Andrew Benton edited this page Jul 18, 2011 · 9 revisions

Documentation: Util

The Util module provides useful utilities for interacting with Twilio. For now there is just one class called RequestValidator, which you can use to validate that a request for TwiML is actually coming from Twilio.

RequestValidator

An important part of any secure Twilio application is correctly performing request validation. For a complete description of how request validation works, see the Twilio security documentation. The basic idea is that Twilio builds a string based on the parameters sent to your server and then creates a hash of this string using your account's AuthToken (a shared secret). Twilio sends this hash to your server as a header in its request. You can then build the same string and create the same hash as Twilio did, and compare yours to the one Twilio sent to determine the authenticity of the request.

The RequestValidator class simplifies this process to a single method call:

# First, instantiate a RequestValidator object with your account's AuthToken.
validator = Twilio::Util::RequestValidator.new(@auth_token)

# Then gather the data required to validate the request. The following works in
# Sinatra, and something similar should work in any Rack-based environment.
# The URI must be the full URL Twilio requested (scheme, host and query string),
# and the params are the POST body parameters, not the query string.
uri = request.url
params = request.POST
signature = env['HTTP_X_TWILIO_SIGNATURE']

# Finally, call the validator's #validate method.
validator.validate uri, params, signature #=> true if the request is from Twilio
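
To make the scheme described above concrete, the following added example (not code from the twilio-ruby library) computes the signature the way Twilio's security documentation describes it: HMAC-SHA1 over the full URL followed by the sorted POST parameters, Base64-encoded, then compared in constant time. The function names and all sample values are constructed for illustration.

```ruby
require 'openssl'
require 'base64'

# Expected signature: the full request URL, followed by each POST parameter
# name and value (sorted by name), HMAC-SHA1 keyed with the AuthToken,
# then Base64-encoded.
def expected_signature(auth_token, url, post_params)
  data = url + post_params.sort.map { |k, v| "#{k}#{v}" }.join
  digest = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), auth_token, data)
  Base64.strict_encode64(digest)
end

# Constant-time comparison, so response timing does not reveal how many
# leading characters of a guessed signature were correct.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# A missing or empty header is rejected outright.
def twilio_request?(auth_token, url, post_params, header_signature)
  return false if header_signature.nil? || header_signature.empty?
  secure_compare(expected_signature(auth_token, url, post_params), header_signature)
end

# Constructed sample values (not real credentials or a real request).
AUTH_TOKEN = 'example_auth_token_0123456789'
URL        = 'https://example.com/voice?foo=1'
PARAMS     = { 'To' => '+15550100', 'From' => '+15550101', 'CallSid' => 'CAexample' }

good = expected_signature(AUTH_TOKEN, URL, PARAMS)
puts twilio_request?(AUTH_TOKEN, URL, PARAMS, good)                              # genuine request
puts twilio_request?(AUTH_TOKEN, URL, PARAMS.merge('To' => '+15550199'), good)   # tampered parameter
puts twilio_request?(AUTH_TOKEN, 'http://example.com/voice?foo=1', PARAMS, good) # wrong scheme in URL
puts twilio_request?(AUTH_TOKEN, URL, PARAMS, nil)                               # header missing
```

The third case is the one that most often bites in practice: if the application sits behind a proxy and reconstructs a different scheme, host or port than the URL configured in Twilio, validation fails even for genuine requests.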