How can you verify an incoming Twilio sms? - security

I basically am trying to allow users to post to their blog using a text message. I have a phone number stored for each user, and since twilio sends that information in the post request they hand to my page, I can do a reverse lookup to see which blog to post it to. The question now arises, how can I be sure that the user sent the text? Can't anyone just send post information with someone else's phone number?
I have a couple thoughts about this:
1. Twilio sends your account number in the post, which I suppose isn't known to malicious users.
2. I could respond with an SMS containing a randomly generated code, and have the user send that back. This would effectively triple the SMSs needed, so I would prefer the first.
Is number one "safe enough"? Or should I bite the bullet and make a response system as in number two?

You can verify that requests are coming from Twilio. We attach an X-Twilio-Signature header to each request which is signed with your Auth Token (which should be known only by you). Each of the Twilio helper libraries has a function to help determine if the request was made by Twilio or not.
Please see our documentation on validating requests: http://www.twilio.com/docs/security#validating-requests
or our helper library functions for validating Twilio requests: http://readthedocs.org/docs/twilio-php/en/latest/usage/validation.html#validate-incoming-requests, for example.

Related

Pass query parameter while making POST request from twilio webhook

When the call ends, I want to send data to Microsoft teams. For that purpose, I am making a POST request using the Twilio webhook. I have added the link for HTTP request in CALL STATUS CHANGES. But I also want to send data collected during calls. Is there any way to do that?
Article here(https://www.twilio.com/docs/usage/webhooks/voice-webhooks) doesn't mention anything about passing data.
My POST request URI looks something like this:-
https://xyz?Name=Himanshu&Phone=1234567890
I want Name and Phone data to be collected from Memory.
Twilio developer evangelist here.
When Twilio sends a webhook request about a voice call it will send a whole bunch of parameters including CallSid, To, From (the number the user called from), AccountSid, CallStatus and more, all of which are listed here.
I would not recommend making the Twilio webhook directly to Microsoft Teams as Twilio expects there to be a response to the request. Also, Twilio cannot know the name of your caller either.
Instead, I would recommend setting up the webhook request to go to your own application where you can parse out the data you need from the request, collect other data like name, and then make the request to Teams to complete your interaction.

Twilio Functions - forward sms to email?

I want to forward any sms messages incoming to my Twilio (virtual) number to an email address using Twilio functions. How would I go about that?
Twilio developer evangelist here.
You absolutely can forward incoming SMS messages to email using Twilio Functions. I actually wrote a blog post on how to forward SMS as email. This particular post uses the SendGrid API to send the message, the full code is available, with instructions, on GitHub.
If you wanted to use a different service to send the email you can. There is a pull request right now that I need to review where someone added SparkPost support. As long as you have a service that you can call as an HTTP API, then you can use the code and just adjust the payload.
Let me know if that helps at all.
So, I've been doing some research on this, and found this info:
Whenever a message is sent to a Twilio number, an HTTP request is also sent to the Twilio server, and this server saves the message that was sent to the number.
To access the message that server is holding, we are using the code below.
// Requires the `twilio` npm package: npm install twilio
const MessagingResponse = require('twilio').twiml.MessagingResponse;
const response = new MessagingResponse();
// <Message> element: the SMS Twilio sends back to the sender
const message = response.message();
message.body('Hello World!');
// <Redirect> element: Twilio fetches further TwiML from this URL
response.redirect('https://demo.twilio.com/sms/welcome'); // you need to have your own document
// Print the TwiML document your webhook should return
console.log(response.toString());
The message is redirected to the link we have specified there, and it must be a Twilio link; you can create a link from here.
And all you have to do is read the message and enjoy it! For more info, please see https://www.twilio.com/docs/api/twiml/sms/your_response

How to associate sendgrid webhook sg_message_id to sent mail?

Sendgrid webhook has sg_message_id
But the response of Web API v2 when sending mail doesn't have sg_message_id.
In fact, there is only a message showing success or failure.
So, how do I associate the sent mail with the webhook callback?
I have checked the past questions on SO but they don't provide the solution for this.
Thank you.
You can use unique arguments. Take your unique ID (like a primary key) and give it to the SendGrid API when sending the email. You will get it back in the event webhook.
https://sendgrid.com/docs/API_Reference/SMTP_API/unique_arguments.html
EDIT: The best practice seems to be using custom arguments (see documentation). Which is not apparent from the documentation (as of today).
In Web API v3, the response includes a special header X-Message-Id (see https://sendgrid.com/docs/Glossary/x_message_id.html).
This can be later matched with sg_message_id in webhook: https://sendgrid.com/docs/Glossary/message_id.html
The documentation does not make it clear, but the X-Message-Id header is actually not equal to sg_message_id, but it is a prefix of sg_message_id.
For example:
X-Message-Id = "MUvGg3V1ThOu3oe8eRqFrA"
sg_message_id = "MUvGg3V1ThOu3oe8eRqFrA.filter0001p2iad2-21183-5AF0BD9B-E.0"
The Web APIv2 call that sends out the email only responds with a {message :"success"} answer indeed, but the sg_message_id is not generated at that point. The API call answer simply acknowledges that the email was sent to SendGrid for processing.
The email is sent to SendGrid, and there it receives the sg_message_id value that is provided through the Event Webhook posts.

SMTP Client - Send hidden information that can come back in a reply

I am using the nodemailer SMTP node module, a simple way to send emails through SMTP.
I am using this to send out text messages to various cell carriers, which will allow you to send a text message for free via email. An example email address, which will text the Sprint phone (310) 987-6543:
3109876543@messaging.sprintpcs.com
These are all going out through one SMTP email address. This means all text replies from someone's phone will channel back to my email address.
A lot of people send these texts. I want to route the reply text back to the right person, using my own server side code.
The problem is distinguishing where the text came from. Ideally I could hide my own primary key ID for the sender in some sort of SMTP header, which would arrive at the recipients phone and come straight back in their text reply.
I don't really know anything about SMTP or email protocols - is this possible?
edit
As given in each of the answers below, better email servers let you address mail to an email address plus an extension to that address, such as:
// original email
sms-service@mysite.com
// extension
sms-service+a6e1087b@mysite.com
This would be a correct answer and would solve my problem, if only this worked in Exchange Server, which is the email server I am using. I don't know if there is a way to enable this or any other workaround.
Exchange Server doesn't support plus addressing natively, but it is possible to achieve this with a custom MTA, e.g. http://durdle.com/regexcatchall/
Source: https://serverfault.com/questions/195276/does-exchange-support-plussed-users-e-g-mynamespamexample-com-or-a-similar
Here are a few approaches that you might be able to use:
Unique from addresses
You could use a unique "from" or "reply-to" address for each message (or for each recipient). For example "sms-service+a6e1087b@mysite.com". In that example, the hex would be a unique identifier that can be mapped to the conversation in your database.
Gmail supports such a scheme: emails targeted to [foo]+[whatever]@gmail.com will be delivered to [foo]@gmail.com and the receiver will also get the [whatever] back. (more on this http://lifehacker.com/144397/instant-disposable-gmail-addresses)
Identify the user, not the conversation
One option is to not identify the conversation, but identify the phone number the reply comes back from instead. In many cases, the number the SMS reply was sent from is enough to connect that message to the conversation. I'm sure the SMS gateway you're using will provide you with the number the reply came from.
Commercial SMS gateway
You can also opt to use a commercial SMS gateway (smsglobal.com comes to mind, though there are many others). These services have well defined APIs for sending and receiving replies. This naturally comes at a price, though. But along with the price, you do get more confidence as to the reliability of the service. A free SMS gateway might get shut down without much warning.
This common problem is traditionally implemented using the semantics of From: and Reply-To: headers of e-mails. This is in fact not (directly) related to SMTP, but rather to ARPA network text messages.
RFC 5322 is the current specification of these messages. It states:
When the "Reply-To:" field is present, it indicates the address(es) to which the author of the message suggests that replies be sent. In the absence of the "Reply-To:" field, replies SHOULD by default be sent to the mailbox(es) specified in the "From:" field unless otherwise specified by the person composing the reply.
So you simply need to encode the information you need into the Reply-To: header. Since you mention your own server-side code, you might be running an SMTP server yourself. In this case, you can put any address that will be routed to your SMTP server and encode the right person's address there.
Alternatively, if you rely on another SMTP server, you might want to use aliases. Postfix, and mail services such as GMail, typically allow address extensions, i.e. addresses of the form user+foo@domain.com, and you can encode the necessary information in the address extension.
For example, let's say that alice@domain.com wants to send a text to Sprint phone (310) 987-6543 through your service, you could send an e-mail to 3109876543@messaging.sprintpcs.com with:
Reply-To: alice%40domain.com@yourservice.com
Alternatively:
Reply-To: yourservice+alice%40domain.com@gmail.com
This will allow you to route the reply properly by looking at the destination of the reply e-mail.

Twilio SMS reply in node.js

I'm writing a mobile notification system using twilio in node.js and I am currently able to send SMS messages to users. But I would like users to reply back with a response. I would need to gather the phone number the user sent the text from as well as the contents of the message (to query my mongoosedb)
I couldn't find much info on this so any help is appreciated.
Twilio evangelist here.
Check out this blog post which introduces you to our Node helper. If you scroll down to the section titled "Generating TwiML to handle inbound calls and SMS", it will walk you through receiving an SMS message from Twilio.
The basic idea is that when your user replies to your message, Twilio is going to tell you that by making an HTTP request to some URL that you have configured for your Twilio phone number. That URL is some endpoint that you have created in your Node app.
As part of that request, Twilio is going to pass some form parameters to you. You're going to use the request object that is passed into the POST function to get the parameters that Twilio passes you:
// Twilio's parameter names are capitalised: From, To, Body (with express.urlencoded() parsing the form body)
console.log(request.body.From);
console.log(request.body.To);
Head over to this page on our website to see all of the parameters Twilio will send you when we
Hope that helps.
