I am playing around with developing a chatbot on facebook messenger platform. I went through the Facebook document and couldn't find how to protect my webhook from random calls.
For example, if users can buy stuff with my bots, an attacker that knows someone's userId can start placing unauthorized orders by making calls to my webhook.
I have several ideas on how to protect this.
1) Whitelist my api to only calls from facebook.
2) Create something like CSRF tokens with the postback calls.
Any ideas?
Facebook has of course already implemented a mechanism by which you can check if requests made to your callback URL are genuine (everything else would just be negligence on their part) – see https://developers.facebook.com/docs/graph-api/webhooks#receiveupdates:
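As an added example (not part of the original answer), here is a Python check of the mechanism the answer points to: Facebook sends an HMAC of the raw POST body, keyed with the app secret, in the `X-Hub-Signature` header (`sha1=<hex>`) and, on newer API versions, in `X-Hub-Signature-256` (`sha256=<hex>`). The app secret, request body and header values below are constructed placeholders, and the check runs over the raw bytes before any JSON parsing.

```python
import hashlib
import hmac

# Signature headers Facebook attaches to webhook deliveries, with the
# scheme prefix each carries and the digest used to compute it.
SIGNATURE_HEADERS = {
    "X-Hub-Signature-256": ("sha256", hashlib.sha256),
    "X-Hub-Signature": ("sha1", hashlib.sha1),
}


def compute_signature(app_secret: str, raw_body: bytes, digestmod=hashlib.sha256) -> str:
    """Hex HMAC of the raw request body keyed with the app secret."""
    return hmac.new(app_secret.encode("utf-8"), raw_body, digestmod).hexdigest()


def sign(app_secret: str, raw_body: bytes, header: str = "X-Hub-Signature-256") -> dict:
    """Build the header Facebook would send for this body (used here only to construct test input)."""
    prefix, digestmod = SIGNATURE_HEADERS[header]
    return {header: f"{prefix}={compute_signature(app_secret, raw_body, digestmod)}"}


def verify_webhook(headers: dict, raw_body: bytes, app_secret: str) -> bool:
    """Return True only if a signature header matches the raw body.

    Verify before parsing the JSON: the sender id inside the body is only
    trustworthy once the HMAC proves Facebook produced the request.
    """
    lowered = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    for header, (prefix, digestmod) in SIGNATURE_HEADERS.items():
        value = lowered.get(header.lower())
        if not value:
            continue
        scheme, sep, received = value.partition("=")
        if sep != "=" or scheme != prefix:
            return False  # malformed header: treat as forged
        expected = compute_signature(app_secret, raw_body, digestmod)
        # Constant-time comparison so response timing does not leak the digest.
        return hmac.compare_digest(expected, received.lower())
    return False  # unsigned request: reject rather than trust the body


# Constructed sample delivery (not real Facebook traffic) for a local run.
APP_SECRET = "example-app-secret"  # placeholder, load the real secret from configuration
SAMPLE_BODY = b'{"object":"page","entry":[{"messaging":[{"sender":{"id":"123"},"postback":{"payload":"BUY_ITEM_42"}}]}]}'
SAMPLE_HEADERS = {"Content-Type": "application/json", **sign(APP_SECRET, SAMPLE_BODY)}

if __name__ == "__main__":
    print("genuine:", verify_webhook(SAMPLE_HEADERS, SAMPLE_BODY, APP_SECRET))
    print("forged :", verify_webhook(SAMPLE_HEADERS, SAMPLE_BODY.replace(b'"123"', b'"999"'), APP_SECRET))
```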