Merge pull request #3 from mvazquezrius/webhooks-json-examples

Samples for: Validating webhooks with JSON body

Author: CristhianMotoche

security/signature_validation/signature_validation.10.x.java

@@ -5,10 +5,10 @@
 import com.twilio.security.RequestValidator;
 
 public class Example {
-  public static void main(String[] args) {
-    // Your Auth Token from twilio.com/user/account
-    public static final String AUTH_TOKEN = System.getenv("TWILIO_AUTH_TOKEN");
-
+  // Your Auth Token from twilio.com/user/account
+  public static final String AUTH_TOKEN = System.getenv("TWILIO_AUTH_TOKEN");
+    
+  public static void main(String[] args) throws java.net.URISyntaxException {
     // Initialize the request validator
     RequestValidator validator = new RequestValidator(AUTH_TOKEN);
 

security/signature_validation_json/meta.json

@@ -0,0 +1,4 @@
+{
+  "title": "Validate Signature of Request (application/json body)",
+  "type": "server"
+}

security/signature_validation_json/signature_validation_json.1.x.go

@@ -0,0 +1,32 @@
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/twilio/twilio-go/client"
+)
+
+func main() {
+	// Your Auth Token from twilio.com/console
+	authToken := os.Getenv("TWILIO_AUTH_TOKEN")
+
+	// Initialize the request validator
+	requestValidator := client.NewRequestValidator(authToken)
+
+	// Store Twilio's request URL (the url of your webhook) as a variable
+	// including all query parameters
+	url := "https://example.com/myapp?bodySHA256=5ccde7145dfb8f56479710896586cb9d5911809d83afbe34627818790db0aec9"
+
+	// Store the application/json body from Twilio's request as a variable
+	// In practice, this MUST include all received parameters, not a
+	// hardcoded list of parameters that you receive today. New parameters
+	// may be added without notice.
+	body :=  []byte("{\"CallSid\":\"CA1234567890ABCDE\",\"Caller\":\"+12349013030\"}")
+
+	// Store the X-Twilio-Signature header attached to the request as a variable
+	signature := "hqeF3G9Hrnv6/R0jOhoYDD2PPUs="
+
+	// Check if the incoming signature is valid for your application URL and the incoming parameters
+	fmt.Println(requestValidator.ValidateBody(url, body, signature))
+}

security/signature_validation_json/signature_validation_json.10.x.java

@@ -0,0 +1,28 @@
+// Install the Java helper library from twilio.com/docs/java/install
+import com.twilio.security.RequestValidator;
+
+public class Example {
+  // Your Auth Token from twilio.com/user/account
+  public static final String AUTH_TOKEN = System.getenv("TWILIO_AUTH_TOKEN");
+
+  public static void main(String[] args) throws java.net.URISyntaxException {
+    // Initialize the request validator
+    RequestValidator validator = new RequestValidator(AUTH_TOKEN);
+
+    // Store Twilio's request URL (the url of your webhook) as a variable
+    // including all query parameters
+    String url = "https://example.com/myapp?bodySHA256=5ccde7145dfb8f56479710896586cb9d5911809d83afbe34627818790db0aec9";
+
+    // Store the application/json body from Twilio's request as a variable
+    // In practice, this MUST include all received parameters, not a
+    // hardcoded list of parameters that you receive today. New parameters
+    // may be added without notice.
+    String body = "{\"CallSid\":\"CA1234567890ABCDE\",\"Caller\":\"+12349013030\"}";
+
+    // Store the X-Twilio-Signature header attached to the request as a variable
+    String twilioSignature = "hqeF3G9Hrnv6/R0jOhoYDD2PPUs=";
+
+    // Check if the incoming signature is valid for your application URL and the incoming body
+    System.out.println(validator.validate(url, body, twilioSignature));
+  }
+}

security/signature_validation_json/signature_validation_json.5.x.js

@@ -0,0 +1,21 @@
+// Get twilio-node from twilio.com/docs/libraries/node
+const client = require('twilio');
+
+// Your Auth Token from twilio.com/console
+const authToken = process.env.TWILIO_AUTH_TOKEN;
+
+// Store Twilio's request URL (the url of your webhook) as a variable
+// including all query parameters
+const url = 'https://example.com/myapp?bodySHA256=5ccde7145dfb8f56479710896586cb9d5911809d83afbe34627818790db0aec9';
+
+// Store the application/json body from Twilio's request as a variable
+// In practice, this MUST include all received parameters, not a
+// hardcoded list of parameters that you receive today. New parameters
+// may be added without notice.
+const body = "{\"CallSid\":\"CA1234567890ABCDE\",\"Caller\":\"+12349013030\"}";
+
+// Store the X-Twilio-Signature header attached to the request as a variable
+const twilioSignature = 'hqeF3G9Hrnv6/R0jOhoYDD2PPUs=';
+
+// Check if the incoming signature is valid for your application URL and the incoming body
+console.log(client.validateRequestWithBody(authToken, twilioSignature, url, body));

security/signature_validation_json/signature_validation_json.6.x.cs

@@ -0,0 +1,34 @@
+// Download the twilio-csharp library from
+// https://www.twilio.com/docs/libraries/csharp#installation
+using System;
+using System.Collections.Generic;
+using Twilio.Security;
+
+class Example
+{
+    static void Main(string[] args)
+    {
+        // Your Auth Token from twilio.com/console
+        const string authToken = Environment.GetEnvironmentVariable("TWILIO_AUTH_TOKEN");
+
+        // Initialize the request validator
+        var validator = new RequestValidator(authToken);
+
+        // Store Twilio's request URL (the url of your webhook) as a variable
+        // including all query parameters
+        const string url = "https://example.com/myapp?bodySHA256=5ccde7145dfb8f56479710896586cb9d5911809d83afbe34627818790db0aec9";
+
+        // Store the application/json body from Twilio's request as a variable
+        // In practice, this MUST include all received parameters, not a
+        // hardcoded list of parameters that you receive today. New parameters
+        // may be added without notice.
+        const string body = "{\"CallSid\":\"CA1234567890ABCDE\",\"Caller\":\"+12349013030\"}";
+
+
+        // Store the X-Twilio-Signature header attached to the request as a variable
+        const string twilioSignature = "hqeF3G9Hrnv6/R0jOhoYDD2PPUs=";
+
+        // Check if the incoming signature is valid for your application URL and the incoming body
+        Console.WriteLine(validator.Validate(url, body, twilioSignature));
+    }
+}

security/signature_validation_json/signature_validation_json.7.x.rb

@@ -0,0 +1,24 @@
+# Get twilio-ruby from twilio.com/docs/ruby/install
+require 'rubygems' # This line not needed for ruby > 1.8
+require 'twilio-ruby'
+
+# Get your Auth Token from https://www.twilio.com/console
+auth_token = ENV['TWILIO_AUTH_TOKEN']
+
+#  Initialize the request validator
+validator = Twilio::Security::RequestValidator.new(auth_token)
+
+# Store Twilio's request URL (the url of your webhook) as a variable
+url = 'https://example.com/myapp?bodySHA256=5ccde7145dfb8f56479710896586cb9d5911809d83afbe34627818790db0aec9'
+
+# Store the application/json body from Twilio's request as a variable
+# In practice, this MUST include all received parameters, not a
+# hardcoded list of parameters that you receive today. New parameters
+# may be added without notice.
+body = '{"CallSid":"CA1234567890ABCDE","Caller":"+12349013030"}'
+
+# Store the X-Twilio-Signature header attached to the request as a variable
+twilio_signature = 'hqeF3G9Hrnv6/R0jOhoYDD2PPUs='
+
+# Check if the incoming signature is valid for your application URL and the incoming body
+puts validator.validate(url, body, twilio_signature)

security/signature_validation_json/signature_validation_json.8.x.php

@@ -0,0 +1,36 @@
+<?php
+// NOTE: This example uses the next generation Twilio helper library - for more
+// information on how to download and install this version, visit
+// https://www.twilio.com/docs/libraries/php
+require_once '/path/to/vendor/autoload.php';
+
+use Twilio\Security\RequestValidator;
+
+// Your auth token from twilio.com/user/account
+$token = getenv("TWILIO_AUTH_TOKEN");
+
+// The X-Twilio-Signature header - in PHP this should be
+// You may be able to use $signature = $_SERVER["HTTP_X_TWILIO_SIGNATURE"];
+$signature = 'hqeF3G9Hrnv6/R0jOhoYDD2PPUs=';
+
+// Initialize the request validator
+$validator = new RequestValidator($token);
+
+// Store Twilio's request URL (the url of your webhook) as a variable
+// including all query parameters
+// You may be able to use $url = $_SERVER['SCRIPT_URI']
+$url = 'https://example.com/myapp?bodySHA256=5ccde7145dfb8f56479710896586cb9d5911809d83afbe34627818790db0aec9';
+
+// Store the application/json body from Twilio's request as a variable
+// In practice, this MUST include all received parameters, not a
+// hardcoded list of parameters that you receive today. New parameters
+// may be added without notice.
+// You may be able to use $body = $_POST
+$body = "{\"CallSid\":\"CA1234567890ABCDE\",\"Caller\":\"+12349013030\"}";
+
+// Check if the incoming signature is valid for your application URL and the incoming parameters
+if ($validator->validate($signature, $url, $body)) {
+  echo "Confirmed to have come from Twilio.";
+} else {
+  echo "NOT VALID. It might have been spoofed!";
+}

security/signature_validation_json/signature_validation_json.9.x.py

@@ -0,0 +1,25 @@
+import os
+# Download the twilio-python library from twilio.com/docs/python/install
+from twilio.request_validator import RequestValidator
+
+# Your Auth Token from twilio.com/user/account
+auth_token = os.environ['TWILIO_AUTH_TOKEN']
+
+# Initialize the request validator
+validator = RequestValidator(auth_token)
+
+# Store Twilio's request URL (the url of your webhook) as a variable
+# including all query parameters
+url = 'https://example.com/myapp?bodySHA256=5ccde7145dfb8f56479710896586cb9d5911809d83afbe34627818790db0aec9'
+
+# Store the application/json body from Twilio's request as a variable
+# In practice, this MUST include all received parameters, not a
+# hardcoded list of parameters that you receive today. New parameters
+# may be added without notice.
+body = """{"CallSid":"CA1234567890ABCDE","Caller":"+12349013030"}"""
+
+# Store the X-Twilio-Signature header attached to the request as a variable
+twilio_signature = 'hqeF3G9Hrnv6/R0jOhoYDD2PPUs='
+
+# Check if the incoming signature is valid for your application URL and the incoming body
+print(validator.validate(url, body, twilio_signature))

security/signature_validation_json_tests/meta.json

@@ -0,0 +1,4 @@
+{
+  "title": "Test Request Signature Validation (application/json body)",
+  "type": "server"
+}