Twilio SMS Twiml with Test Credentials - testing

I'm using twilio with the test credentials and I send a simple sms from the test number +15005550006 to my twilio number. When I execute it I get an sid. On my twilio number I have set up a request url to receive the twiml request but it never gets hit. I'm able to access that url from the internet (not localhost) myself but never when sending a test sms.
Since I am using test credentials, is twilio sending a request to my url? And is there a way to see from the twilio report/alert to see if it is actually trying to connect to that url?

Twilio developer evangelist here.
The test credentials won't deliver any SMS messages. Think of it as having the ability to exercise any requests, but not actually making them for real. Test credentials are useful for developing if you're concerned about making API requests.
To get the messages delivered you will need to use you real credentials.
Let me know if you have any questions.

Related

Meaningful response when using SMS gateway with Auth0

Is it possible to somehow configure a custom message in Auth0 for fails in a custom SMS gateway.
My gateway will throw 400 if it fails to send sms (invalid phone number for example).
And the default message doesn't help users. (Unexpected response while calling the SMS gateway)
I see here that it will not read the body but maybe you have any ideas to workaround it.
https://auth0.com/docs/authenticate/passwordless/authentication-methods/use-sms-gateway-passwordless#error-handling

How to send sms to a twilio number

I have configured a twilio number. Now I want to send an SMS from rest API to this twilio number. An incoming message to a twilio number. I am very new to twilio. So any help would be appreciated. Thanks
Twilio developer evangelist here.
When you have a Twilio number you can send messages from the Twilio number using the REST API. You would normally receive messages sent to the Twilio number from users using their messaging app on their mobile device.
To understand further I recommend you follow some Twilio tutorials:
Here is a quickstart guide for sending and receiving SMS with Twilio
A guide on sending SMS messages with Twilio
The API's Message resource reference
An overview of TwiML and receiving messages sent to your Twilio number
Hopefully they get you started on a path to understanding.

Is it a security vulnerability to put TWITTER_CONSUMER_KEY / SECRET in client for oAuth1 Twitter Login?

All of the React Native Twitter Login Clients that I'm finding seem to be hard-coding the TWITTER_CONSUMER_KEY and TWITTER_CONSUMER_SECRET into the the client code, rather than relying on a server to generate tokens and/or a twitter redirect URL.
Is this safe? (e.g. couldn't a consumer then DOS the API with the TWITTER_CONSUMER_KEY, causing the app to be rate limited?)
Is this the correct way to do it?
Is there a better / more secure way?
According to twitter's documentation, it seems like this is NOT the correct way to do this:
"In the event that you believe that your API keys has been exposed, you should regenerate your API keys by following these steps" - Authentication best practices
Examples which specify that the consumer key/secret should be hardcoded:
https://rnfirebase.io/docs/v5.x.x/auth/social-auth#Twitter
https://github.com/GoldenOwlAsia/react-native-twitter-signin/blob/master/Example/TwitterButton.js#L14
Related questions:
Twitter consumer secret really a secret?
Is it a security vulnerability
Yes.
Your app can be rate limited or flagged as malware/spam etc.
Is there a better / more secure way?
Basically only to have your own site auth (oauth2) done correctly and proxy specific requests from your clients, after validation or a simplified locked down site API that is then translated to the Twitter API.
Why is this, Twitter app-only auth supports OAuth2, allows a secure negotiated handshake and then requests made using a Bearer token. In this mode you can make requests on behalf of your App, but without a logged in user. So can't post tweets or see private accounts or read DMs.
For user-auth, Twitter only support OAuth1 and both the App and User are authenticated, but using a model that assumed plaintext http, so can't share a single token. Every single request needs to be made using consumer key/secret and signing the request. So there isn't a way to do this from a javascript client safely.
Is this safe?
Absolutely not. A bad actor can get users to authenticate via Twitter to receive their token credentials and then use your app's consumer key/secret (which would be available in plain text) to masquerade as your app to do all kinds of nasty stuff.
Is this the correct way to do it?
Given the security vulnerability described above, no.
Is there a better / more secure way?
I'm currently in the process of trying to figure out how to securely achieve authentication with Twitter. This involved a lot of reading, but it appears as though it's simply not possible without your own backend. I'll try and explain why:
Your goal is to receive the user's email/Twitter-ID
To achieve (1), you need to send a request to the GET account/verify_credentials endpoint (https://developer.twitter.com/en/docs/twitter-api/v1/accounts-and-users/manage-account-settings/api-reference/get-account-verify_credentials).
To do (2), you need to provide an authorisation header, which is constructed out of several items, including the user's OAuth tokens as well as your app's consumer key/secret. More info here: https://developer.twitter.com/en/docs/authentication/oauth-1-0a/authorizing-a-request.
You retrieve the user's OAuth tokens using the 3-legged OAuth flow
described here: https://developer.twitter.com/en/docs/authentication/oauth-1-0a/obtaining-user-access-tokens. The first step of this process is to send a POST request to the oauth/request_token endpoint (https://developer.twitter.com/en/docs/authentication/api-reference/request_token).
This endpoint itself requires an authorisation header constructed using
your app's consumer key/secret.
Obviously you can't perform step (4) because that implies you would have your consumer secret available in the client; even if it's not hardcoded, it would have to be in memory at runtime, at some point
Once you have your own backend service, one option would be for your client app to open a browser and direct to an endpoint (let's call it /auth/twitter) on this service which will perform all the steps mentioned above.
This same service could also implement another endpoint (/auth/twitter/token) which handles requests to the callback URL, which you set in your Twitter app settings. This callback URL is used as part of the same 3-legged flow. This endpoint would have all the information needed to then go ahead and retrieve the user's email/Twitter-ID.
Finally, /auth/twitter/token can redirect to a custom URL which your client app would need to handle as part of its URL schemes. It can include enough information by way of parameters for your app to continue as needed post-auth.

Should Twitter API requests be sent from the server or from the client?

I want to create a Twitter application which would use 'Sign in with Twitter' in order to get the users' access tokens. I then want to perform calls to the API on their behalf.
Should the API requests be sent from the client side, or from the server side?
Rate limits shouldn't make a difference because they are measured per user access token.
But I'm wondering if I'm forgetting other important factors because I'm very new to this.
If your client is a web browser, then the answer is no. Twitter API does not support CORS headers. Have the client connect to a server, and make your requests on the backend.

Authenticating Skype Bot through an API

I am using Microsoft Bot Framework to build a bot that receives messages from a user and then connects to a a banking service he already registered. (In case you don't know Bot Framework, is just a Web Api where you post messages and it answers you according to the behaviour you specified in advance).
So the banking service knows his user and password. And let's say it also knows the user Skype's username, because the bot will be connected to a Skype Channel via Bot Framework Connector.
My question is: how can I authenticate (in the banking service) the user that sending messages to the bot? The idea of this is of course not to make the user send his credentials (user and password) via messages.
Making the bot send a link where the user can write his credentials and then trigger a callback is not an option. I need to make the authorization flow the most transparent I could do it for the user.
The only examples I currently have of Auth involve invoking a browser for the authenticating service where the user can enter their service-specific credentials, such as Mat Velloso's AuthBot sample on github: https://github.com/matvelloso/authbot
I assume your last statement means this isn't a valid option?