Authenticating users

By default, Fernand's widget doesn't know the identity of the users interacting in widget. If you are dealing with logged in users, you can pass the "user" parameter to authenticate them.

Fernand('set', {
    user: {
        name: 'Richard',
        email: 'richard@piedpiper.com'
    }
})

In this scenario, whenever the user opens a new chat session, they won't be asked to provide their email or their name. They will be automatically identified, and all their previous conversations linked to Fernand, either via chat or email, listed in the Messages view.

To prevent bad actors from impersonating your users and passing any email to our widget through Javascript, we rely on the HMAC+SHA256 algorithm. You can sign and hash the user email, and pass it as the hash parameter using the secret key available in your Fernand's dashboard.

When receiving the hash, we'll hash the email you provided with the same key and compare the resulting hash with the one you provided. If they match, we'll consider the email valid and verified.

We consider that you took the necessary steps to validate your user's email, so make sure your users can't impersonate anyone by simply signing up with any email address and not having to verify their account.

Finding your secret key

You can find your secret key in Fernand's dashboard, under Settings → Channels, and then scrolling down to the Support widget section.

Click on "Show advanced settings", and you'll see the key to use for securing the emails under the "Authenticating users" section.

Hashing an email

To hash an email, you will need to use the HMAC+SHA256 mechanism.

We provide an example in Python, which is easily implemented, but you can do the same in all major programming languages.

import hmac, hashlib

hmac_digest = hmac.new(
    key='6fdc0085d97cc621edcc0333fd93ef220f0eb1ce'.encode(),
    msg='richard@piedpiper.com'.encode(),
    digestmod=hashlib.sha256
).hexdigest()

print(hmac_digest)  # fc3cf30c76a8b5c1c875b79c53a36bd8e2d653a1ec00c11fff538583ef759244

This hashing should be done server-side
Be careful not to put your key on the frontend of your application. If a visitor can access the key, they will be able to hash any email and impersonate other users.

Then, you can add this hash into the user's object like the following code example:

Fernand('set', {
    user: {
        name: 'Richard',
        email: 'richard@piedpiper.com',
        hash: 'fc3cf30c76a8b5c1c875b79c53a36bd8e2d653a1ec00c11fff538583ef759244'
    }
})

Be careful that the hash is case sensitive. If you hash with an email having uppercase letters, but set the "email" property in lower case, the hashes won't match.

Need help setting this up?

We appreciate this is a bit technical and could be a source of questions. If anything is unclear, please feel free to reach out at support@improvmx.com or.. on the widget in the bottom right, and we'll be right with you 🙂

Was this helpful?