Is it possible to add a header to a mandrill webhook for inbound emails? - mandrill

In the inbound emails section, it said in the docs that when an email is received, it will forward the email through a POST request, so I should have an endpoint that will receive these POST requests. The thing is, we want the POST request sent by Mandrill to have specific header values, possibly a token to verify it's from Mandrill. Otherwise, I think anyone will be able to spam us with fake POST requests. Is it possible to add a custom header?

It's not currently possible to add a custom header for POSTs. Mandrill does, however, offer webhook authentication so you know it's coming from Mandrill and hasn't been modified.

Related

How to validate X-TWILIO-SIGNATURE

We are using Twilio to send/receive SMS messages. We have a webhook configured to receive the messages sent by a customer. We want to validate if the request in fact originated from Twilio. I was going through the documentation and found that there is a method called validated in the Twilio SDK. For some reason we are not using the SDK. So we want to validate it by ourselves. Can anyone please tell me how to validate?
You can do it yourself without the SDK if you wish.
In short, you'll have to use https for your webhooks when configuring at Twilio, and, on your server side, validate a signature which Twilio sends as a header X-Twilio-Signature when making the request.
Computing the signature means to re-assemble the request data and compute a hash using your Twilio account AuthToken.
This is explained in more detail in Twilio's docs here:
https://www.twilio.com/docs/usage/security#validating-requests

How do I access request headers in a rails API?

I'm struggling to access headers sent to my API in Grape. In my test specs I am sending a GET request with an email in a header. I want to extract the email sent in the header as it hits the API and record it in an instance of my Audit model. However I can't access the header here through request.headers, any idea what I can do?

SurveyMonkey Webhook - Response expected

From the docs at https://developer.surveymonkey.net/api/v3/#webhooks and trying out the feature I understand that webhooks first do a HEAD and then POST call to my webhook receiver public API.
Does the webhook POST callback to my receiver API require a response from it?
Many webhooks pay attention to responses and re-send requests if the application errors out. Just wanted to understand how SurveyMonkey deals with responses.
Perhaps this should be specified in the documentation, but no, SurveyMonkey doesn't expect a response, as in it doesn't expect any particular body returned to us.
That said it does expect you to return a 2xx HTTP status code (which is usually automatically handled by any web server framework you use).

How to ensure only Twilio hits my api endpoint?

I am using Twilio Voice API to make calls. The flow is that a user initiates an action on my site, we then send a request to Twilio API via the twilio object in the ruby gem. This object contains the
'from' number , 'to' number , 'url'
The 'url' is my API end point, which looks something like this
.../api/v1/users/here
From here, I route the request to one of my controllers' actions to serve up a twiml to play.
My question is: How can I ensure that ONLY TWILIO is able to ping this api endpoint?
a) Is there some kind of identifier in Twilio's request that I can use to validate source?
b) I am using Grape gem to set up the api endpoint. Can I do something with the grape gem for this purpose?
Twilio evangelist here.
Twilio has a special header we send called X-Twilio-Signature that allows you to validate that the webhook request is only coming from Twilio.
The Ruby helper library includes a piece of middleware that you can plug in to check for this header and perform the validation. Check out this blog post for more info:
https://www.twilio.com/blog/2014/09/securing-your-ruby-webhooks-with-rack-middleware.html
Hope that helps
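As an added example (not code from any of the posts, from Twilio or from Mandrill), this is the X-Twilio-Signature check described in this answer and in the earlier "How to validate X-TWILIO-SIGNATURE" answer, done without the SDK for a form-encoded POST. Mandrill's webhook authentication from the first answer documents the same construction, with the webhook's key in place of the AuthToken and the X-Mandrill-Signature header. The token, URL and parameters are constructed sample values, and the function names are hypothetical.

```ruby
require 'openssl'

# String that is signed for a form-encoded POST: the full webhook URL exactly
# as configured at the provider (scheme, host, path, query), followed by each
# POST parameter's name and value, sorted by name, with no delimiters.
def string_to_sign(url, params)
  params.sort_by { |k, _| k.to_s }
        .reduce(url.dup) { |acc, (k, v)| acc << k.to_s << v.to_s }
end

# HMAC-SHA1 keyed with the AuthToken, then Base64 without line breaks.
def expected_signature(auth_token, url, params)
  digest = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), auth_token,
                                string_to_sign(url, params))
  [digest].pack('m0')
end

# Comparison whose run time does not depend on where the first mismatch is.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |diff, (x, y)| diff | (x ^ y) }.zero?
end

# header_value is the raw signature header taken from the incoming request.
# Reject when it is missing instead of treating "no header" as "no check".
def valid_webhook?(auth_token, url, params, header_value)
  return false if header_value.nil? || header_value.empty?
  secure_equal?(expected_signature(auth_token, url, params), header_value)
end

# Constructed sample request (not real credentials or numbers).
SAMPLE_TOKEN  = 'constructed-auth-token'
SAMPLE_URL    = 'https://example.com/api/v1/sms'
SAMPLE_PARAMS = { 'To' => '+15550100', 'From' => '+15550101', 'Body' => 'hello' }

if __FILE__ == $PROGRAM_NAME
  good = expected_signature(SAMPLE_TOKEN, SAMPLE_URL, SAMPLE_PARAMS)
  tampered = SAMPLE_PARAMS.merge('Body' => 'approve')
  puts valid_webhook?(SAMPLE_TOKEN, SAMPLE_URL, SAMPLE_PARAMS, good)
  puts valid_webhook?(SAMPLE_TOKEN, SAMPLE_URL, tampered, good)
end
```

Behind a TLS-terminating proxy, build the URL from the address configured at the provider rather than from what the application server sees; a scheme or host mismatch changes the signed string and every request fails validation.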
A simple way to do this is with an API token. Pick a nice, random string and set up your Twilio URL to include ?token=abcd1234, then on your server, verify that the token is present. Anyone else hitting your endpoint won't have it, so you know it must be Twilio.

Is it possible to send a cookie with a SMSMessage using the Twilio-csharp / TwilioRestClient?

I am creating outbound SMS communication and need to set a cookie so I can track the conversation thread. I'm using the Twilio-csharp client and did not see a way to set a cookie or an HTTP header. Is this possible or do I need to pursue a different route?
Edit:
I need to elucidate here. In my scenario I need to set a cookie with a transaction id that needs to be included in the originating outbound message. For example I will be creating an SMS message that will request a response from the user: "Text (1) to approve, (2) to decline".
The Twilio sample code details a page that receives a message, checks for a cookie, then creates one if it does not already exist. In my scenario I need the cookie to be in the outbound message.
I contacted support at Twilio and they stated that cookies can not be sent with their REST API. Cookies can be exchanged from the response endpoint that you create where you set the http header.
This means that you must wait for the user to reply to your first message before you can insert cookies to the http headers.
You can definitely set a cookie to track the conversation thread. Details and sample code can be found here under Twilio's .NET (C#) quickstarts: http://www.twilio.com/docs/quickstart/csharp/sms/tracking-conversations
