Twilio - X-Twilio-Signature - Incoming request Validation

Question

I use the below code for validation incoming request, if it is really coming from Twilio.

The url is,

http://example.xom/twilio/getCallForwardResponse/phoneId=1&orgId=1&Called=%2B16032944666&ToState=NH&CallerCountry=US&Direction=inbound&CallerState=NH&ToZip=03801&CallSid=CA3070631fb96644ca8cb6e3ad4ffe75d5&To=%2B16032944666&CallerZip=03038&ToCountry=US&ApiVersion=2010-04-01&CalledZip=03801&CalledCity=PORTSMOUTH&CallStatus=ringing&From=%2B17037750000&AccountSid=ACASN

We use get & POST method.

We get the expectedSignature as follows,

String expectedSignature = request.getHeader("X-Twilio-Signature");

Request URl is,

    String serverUrl = request.getRequestURL().toString()+"/"+request.getQueryString();

// Since we use GET, it will be empty and it is working fine.
Map<String,String> tempParams = new HashMap<String,String>();

TwilioUtils util = new TwilioUtils("AUTH_TOKEN_OF_USER");
                    boolean validationResult = util.validateRequest(expectedSignature, serverUrl, tempParams);

For POST it is not working. Code for POST,

------------ EDIT ---------------------

    // Check twilio header ...
    String expectedSignature = request.getHeader("X-Twilio-Signature");

    // These are the post params twilio sent in its request
    Map<String, String> params = null;

    String serverUrl = null;
    serverUrl = PROTOCOL + "://" + request.getServerName() + request.getRequestURI() + "?" + request.getQueryString();
    if (request.getMethod().equalsIgnoreCase("POST")) {
       params = new HashMap<String, String>();
       Enumeration<String> reqParams = request.getParameterNames();
       LOGGER.info("NUMBER OF PARAMS ===>>>> " + request.getParameterMap().size());

       int i = 1;
       while (reqParams.hasMoreElements()) {
       String paramName = reqParams.nextElement();
       String paramValue = request.getParameter(paramName);

       LOGGER.info("KKKKK KEY is {}, value is {} count {}", paramName, paramValue, i);

       params.put(paramName, paramValue);
       i = i + 1;
      }

       String queryString = request.getQueryString();

       if (! StringUtils.isEmpty(queryString)) {

          String[] parameters = queryString.split("&");
             for (String parameter : parameters) {
                String[] keyValuePair = parameter.split("=");
                params.remove(keyValuePair[0]);
                LOGGER.info("===>>>> Removing KEY {} ", keyValuePair[0]);
             }
          }
          LOGGER.info("NUMBER OF PARAMS COUNT FINAL ===>>>> " + params.size());
        }
}

 TwilioUtils util = new TwilioUtils(authToken);
                    boolean validationResult = util.validateRequest(expectedSignature, serverUrl, params);

It always returns false. Am I doing anything wrong.

Answer 1

I would recommend outputting your serverUrl once you create it.

Based on this: HttpServletRequest to complete URL

It seems that getQueryString() does not include the ? and you need to add it yourself.

---Edit---

In your original question you said that you were doing gets. If you are doing posts, Map tempParams = new HashMap(); is not correct because you are creating a blank map and not actually capturing the post parameters.

Try either: Map params = RestContext.request.params; (How to get SMS request via twilio)

or

Map tempParams = getAllRequestParams(httpRequest); (Twilio - Validating Incoming Callback Request - Java)

Based on the second answer, it looks like the any query parameters that you set (does your post back url have a ?something=something in your twilio console or code?) need to be included in the serverUrl, but removed trom the tempParams.