This is regarding incoming SMS from a mobile phone via Twilio.
When testing with Postman (and I append the header with a Bearer JWT token I received from my app), everything works fine and my app can recognise the request.
But sending an SMS results in a 401 error, as my endpoints are not reachable. Are there any proven ways of doing this, or do I have to hack my app to bypass incoming requests from Twilio and just allow every request that comes from that Twilio number?
Please help!
Twilio developer evangelist here.
Twilio will not send a bearer token JWT in requests because it doesn't know to authenticate with your application like that.
You will need to bypass the JWT check for requests from Twilio. If you're using express that should be straightforward and if you share some code we can look into how to make that happen for your app. On the up side, there are other security methods you can put in place instead.
Twilio supports HTTP authentication via basic or digest auth. If you can set the endpoint in your app to require authentication in this way instead, then it can be secured.
You can also check against the X-Twilio-Signature header that is sent with every request to validate that the request came from Twilio. There is a guide on how to validate Twilio requests in Node.js with Express.
Related
What are the keys of username/ password in webhook connect header response? I tried with username/ password/ X-DocuSign-Password/ X-DocuSign-UserName but is not
The webhook connect response is sent from DocuSign to your web server following events that occurred, based on your configuration.
No password is ever going to be sent from DocuSign.
You may be referring to the header that was used in the past to make API calls before OAuth 2.0 was implemented. That is an insecure way to authenticate and therefore no longer allowed for new applications that are under development.
The popular SMS service Twilio allows the application to receive a status callback for downstream message events after sending an SMS message by calling the Twilio API.
Our application utilizes both basic auth and passport.js to manage users and sessions and to protect routes.
What's the correct way to protect the POST route that receives the status callbacks from Twilio, since these callbacks will not be authenticated or signed?
(In other words, trying to protect the route that receives the POST from Twilio on callback currently returns a 401. Removing the authentication obviously allows the request to be received and processed, but leaves the route unprotected.)
This webhook will definitely need to be a public endpoint. Usually for webhooks you will get a signed header that will enable you to verify that the message is legit.
If this is not the case, what you can do is to create a middleware that compares the MessageSid that you receive on the callback with the sid that you got when you made the request to generate the sms.
In case the message doesn't have a MessageSid, or the MessageSid does not match any in your database, you give an unauthorized response.
You have a couple of options detailed here:
Security
For Express and validating Twilio Webhooks, there is a good blog below.
How to secure Twilio webhook URLs in Node.js
I'm new to microservice architecture. In general, we have an application broken into microservices. I was advised to use an API Gateway as a client request router. I chose the Express-Gateway. And that's what I want to do: I need that when an unauthorized user sends a request, the request is redirected to the authorization service. On the authorization service the SMS code would be validated and then a JWT would be generated. This token would be sent to the client and saved in the Express-Gateway system. In the future, Express-Gateway would check the token and, upon successful validation, redirect requests to other services. How can I implement such a solution, or are there other options? I just don't like Express-Gateway's Consumers Management System, and I need my own authentication logic.
I'm trying to authenticate with a third party API using OAuth 2 via a NodeJS + Express REST API. We're doing this through a ReactJS webapp.
The current flow is that we send a request to our Express API from the front-end with the Fetch API, with a username as parameter.
This request builds an authUrl object containing a redirect_url and then responds with
return res.redirect(authUrl);
When we initiate this endpoint straight from the browser, we get redirected to the Third Party API, and after authenticating, a user is successfully created.
But the problem arises when we try to send a request to this endpoint from the front-end.
We added CORS headers to our Express app so we can reach this endpoint, but it still gave us the following error:
Fetch API cannot load OUR ENDPOINT. Redirect from 'OUR ENDPOINT' to 'THIRD PARTY API' has been blocked by CORS policy: Request requires preflight, which is disallowed to follow cross-origin redirect.
When we just do a res.json(authUrl) instead of res.redirect(authUrl) we retrieve a proper response containing the URL. But redirecting doesn't seem to work.
We experimented a bit with different headers but can't seem to find a suitable solution.
So we were wondering: does res.redirect() handle requests differently? Are we implementing the OAuth flow properly? Do we need specific headers?
Any help would be welcome!
Summary of our flow:
Browser receives request for front-end
User enters his name and clicks the signup button
Our Rest API receives the request and builds an authentication url
Rest API sends a response that redirects the browser to the authurl.
After successful authentication, third party sends a confirmation to the callback endpoint of our Rest API.
With the confirmation, the Rest API then sends another request to the third Party API.
Rest API sends a response back to ReactJS app with the token.
How do I pass the value of JWT from my node js backend to android/ios frontend?
Should it be stored in my mongoDB database to be picked up each time by the frontend?
I am not getting your problem. When the user logs in, the JWT is sent from the node backend, and your android device will store it and, for every request, send the JWT to authenticate.
Typically for mobile apps, if you're trying to get a JWT from your node.js server, it is passed as a response to an API request.
One pattern if you're using JWT for authentication is that the client will make a request to the node.js API at /authenticate, for example, which will send back the JWT in the response body if authentication was successful. The client can then pass this token with subsequent requests to show that it has been authenticated; the server will parse the JWT to determine whether it is valid.
There's a great article on this here: https://scotch.io/tutorials/authenticate-a-node-js-api-with-json-web-tokens