Go language’s open-source oauth2 package to provide authorization between Messenger and GCP. To ensure session authenticity and message integrity between Messenger and GCP, RSA-signed JWTs (JSON Web Tokens) are created and verified using the open source jwt package. Authentication and transport encryption between Messenger and GCP are provided by Go’s open-source crypto/tls package.

Auth connects to the Dialogflow API v2 via a GCP service account using an RSA private key that is associated with the service account. API calls are implemented through Google’s official Dialogflow package for the Go language. Explore setting up GCP service account and private key here – https://dialogflow.com/docs/reference/v2-auth-setup.

Chat. This is the front-end module of Messenger, built on the AngularJS 7 framework. Chat can be hosted on any webserver, like NGINX etc., and can use cloud storage that supports static websites like AWS S3 or Google Cloud Storage. SSL needs to be enabled on the hosting server to ensure that communication between the browser and application server are safe and secured.

Features

Quick Replies

Quick replies are displayed in Messenger as clickable buttons with pre-defined user responses. When clicked, the button text is sent to the agent as a user query. Setting up quick replies in Messenger for Dialogflow agents is simple and straight forward. Below code can be used to structure a response in Dialogflow as Custom Payload.

{

"DataflixMessenger": {

"text": "Message to be sent to user.",

"QuickReplies": [

"Option 1",

"Option 2"

]

}

}

HTML Response

Messenger renders HTML response when sent as a custom payload. Below are sample codes for reference.

{

"DataflixMessenger": {

"HTML": "Click <a href='https://www.dataflix.com'target='_blank'>here</a> to go to Dataflix."

}

}

HTML Code with Quick Replies

{

"DataflixMessenger": {

"HTML": "Click <a href='https://www.dataflix.com' target='_blank'>here</a> to go to Dataflix.",

"QuickReplies": [

"Academy",

"Products"

]

}

}

Clickable Links

Messenger automatically detects URLs, emails and phone numbers making them clickable by users. No custom payload code is required.

Add an Image

Messenger renders images with HTML response when sent as a custom payload. Below are sample codes for reference.

{

  "DataflixMessenger": {

    "HTML": "Click <a href='https://www.dataflix.com'target='_blank'>here</a> for more information or see overview below<br><img src='/folder/file.png' width='100%'>"

  }

}

Add an iframe

Messenger supports iframe code.

{

"DataflixMessenger": {

"HTML": "Response from the bot<iframe width='100%' height='150px' frameborder='0' scrolling='no' src= 'https://www.replacethis.com'> </iframe>"

}

}

Disable Input Box

Input box of Messenger can be disabled to let users only pick from one of the QuickReplies.

{

  "DataflixMessenger": {

    "inputbox": "hide",

    "QuickReplies": [

      "QuickReply 1",

      "QuickReply 2",

      "QuickReply 3"

    ],

    "text": "Response from Bot"

  }

}

Configuring Messenger

Setup

Messenger is setup by our support team. We will need the following to setup Messenger for a Dialogflow Agent. Support team will provide instructions on the information sharing processing.

• Project ID. Navigate to https://console.cloud.google.com, can be found under “Project info”.

• JSON Key – IAM & admin > IAM > Service accounts > [Dialogflow Integrations] > EDIT > CREATE KEY (Key type – JSON).

• Name of the Agent or your digital assistant. This will be displayed on the top banner of messenger.

Supported Browsers

• Chrome, latest

• Firefox, latest

• Edge, 2 most recent major versions

• IE 11, 10, 9

• IE Mobile 11

• Safari, 2 most recent major versions

• iOS, 2 most recent major versions

• Android Nougat (7.0), Marshmallow (6.0), Lollipop (5.0, 5.1), KitKat (4.4)

Security

Overview

We implement security controls at OSI layers 4 through 7 to ensure in-depth data protection – Chat to Autu to GCP. This documentations provides more specifics of our security controls and testing methodology, including:

• Data Transport Encryption

• Authentication & Authorization

• Session Authenticity & Message Integrity

• Application Security Testing & Code Review

Messenger only transmits data between user and GCP, no data is stored locally within Messenger.

Data Transport Encryption

Messenger integrates with GCP services using their standard / recommended approaches. All communications between the user and Messenger are secured using SSL (TLS >= v1.2). Any data that the user sends to Messenger is encrypted using the HTTPS protocol with a certificate from the hosting provider. Authentication and encryption of data in transit between Messenger and GCP is provided by Go’s open-source crypto/tls package. More details about transport encryption in Google’s cloud services can be found at: https://cloud.google.com/security/encryption-in-transit/#encryption_in_transit_by_default. Additional encryption can be implemented for specific use cases. Example: Communication that involves PII or any other sensitive data. Messenger only transmits data between user and GCP, no data is stored locally within Messenger.

Authentication & Authorization

Adhering to the OAuth 2.0 specification, Messenger’s Auth module uses the Go language’s open-source oauth2 package to provide authorization between Messenger and GCP. To ensure session authenticity and message integrity between Messenger and GCP, RSA-signed JWTs (JSON Web Tokens) are created and verified using the open source jwt package. Authentication and transport encryption between Messenger and GCP are provided by Go’s open-source crypto/tls package. Auth connects to the Dialogflow API v2 via a GCP service account using an RSA private key that is associated with the service account. API calls are implemented through Google’s official Dialogflow package for the Go language. More details on the Dialogflow API can be found here: https://cloud.google.com/dialogflow-enterprise/docs/reference/rest/v2-overview. Golang’s oauth2 package verifies that only authorized requests from Messenger are sent to GCP. API calls are implemented through Google’s official Dialogflow package.

Session Authenticity & Message Integrity

Cryptographic message signing and verification by Messenger ensures that data sent to GCP arrives unaltered. Both message integrity and session authenticity are accomplished using RSA-signed JWTs (JSON Web Tokens) which are created and verified using the open source JWT package.

Application Security Testing & Code Review

The Messenger application and source code has been tested looking for the OWASP Top Ten vulnerabilities and other common software flaws. The testing methodology has been multilayered:

• Vulnerability scanning using industry standard DAST tools

• Manual penetration testing

• Source code analysis using industry standard SAST tools

• Manual source code review

All testing has been according to methods and industry standards recommended by the Open Web Application Security Project (OWASP). Using automated vulnerability scanning tools, Dynamic Application Security Testing (DAST) has been combined with manual penetration testing. The DAST testing focused on checking for vulnerabilities defined in the latest (2017) version of the well-known OWASP Top Ten List. Additionally, Messenger’s front-end and back-end source code has been reviewed both manually and using Static Application Security Testing (SAST) Tools. The overall code review methodology has followed OWASP’s recent Code Review Guide v2.0.