I have Rasa-X set up on a server using the Quick Install and can send messages through the REST API to Rasa (which land in Rasa-X as being in the “rest” channel). However, this channel is not protected, and anyone is able to post to it.
It got me scratching my head that authentication via the token only applies to HTTP APIs that grab the model, such as api/projects/default/models/tags/production, but not ones like /webhooks/<channel>/webhook. This means that my rest channel is exposed.
I’ve looked a lot into ways to authenticate this channel but have found nothing that works. I attempted to implement a custom channel as implemented in this thread: RASA Custom Connector keep giving custom response - #5 by athenasaurav since the implementation in the docs was throwing errors.
However, adding an access token to the credentials did not work, and I can still access both /webhooks/myio/webhook from anywhere.
I also don’t quite understand how to implement Token-Based Auth (as explained here: Rasa Open Source HTTP API) in the docker-compose file from the Quick Install.
Can anyone give me some pointers here? I’m pretty sure there is something I’m missing.
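
An added example, not part of the original post and not Rasa's own code: in a custom connector, a token placed in the credentials is enforced only if the webhook handler itself checks it, which the connector below does before handing the message to Rasa. The channel name myio comes from the post; the access_token credentials key, the Bearer header scheme and the message/sender body fields are assumptions.

```python
import hmac

try:
    from rasa.core.channels.channel import CollectingOutputChannel, InputChannel, UserMessage
    from sanic import Blueprint, response
except ImportError:  # keeps token_ok() importable where Rasa is absent
    InputChannel = object


def token_ok(auth_header, expected):
    """True only for 'Bearer <token>' matching the configured token."""
    if not expected or not auth_header:
        return False  # fail closed: no configured token means no access
    scheme, _, presented = auth_header.partition(" ")
    if scheme.lower() != "bearer":
        return False
    # constant-time comparison avoids leaking the token through timing
    return hmac.compare_digest(presented.strip().encode(), expected.encode())


# Served by Rasa at /webhooks/myio/webhook
class MyIO(InputChannel):
    def __init__(self, access_token=None):
        self.access_token = access_token

    @classmethod
    def name(cls):
        return "myio"

    @classmethod
    def from_credentials(cls, credentials):
        # 'access_token' is an assumed key name in credentials.yml
        return cls((credentials or {}).get("access_token"))

    def blueprint(self, on_new_message):
        bp = Blueprint("myio_webhook", __name__)

        @bp.route("/webhook", methods=["POST"])
        async def receive(request):
            if not token_ok(request.headers.get("Authorization"), self.access_token):
                return response.json({"error": "unauthorized"}, status=401)
            body = request.json or {}  # assumed fields: "sender", "message"
            collector = CollectingOutputChannel()
            await on_new_message(UserMessage(
                body.get("message"), collector, body.get("sender"),
                input_channel=self.name()))
            return response.json(collector.messages)

        return bp
```

Rasa loads a custom connector when credentials.yml has an entry keyed by the class's module path (for example a hypothetical custom_channels.myio.MyIO), with access_token set beneath it.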