Messenger JavaScript SDK Token

I am currently building a client app with the Messenger JavaScript SDK and it seems that I can use the same token at any time to go back and look at the history of a conversation. Is that correct? Or will that chat eventually expire? My concern is that a bad actor could guess (or capture) the token I create and then use it to view the entire conversation later.

So basically, if I use the below code, every time I use it, I seem to be able to see the same chat history.

    {
        action: "configureSession",
        deploymentId: "<deployment_id>",
        token: "<some_token>"
    }

My question is: is there a way to expire this chat so it cannot be reopened? Using a close command is not an option, as these will be sensitive chats, so a user may "quick exit" or close the tab in a hurry, and I cannot rely on a clean close. I'm hoping there is some backend expiry that I am unaware of.

Hi,

I am currently building a client app with the Messenger JavaScript SDK and it seems that I can use the same token at any time to go back and look at the history of a conversation. Is that correct?

Yes, as long as the session is active.

Or will that chat eventually expire?

It will automatically expire after 72 hours from the last message sent.
See (https://developer.genesys.cloud/commdigital/digital/webmessaging/websocketapi#web-messaging-sessions).
This time to live is a fixed value that currently cannot be changed.

Hope this helps,

Regards,
V.P.

Thanks, vpirat,

Do you have any thoughts on workarounds for this? Our chats are extremely sensitive (and anonymous), so a hacker or another person getting hold of that token and reading messages could be devastating, and I'm trying to find a solution that would allow for that. Unfortunately, user authentication is not possible in this situation.

Related to this thread > Deprecation & Removal - ACD Chat v1.0 - #3 by Angelo_Cicchitto

I was thinking about the following.
I don't know if this could work, but if you're listening to Messenger events and register for a session-start event, you could right away delete the key _actmu holding the session token in local storage, to prevent any further access.

I can't guarantee that this will work, with or without side effects, nor that this will be supported by Care.
If not, then you'll have to wait for upcoming features or open a feature request.

Best regards,
V.P.
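The "delete the local key on session start" idea from the reply above, written out as an added example that is not code from the thread or from the Genesys SDK. It assumes a generic `subscribe(eventName, handler)` call standing in for whatever event subscription the Messenger SDK exposes (the session-start event name is a placeholder, not a documented SDK event), a `storage` object with the Web Storage interface (`getItem`/`removeItem`), and an optional page-lifecycle hook so a hurried tab close also triggers the purge. The storage and event bus used to exercise it are constructed stand-ins so the file runs offline.

```javascript
// Added example, not from the forum thread or the Genesys Messenger SDK.
// Assumptions (labelled, not confirmed by the thread):
//   - `subscribe(eventName, handler)` stands in for the SDK's event subscription;
//     the session-start event name below is a placeholder.
//   - `storage` follows the Web Storage interface (getItem/removeItem).

const SESSION_TOKEN_KEY = "_actmu"; // local-storage key named in the thread
const SESSION_START_EVENT = "SESSION_START_EVENT_PLACEHOLDER"; // assumption

// Remove the stored session token. Returns true if a token was present,
// so a caller (or a test) can tell whether anything was actually purged.
function purgeSessionToken(storage, key = SESSION_TOKEN_KEY) {
  const hadToken = storage.getItem(key) !== null;
  if (hadToken) storage.removeItem(key);
  return hadToken;
}

// Wire the purge to (a) the session-start event, so the token does not
// linger on the device once the conversation is established, and (b) page
// teardown, as a best-effort fallback for a hurried tab close. Returns the
// purge function so a visible "quick exit" button can call it directly.
function registerQuickExit({ subscribe, storage, addPageListener = null, sessionStartEvent = SESSION_START_EVENT }) {
  const purge = () => purgeSessionToken(storage);
  subscribe(sessionStartEvent, purge);
  if (addPageListener) addPageListener("pagehide", purge);
  return purge;
}

// Constructed in-memory stand-in for window.localStorage (runs outside a browser).
function makeFakeStorage(initial = {}) {
  const map = new Map(Object.entries(initial));
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

// Constructed stand-in for an event bus: records handlers and lets the caller fire them.
function makeFakeBus() {
  const handlers = new Map();
  return {
    subscribe: (name, fn) => { handlers.set(name, fn); },
    emit: (name) => { const fn = handlers.get(name); if (fn) fn(); },
  };
}

// Scenario 1: token stored, session starts, token is gone from local storage.
function demoSessionStart() {
  const storage = makeFakeStorage({ _actmu: "constructed-session-token" });
  const bus = makeFakeBus();
  registerQuickExit({ subscribe: bus.subscribe, storage });
  const beforeStart = storage.getItem(SESSION_TOKEN_KEY) !== null;
  bus.emit(SESSION_START_EVENT);
  const afterStart = storage.getItem(SESSION_TOKEN_KEY) !== null;
  return { beforeStart, afterStart };
}

// Scenario 2: the start event never fires, but page teardown does.
function demoPageHide() {
  const storage = makeFakeStorage({ _actmu: "constructed-session-token" });
  const bus = makeFakeBus();
  const pageEvents = makeFakeBus();
  registerQuickExit({ subscribe: bus.subscribe, storage, addPageListener: pageEvents.subscribe });
  pageEvents.emit("pagehide");
  return storage.getItem(SESSION_TOKEN_KEY) === null;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demoSessionStart(), demoPageHide());
}
```

Deleting the key only removes the token from that device's local storage; the token itself stays valid on the server side until the fixed 72-hour time to live described earlier in the thread, and, as the next reply points out, a teardown handler may not fire at all on an abrupt close, so treat the fallback as best-effort rather than a guarantee.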

Thanks, it's a good suggestion, but unfortunately these are anonymous counselling sessions, so potentially the wrong person gets the device (and the 72-hour history), and that could be bad. There is that slight chance they close the session on a train or something, the local deletion of the session key doesn't fire, the session stays open, and then it can be accessed.

@CM_H we plan to make the Guest Session configurable to values smaller than 72 hours (down to 15 mins), which might help here > Genesys Cloud Ideas Portal
This would make it possible to mimic the more synchronous Chat behavior that some customers are trying to replicate.