[#202] validate HMAC from twilio on requests to /twilioSms endpoint
Closes #202 (closed)
Context:
-
/twilioSms
is the only api endpoint we have that does not check for the presence of an API token to authenticate (because twilio will never be able to produce one) - we defend from injection attacks by validating the content of any messages we parse off the wire on this endpoint (and only accept messages) that appear to be valid Signal verification messages
- however, a savvy attacker could craft POST params with bogus messages and pass validation, potentially enabling them to block us from ever successfully registering phone numbers
- to prevent this (and generally ensure confidence that only twilio may hit this endpoint at all), we validate the HMAC signature that twilio includes in the header of all of its requests, according to the schema provided here: https://www.twilio.com/docs/usage/security#validating-requests
How to verify this MR:
Normal requests via twilio work...
$ boost create-number -n 1 -u signalboost.ngrok.io
--- checking environment...
--- provisioning 1 number(s) with area code (unspecified) at url signalboost.ngrok.io
[
{
"status": "VERIFIED",
"phoneNumber": "+17816184009",
"twilioSid": "PN9c7de1e5b316a7c9168de4fdb4cc952d"
}
]
Forged requests get a 401...
$ curl -s -X POST -H "X-Twilio-Signature: foo" -F "foo=bar" https://signalboost.ngrok.io/twilioSms
{"error":"Not Authorized"}