How can i ensure the security of a chatbot protected by a payment gateway? As i have in the html page only an iframe, a quick “View Source” would compromise my direct URL to the TARS bot. Is there a way to validate that a chatbot is accesed by someone who is already logged in the paid area?
1 Like
Maybe you could run an API at the start of the bot that will only work if certain parameters are met. I guess the problem is how to add those parameters to an embedded bot though. 
Maybe having an option to switch the generated URL to private and/or password protected could work where embedded is not affected?
Unique pass will leak. There should be a way to be able to validate a valid paying user at the beginning…
Still thinking myself…
I guess I should clarify. I meant maybe they could add that feature in the TARS dashboard where we can set the URL private or password protected like in Wordpress. Then your users would be able to access it embedded, but if someone tried to hack using the physical URL of the bot they would be challenged with a password that only those with access to the dashboard would know (e.g. just you and your team).
that would be a sweeeet feature to have!
1 Like
I need this! Can someone from the team respond if this is possible
Hey @dan,
Authentication system in general is bit more complex than a simple password validation. It usually means that the user, once authenticated, will have an account on the backend, and can access to the account on which they have authenticated for. That would mean that you need to have a backend for the user accounts and an API which will do the password check for the users. and once authenticated, will give access to the user to only their account.
In your case, you just want that the user gets access to the chatbot’s conversation. In that case, you need to have an API for password check, which will take the user’s credentials (email/username and password), from within the chatbot and validate it using that API. and then use the conditional jump to check the response of the API and take the user to one or another gambit. A Deadend gambit or a re-try login gambit, if the authetication is invalidated, OR to the real conversation if all good.
This is same as what @Levi suggested, but you are asking the user for the password one more time, within the conversation to make sure it cannot be used by someone with the URL of the chatbot, or the unique userid of some other account.
3 Likes
@vinit
Thank you for your answer. Yes, this is the setup we are contemplating. We use ProductDyno as a membership solution with ThriveCart as a payment processor.
ProductDyno has API comm capabilities and can also be used to protect external static pages.
Will test and come back here to update.
4 Likes