mirror of
https://we.phorge.it/source/phorge.git
synced 2025-01-18 10:41:08 +01:00
e96c363eef
Summary: Provides a working SMS implementation with support for Twilio. This version doesn't really retry if we get any gruff at all. Future versions should retry. Test Plan: used bin/sms to send messages and look at them. Reviewers: chad, epriestley Reviewed By: epriestley Subscribers: aurelijus, epriestley, Korvin Maniphest Tasks: T920 Differential Revision: https://secure.phabricator.com/D8930
66 lines
2.8 KiB
ReStructuredText
Executable file
66 lines
2.8 KiB
ReStructuredText
Executable file
===========================
|
|
Validate Incoming Requests
|
|
===========================
|
|
|
|
Twilio requires that your TwiML-serving web server be open to the public. This is necessary so that Twilio can retrieve TwiML from urls and POST data back to your server.
|
|
|
|
However, there may be people out there trying to spoof the Twilio service. Luckily, there's an easy way to validate that incoming requests are from Twilio and Twilio alone.
|
|
|
|
An `indepth guide <http://www.twilio.com/docs/security>`_ to our security features can be found in our online documentation.
|
|
|
|
Before you can validate requests, you'll need four pieces of information
|
|
|
|
* your Twilio Auth Token
|
|
* the POST data for the request
|
|
* the requested URL
|
|
* the X-Twilio-Signature header value
|
|
|
|
Get your Auth Token from the `Twilio User Dashboard <https://www.twilio.com/user/account>`_.
|
|
|
|
Obtaining the other three pieces of information depends on the framework of your choosing. I will assume that you have the POST data as an array and the url and X-Twilio-Signature as strings.
|
|
|
|
The below example will print out a confirmation message if the request is actually from Twilio.com
|
|
|
|
.. code-block:: php
|
|
|
|
// Your auth token from twilio.com/user/account
|
|
$authToken = '12345';
|
|
|
|
// Download the twilio-php library from twilio.com/docs/php/install, include it
|
|
// here
|
|
require_once('/path/to/twilio-php/Services/Twilio.php');
|
|
$validator = new Services_Twilio_RequestValidator($authToken);
|
|
|
|
// The Twilio request URL. You may be able to retrieve this from
|
|
// $_SERVER['SCRIPT_URI']
|
|
$url = 'https://mycompany.com/myapp.php?foo=1&bar=2';
|
|
|
|
// The post variables in the Twilio request. You may be able to use
|
|
// $postVars = $_POST
|
|
$postVars = array(
|
|
'CallSid' => 'CA1234567890ABCDE',
|
|
'Caller' => '+14158675309',
|
|
'Digits' => '1234',
|
|
'From' => '+14158675309',
|
|
'To' => '+18005551212'
|
|
);
|
|
|
|
// The X-Twilio-Signature header - in PHP this should be
|
|
// $_SERVER["HTTP_X_TWILIO_SIGNATURE"];
|
|
$signature = 'RSOYDt4T1cUTdK1PDd93/VVr8B8=';
|
|
|
|
if ($validator->validate($signature, $url, $postVars)) {
|
|
echo "Confirmed to have come from Twilio.";
|
|
} else {
|
|
echo "NOT VALID. It might have been spoofed!";
|
|
}
|
|
|
|
Trailing Slashes
|
|
==================
|
|
|
|
If your URL uses an "index" page, such as index.php or index.html to handle the request, such as: https://mycompany.com/twilio where the real page is served from https://mycompany.com/twilio/index.php, then Apache or PHP may rewrite that URL a little bit so it's got a trailing slash... https://mycompany.com/twilio/ for example.
|
|
|
|
Using the code above, or similar code in another language, you could end up with an incorrect hash because, Twilio built the hash using https://mycompany.com/twilio and you may have built the hash using https://mycompany.com/twilio/.
|
|
|
|
|
|
|