
I am trying to validate that an HTTP POST request to an AWS Lambda function URL from a Twilio HTTP Request widget inside a Twilio Studio flow truly originated from Twilio. I am using the Node.js Twilio client library, which provides the validateRequest method to accomplish what I am after. The content-type header in the Twilio Studio flow's HTTP Request widget is set to application/json.

The problem is that I am passing in the "x-twilio-signature" header, the URL, Twilio auth token, and POST params to the validateRequest method and it always returns false. Below is the code snippet used to try and accomplish this.

const authToken = process.env.twilio_auth_token
const sid = process.env.twilio_account_sid
const client = require('twilio')
exports.handler = (event) => {
  let twilioSignature = event.headers['x-twilio-signature']
  let requestBody = event.body
  let requestUrl = 'https://my-function-url.io/'
  
  let requestIsValid = client.validateRequest(authToken, twilioSignature, requestUrl, requestBody)

  if(requestIsValid){
    console.log('valid request')
  } else {
    console.log('invalid request')
  }
}

1 Answer


Seems like someone else had a similar issue in the past. I copied parts of the answer here:

The issue here is that query string parameters are treated differently to POST body parameters when generating the signature.

Notably part 3 of the steps used to generate the request signature says:

If your request is a POST, Twilio takes all the POST fields, sorts them alphabetically by their name, and concatenates the parameter name and value to the end of the URL (with no delimiter).

IObert
  • I have done this and the request is still not valid. Under "A Few Notes" on this page, twilio.com/docs/usage/security#validating-requests, it mentions not to include the JSON body to fill in the validator's params when the content-type header is set to application/json. What should take its place? @IObert – jipchik Nov 02 '22 at 21:04
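
An added example, not part of the original posts and not the twilio library's own code: a standalone Node.js sketch of the check for the application/json case raised in the comment above. It follows the scheme quoted in the answer (HMAC-SHA1 over the URL, base64-encoded) and assumes, per Twilio's validation notes, that JSON requests carry a bodySHA256 query parameter that is signed as part of the URL. The function names, token, URL and body are constructed for illustration.

```javascript
// Added example: uses only Node's built-in crypto, not the twilio package.
const { createHmac, createHash, timingSafeEqual } = require('crypto');

// Scheme quoted in the answer: URL + sorted form fields (name then value,
// no delimiter), HMAC-SHA1 keyed with the auth token, base64-encoded.
function expectedSignature(authToken, url, formParams = {}) {
  const data = Object.keys(formParams).sort()
    .reduce((acc, key) => acc + key + formParams[key], url);
  return createHmac('sha1', authToken).update(Buffer.from(data, 'utf8')).digest('base64');
}

// Constant-time comparison so a mismatch does not leak how many bytes matched.
function safeEqual(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && timingSafeEqual(x, y);
}

// JSON case: the body is NOT passed as form params. The signature covers the
// full URL including its bodySHA256 query parameter, and that parameter must
// equal the SHA-256 hex digest of the raw, unparsed body.
function validateJsonRequest(authToken, signatureHeader, fullUrl, rawBody) {
  if (!signatureHeader) return false;
  const claimed = new URL(fullUrl).searchParams.get('bodySHA256');
  if (!claimed) return false;
  const actual = createHash('sha256').update(Buffer.from(rawBody, 'utf8')).digest('hex');
  return safeEqual(expectedSignature(authToken, fullUrl), signatureHeader)
    && safeEqual(actual, claimed);
}

// Constructed sample (placeholder token, URL and body; not real Twilio traffic).
function demo() {
  const token = 'test_auth_token_placeholder';
  const base = 'https://my-function-url.io/';
  const body = '{"flow":"example","digits":"1"}';
  const hash = createHash('sha256').update(body).digest('hex');
  const url = `${base}?bodySHA256=${hash}`;
  const sig = expectedSignature(token, url); // what the sender would compute
  return {
    valid: validateJsonRequest(token, sig, url, body),
    tamperedBody: validateJsonRequest(token, sig, url, body.replace('"1"', '"2"')),
    queryDropped: validateJsonRequest(token, sig, base, body),
    // The approach from the question: bare URL plus the body's fields as params.
    bodyAsParams: safeEqual(expectedSignature(token, base, JSON.parse(body)), sig),
  };
}
```

In a Lambda function URL handler this means rebuilding the URL with event.rawQueryString and hashing the raw event.body (base64-decoded first when event.isBase64Encoded is true). The twilio package exposes validateRequestWithBody(authToken, signature, url, body) for the same check.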