Twilio SDK Not Validating Signature

[dcaponi]

Hi - Please see details below

The Setup

I'm catching requests from Twilio on a SvelteKit API endpoint. I get the request and all the goodies off of it just fine with the following code

const validateExtractMessage = (url: URL, request: Request): TwilioMessage => {
  const twilio_sig = request.headers.get('x-twilio-signature') ?? '';

  const from = url.searchParams.get('From');
  const text = url.searchParams.get('Body');
  const sms_sid = url.searchParams.get('MessageSid');

  const params: Record<string, string> = {};
  url.searchParams.forEach((value, key) => {
    params[key] = value
  });

  const messageRequestValid = twilio.validateRequest(
    TWILIO_AUTH_CREDENTIAL,
    twilio_sig,
    url.toString(),
    params
  );

  console.log("twilio valid", messageRequestValid)
  return { from, text, sms_sid, twilio_sig, messageRequestValid }
}

The Problem

I've logged out every variable and everything looks correct, and according to all the documentation I could find this seems to be the correct way to validate a signature. I know I have the correct auth credential exported to my environment as I can send texts no problem. The signature is definitely there and all I got from the docs was to send back the url.toString() and params like so.

According to the security docs Im supposed to be sending back like so

const params = {
  CallSid: 'CA1234567890ABCDE',
  Caller: '+12349013030',
  Digits: '1234',
  From: '+12349013030',
  To: '+18005551212',
};

however my requests dont have digits or callers (Is there a messaging centric doc I should be looking at 🤔)? I also noticed a Very subtle callout that these need to be alphabetized?

Then, sort the list of POST variables by the parameter name (using Unix-style case-sensitive sorting order):

What I tried

1. The code you see above
2. Setting the url to be my callback url configured in the portal without trailing slash
3. passing {} for params, alphabetizing params.

If there's a fix or if this is a known issue I'd really appreciate it.

[manisha1997]

Can you please mention the version where you found this bug? With the latest release, we have been introduced a fix for twilio signature validation. https://github.com/twilio/twilio-node/releases/tag/5.4.3

[dcaponi]

Can you please mention the version where you found this bug? With the latest release, we have been introduced a fix for twilio signature validation. https://github.com/twilio/twilio-node/releases/tag/5.4.3

I'm on 5.4.2 so I suppose a bump is required in order to catch your fix.

[dcaponi]

@manisha1997 it looks like that wasn't it. Same code as above now running 5.4.3 and it still comes back as invalid.

[leon19]

Hi @dcaponi, are you using a URL without a path as a callback?

For example, something like https://example.com?

The validate function relies on new URL(), so when you do new URL("https://example.com").toString(), you'll get https://example.com/ (mind the ending /), meaning that the URL the Twilio server is using to sign the request is not the same that the validation function is using.

Adding a path or an ending slash to your URL callback should fix your issue.

[dcaponi]

Hey @leon19

Are you using a URL without a path as a callback?

No, the callback URL I entered into the Messaging Configuration section for my number is https://example.com/callback

Adding a path or an ending slash to your URL callback should fix your issue.

I did try that to no avail though. The URL with the / isn't even being hit on my app side. I did try just setting the url to whatever I have configured in the Twilio dashboard as well (without trailing slash or query params)

const messageRequestValid = twilio.validateRequest(
    TWILIO_AUTH_CREDENTIAL,
    twilio_sig,
    "https://example.com/callback",
    alphabetizeParams(params)
);

[dcaponi]

So anyway if I had to guess, one or more of the following must be happening -

• Twilio's backend is creating a signature from all the params I get back in the query string in some order that is not alphabetical or as is when I unpack the query params.
  • I'd try to crack this myself but there's something like 19 params and 19! combinations which would take me like 300 years to figure out 😅
• the backend is generating the signature from some subset of those params.
• the backend is creating the signature from some other params that Im not getting back with the request.

Im fairly certain if there's any guidance in addition to the existing security doc that's focused on SMS validation (this one seems to be focused on call validation and the advice given isn't helping) that outlines the params (in order) required for signature validation that would pretty much get me over the hump and I can stop worrying about hackers pinging the crap out of my webhook and I have no way of knowing if its coming from Twilio 🙂

[manisha1997]

Hello @dcaponi , I will debug this issue to find why the signature is not being validated.
Thanks for the patience!

[github-actions]

This issue is stale because it has been open for 30 days with no activity. Please remove stale label or comment or this issue will be closed in 30 days.

[juancarrey]

Hello @dcaponi, apologies for the late answer.

The main problem I see in the provided code is the addition of query-params into params map.

The differentiation between params & query-params is important here:

• query-params come in the URL and they will be present when doing url.toString()
• params on the other hand, come in the body as form-urlencoded, to extract this you could potentially use request.formData() if I am not mistaken.

The requested params parameter in twilio.validateRequest(...) function are ALL the incoming body-params and the url param is what you correctly set as url.toString() which is the full URL with all query-params as-is. Internally, the validateRequest function already orders params as expected.

We should be clarifying in the documentation how this differentiation affects the signature and to make it clearer where each thing comes from.

[gabrielgrover]

I am seeing the same issue. Here my code. It fails at the last if statement. Same situation. I know it's not an invalid secret, because I am able to send message from the same environment.

    // Get the Twilio signature from headers
    const twilioSignature = req.headers.get("X-Twilio-Signature");

    if (!twilioSignature) {
      logger.info(`Twilio signature not found in header`);
      return new Response(null, { status: 200 });
    }

    // Get the request body
    const [reqErr, body] = await to(req.text());

    if (reqErr) {
      logger.error(`Failed to parse body.  ${reqErr.message}`, {
        url: req.url,
      });
      return new Response(`Webhook error: ${reqErr.message}`, { status: 500 });
    }

    // Parse the form data from the body
    const [formErr, formData] = toResultTuple(() => {
      const params = new URLSearchParams(body);
      return Object.fromEntries(params.entries());
    });

    if (formErr) {
      logger.error(`Failed to parse form data. ${formErr.message}`, {
        url: req.url,
      });
      return new Response(`Webhook error: ${formErr.message}`, { status: 500 });
    }

    // Validate the Twilio signature
    const url = req.url;
    const isValid = twilio.validateRequest(
      twilioAuthToken,
      twilioSignature,
      url,
      formData,
    );

    if (!isValid) {
      logger.error(`Failed to verify Twilio signature`, {
        url: req.url,
      });
      return new Response(`Webhook error: Invalid signature`, { status: 403 });
    }