chipchat-tokens-to-google-secretmanager-mixin

Store Authentication tokens of ChatShipper in Google Cloud Secret Storage

ChatShipper uses access tokens (token and refreshToken) to gain access to the api. You normally pass them when you initilialize the sdk like this:

const Sdk = require('chipchat');
const api = new Sdk({ token: 'your access token', refreshToken: 'your refresh token'})

You get these tokens via the interface of ChatShipper by going to the user or bot that you want to use when accessing the api and in it's properties panel you can generate tokens.

These tokens expire though. And altough the chipchat sdk will automatically refresh the tokens for you when the access token expires, it only remembers those new tokens while the app is running. When you restart it will use the old tokens again that you passed to the initilialization process. Which will work as long as the refreshToken is valid, which is a month (at the moment)

So you need some way to store the (new) tokens somewhere save and reuse them. Tokens give access and should be kept very save. Do not commit tokens to github or put them in env variable even.

Big cloud platforms like Google or AWS have special secret stores where you can savely store tokens.

This package uses the Google Secret Manager to store the tokens. It does so by overwriting the special chipchat functions getTokens and setTokens via a mixin to add the store to google secrets functionality.

You need to have basic understandings of the Google platform and have your service account file with sufficient rights to the project stored locally.

Before you can use this, you have to set the _tokens in the store from the CLI (terminal) with:

#first we export some stuff to make the command more readable

export GOOGLE_APPLICATION_CREDENTIALS=/full/path/to/serviceaccountfile.json   #Get access to your project
# security tip: add a space in front of the tokens to prevent them from being stored in your (bash) history
 export TOKEN=<paste your access token here>
 export REFRESHTOKEN=<paste your refresh token here>
export WPROJECT=<type the name of the project in google where you will create the secret and the service account has acces to>
export BOTID=<paste the bot id here>
export CONCERSATION=<paste a conversation id (from CS UI) here. we will retrieve this conv as an example>

#then create the secret holding the bots tokens:
echo -n '{"token":"'$TOKEN'", "refreshToken":"'$REFRESHTOKEN'"}' | gcloud secrets create ${BOTID}_tokens \
  --data-file=- --replication-policy automatic --project $WPROJECT

or even easier while in the cs2-bots/bot dir call the scripts/addsecret script.

Now that you have got you tokens in the store, lets use them via the mixin module like this:

const ChipChat = require('chipchat');
const { getTokens, setTokens } = require('chipchat-tokens-to-google-secretmanager-mixin');

ChipChat.mixin({ getTokens, setTokens });

// The bots email is needed to request new tokens
// and to get and store the tokens in/from the google secrest store.
// The bots user id that is found in
// the properties panel of the bot (if you are the bot owner)

const email = `bot+${process.env.BOTID}@chatshipper.com`;
const bot = new ChipChat({ email }); // no need for tokens, they will be retrieved from the secret store now

// As an example we will get a conversation and dump it to the console.
const conversationid = process.env.CONVERSATION;
bot.conversations.get(conversationid).then(console.log);

install the needed packages and test with node version 10 (use nvm) or higher:

npm init # enter enter enter etc
npm i -s chipchat chipchat-tokens-to-google-secretmanager-mixin
DEBUG=* node test.js