Adjust app_secret details

Author: Ben Brown

changelog.md

@@ -12,6 +12,9 @@ Add `controller.handleWebhookPayload()` to process a raw webhook payload and ing
 
 Make stale connection detection configurable [PR #505](https://github.com/howdyai/botkit/pull/505)
 
+DDOS Vulnerability Fix - Secure Facebook Webhook [PR #555](https://github.com/howdyai/botkit/pull/555)
+
+
 Bug fixes:
 
 Fix an issue where a custom redirect_uri would be rejected by Slack's oauth verification

facebook_bot.js

@@ -25,7 +25,7 @@ This bot demonstrates many of the core features of Botkit:
 
   Run your bot from the command line:
 
-    page_token=<MY PAGE TOKEN> verify_token=<MY_VERIFY_TOKEN> node facebook_bot.js [--lt [--ltsubdomain LOCALTUNNEL_SUBDOMAIN]]
+    app_secret=<MY APP SECRET> page_token=<MY PAGE TOKEN> verify_token=<MY_VERIFY_TOKEN> node facebook_bot.js [--lt [--ltsubdomain LOCALTUNNEL_SUBDOMAIN]]
 
   Use the --lt option to make your bot available on the web through localtunnel.me.
 
@@ -104,7 +104,7 @@ var controller = Botkit.facebookbot({
     log: true,
     access_token: process.env.page_token,
     verify_token: process.env.verify_token,
-    app_secret: process.env.app_secret
+    app_secret: process.env.app_secret,
     validate_requests: true, // Refuse any requests that don't come from FB on your receive webhook, must provide FB_APP_SECRET in environment variables
 });
 

lib/Facebook.js

@@ -496,7 +496,7 @@ function Facebookbot(configuration) {
       if (expected !== calculated) {
         throw new Error("Invalid signature on incoming request");
       } else {
-        facebook_botkit.debug('** X-Hub Verification successful!')
+        // facebook_botkit.debug('** X-Hub Verification successful!')
       }
     }