Reputation: 65
I want to use HTTP basic authentication to password protect the status callback endpoint for programmable SMS. On the initial request from Twilio, which does not have an Authorization header, I send back a status code of 401 with the WWW-Authenticate header set to "Basic realm='some realm'". However, I do not receive a following request from Twilio with an Authorization header.
refer: https://www.twilio.com/docs/usage/security#http-authentication
```javascript
// Send sms with status callback
const twilio = require('twilio');
// Client authenticated with an API key/secret rather than the account auth token
const client = twilio(process.env.TWILIO_API_KEY, process.env.TWILIO_API_SECRET, {
  accountSid: process.env.TWILIO_ACCOUNT_SID,
});

const details = await client.messages
  .create({
    body: 'This is the ship that made the Kessel Run in fourteen parsecs?',
    from: 'TEST',
    to: '......',
    // basic-auth credentials are embedded in the callback URL
    statusCallback: `https://user123:[email protected]/status`
  })
```
Lambda response headers from logs:

```
Method response headers: {WWW-Authenticate=Basic realm='Validate twilio request', Content-Type=application/xml}
```
Note: The reason as to why basic authentication is needed is to validate the authenticity of the request using the provided username and password. I am not using the X-Twilio-Signature HTTP header as I do not have access to the auth token to validate the request and am using api keys to make requests.
Upvotes: 2
Views: 681
Reputation: 65
@Alan's answer led me to investigate further on the headers returned by API Gateway. The 'WWW-Authenticate' headers that the lambda returned had been remapped by API Gateway (learn more here: https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-known-issues.html)
The solution was to implement a lambda authorizer to intercept the request and do the necessary authentication, i.e. check for the Authorization header. The lambda authorizer then allows or denies the request from passing on to the lambda method.
Upvotes: 0
Reputation: 10771
I tested with Ngrok (w/authentication enabled) with Twilio statusCallback basic authentication configured and it works. Try modifying your response headers to see if that changes anything.
Ngrok returns the below response headers:
```
HTTP/1.1 401 Unauthorized
Content-Length: 20
Content-Type: text/plain
Www-Authenticate: Basic realm="ngrok"
```
Upvotes: 2