I am using Twilio Voice API to make calls. The flow is that a user initiates an action on my site, we then send a request to Twilio API via the twilio object in the ruby gem. This object contains the
'from' number , 'to' number , 'url'
The 'url' is my API end point, which looks something like this
.../api/v1/users/here
From here, I route the request to one of my controllers' actions to serve up a twiml to play.
My question is: How can I ensure that ONLY TWILIO is able to ping this api endpoint?
a) Is there some kind of identifier in Twilio's request that I can use to validate source?
b) I am using Grape gem to set up the api endpoint. Can I do something with the grape gem for this purpose?
Twilio evangelist here.
Twilio has a special header we send called X-Twilio-Signature that allows you to validate that the webhook request is only coming from Twilio.
The Ruby helper library includes a piece of middleware that you can plug in to check for this header and perform the validation. Check out this blog post for more info:
https://www.twilio.com/blog/2014/09/securing-your-ruby-webhooks-with-rack-middleware.html
Hope that helps
A simple way to do this is with an API token. Pick a nice, random string and set up your Twilio URL to include ?token=abcd1234, then on your server, verify that the token is present. Anyone else hitting your endpoint won't have it, so you know it must be Twilio.
Related
https://github.com/TwilioDevEd/voice-javascript-sdk-quickstart-node
I have referred to the standard Twilio example to make a call from the browser, I was able to implement calling.
const call = await device.connect({ params });
where params are the body of the post request, But is there any way where we can attach a header to this post request?
Twilio developer evangelist here.
Using the SDK to start a call isn't an HTTP request. It results in a webhook request from Twilio to your application, but that is different to the initial request from the SDK. You can use the SDK to pass POST request parameters as you have seen, but you cannot pass headers.
If you are trying to pass an Authorization header, then I assume you are trying to ensure that only requests from Twilio are accepted by your application. There's already a way to do this.
Twilio sends an X-Twilio-Signature header with each webhook request. The signature is made up of the contents of the request signed with your Twilio auth token. You can read how this works in depth here.
Alternatively, you can add username:password# to the start of the webhook URL and Twilio will authenticate via HTTP authentication.
I'm trying to reconcile Twilio's advice and security best practices.
I initially wrote the app using SID and auth-token.
https://www.twilio.com/docs/usage/rest-api-best-practices says:
"we recommend the use of API Keys"
So I'm converting the python helper rest client to initialize using api key/secret
and since this is a webhook auth, following this security practice:
https://www.twilio.com/docs/usage/security#validating-requests
Using:
https://www.twilio.com/docs/usage/tutorials/how-to-secure-your-flask-app-by-validating-incoming-twilio-requests
However, this only seems to support auth_token
Does this mean there is no way to use API keys in a webhook app?
It seems silly to bother with API key secrets in app config if I'm also having to set the auth_token secret as well.
Twilio employee here 👋
Looks like you've spotted an inconsistency in our guidance. You are correct: if your app receives incoming webhooks from Twilio and you want to validate the signature of those incoming requests, you cannot use API keys to do so - you must use your account's Auth Token.
I just fixed the first doc you linked to so it reflects that guidance. Thank you for raising this with us and my apologies for the inconsistency in our docs!
We are using twilio to send/receive SMS messages. We have a webhook configured to receive the messages sent by a customer. We want to validate if the request infact originated from twilio. I was going through the documentation and found that there is a method called validated in twilio sdk. For some reason we are not using the sdk. So we want to validate it by ourself. Can anyone please tell me how to validate?
You can do it yourself without the SDK if you wish.
In short, you'll have to use https for your webhooks when configuring at Twilio, and, on your server side, validate a signature which Twilio sends as a header X-Twilio-Signature when making the request.
Computing the signature means to re-assemble the request data and compute a hash using your Twilio account AuthToken.
This is explained in more details on Twilio's docs here:
https://www.twilio.com/docs/usage/security#validating-requests
I'm looking to have the webhook which I pass back TwiML whenever there's a call coming inbound pass me the call's SID so in the future I can modify that active in-bound call. For example, (480)-000-000 is calling my Twilio number which then sets off the webhook to retrieve the TwiML. My server will then also get the SID for that call coming in, and send back TwiML to play lobby music. From then my server will have the SID stored into an array for people in the lobby. And one by one connect them with agents as they become open.
Twilio developer evangelist here.
Good news, every webhook for an incoming voice call to your Twilio number includes the CallSid in the request parameters.
The parameters are sent to your URL as URL encoded form data so if you're using a web framework it should be fairly straightforward to read the CallSid from the request.
Let me know if that helps!
I am creating outbound SMS communication and need to set a cookie so I can track the conversation thread. I'm using the Twilio-charp client and did not see a way to set a cookie or and http header. Is this possible or do I need to pursue a different route?
Edit:
I need to elucidate here. In my scenario I need to set a cookie with a transaction id that needs to included in the originating outbound message. For example I will be creating an SMS message that will request a response from the user: "Text (1) to approve, (2) to decline".
The Twilio sample code details a page that receives a message, checks for a cookie, then creates one if it does not already exist. In my scenario I need the cookie to be in the outbound message.
I contacted support at Twilio and they stated that cookies can not be sent with their REST API. Cookies can be exchanged from the response endpoint that you create where you set the http header.
This means that you must wait for the user to reply to your first message before you can insert cookies to the http headers.
You can definitely set a cookie to track the conversation thread. Details and sample code can be found here under Twilio's .NET (C#) quickstarts: http://www.twilio.com/docs/quickstart/csharp/sms/tracking-conversations