Merge pull request #17 from aymenn/basic-auth

cweems · web-flow · commit ec1f9f00b2b1 · 2022-07-22T12:55:57.000-07:00
Add basic auth to sessions route and webhook validation to other routes
diff --git a/.env.example b/.env.example
@@ -5,4 +5,6 @@ CALL_ANNOUCEMENT_VOICE=
 CALL_ANNOUCEMENT_LANGUAGE=
 OUT_OF_SESSION_MESSAGE_FOR_CALL=
 CONNECTING_CALL_ANNOUCEMENT=
-DOMAIN=
+DOMAIN=
+AUTH_USERNAME=
+AUTH_PASSWORD=
diff --git a/README.md b/README.md
@@ -51,8 +51,9 @@ $ cp .env.example .env
 | CALL_ANNOUCEMENT_LANGUAGE       | The language to speak announcements in.                                       | "en" or any of the [supported languages](https://www.twilio.com/docs/voice/twiml/say#attributes-language).                    |
 | OUT_OF_SESSION_MESSAGE_FOR_CALL | A message to play if someone calls the number pool without an active session. | "Your session is no longer active. Goodbye."               |
 | CONNECTING_CALL_ANNOUCEMENT     | A message to play when a caller is being connected to the other party.        | "We're connecting you to your agent now."                  |
-| DOMAIN                          | The domain where the application will be hosted.                              | "mysite.com" or "https://your-domain.ngrok.io"             |
-
+| DOMAIN                          | The domain where the application will be hosted.                              | "mysite.com" or "your-domain.ngrok.io" (no https://)             |
+| AUTH_USERNAME                          | Basic auth username for request authorization                              | "mySecureUserName"           |
+| AUTH_PASSWORD                          | Basic auth password for request authorization                              | "mySecretPassword"           |
 
 Once you have your environment variables set, you can start the app with this command:
 
@@ -85,6 +86,10 @@ Two webhooks can be configured in the Twilio Console:
 - Paste your webhook (`https://[your-domain]/conversations-post-event`) into the Post-Event URL input box.
 - Click "save" at the bottom of the page.
 
+# Authentication & Webhook Validation
+The app requires basic auth on request to the `/sessions` endpoint. This prevents an unauthorized person from creating sessions. To use basic auth, make sure `DOMAIN` (e.g. mysite.com, no http://), `AUTH_USERNAME`, and `AUTH_PASSWORD` are all set in your .env file, and restart the app.
+
+Webhooks are automatically validated using the Twilio Webhook signature. This prevents an unauthorized request to start a phone call without your permission. For webhook validation to work, your app needs `DOMAIN` to be set along with `TWILIO_AUTH_TOKEN` in the .env file.
 
 # Usage
 You can create a new masked-number session between multiple users by making a post request to the `/sessions` endpoint:
@@ -146,4 +151,4 @@ To conduct a load test on the app, run:
 ```bash
 $ yarn loadtest
 ```
-This will generate 300 conversations in 20ms intervals against the app.
+This will generate 300 conversations in 20ms intervals against the app.
diff --git a/package.json b/package.json
@@ -5,6 +5,7 @@
     "cors": "^2.8.5",
     "dotenv": "^16.0.1",
     "express": "^4.18.1",
+    "express-basic-auth": "^1.2.1",
     "http-errors": "^2.0.0",
     "morgan": "^1.10.0",
     "twilio": "^3.78.0"
diff --git a/src/config/webhookValidationConfig.ts b/src/config/webhookValidationConfig.ts
@@ -0,0 +1,9 @@
+function shouldValidate () {
+  return process.env.NODE_ENV !== 'test'
+}
+
+export const webhookConfig = {
+    protocol: 'https',
+    host: process.env.DOMAIN,
+    validate: shouldValidate()
+}
diff --git a/src/routes/index.ts b/src/routes/index.ts
@@ -1,13 +1,21 @@
 import { Router } from "express";
 import * as controllers from "../controllers";
 
+import twilio from 'twilio'
+import { webhookConfig } from '../config/webhookValidationConfig'
+
+import basicAuth from 'express-basic-auth'
+const { AUTH_USERNAME, AUTH_PASSWORD } = process.env
+
 const router = Router();
 
-router.post("/conversations-post-event", controllers.conversationsPostEvent.post);
+router.post("/conversations-post-event", twilio.webhook(webhookConfig), controllers.conversationsPostEvent.post);
 
-router.post("/inbound-call", controllers.inboundCall.post);
-router.get("/join-conference", controllers.joinConference.get)
+router.post("/inbound-call", twilio.webhook(webhookConfig), controllers.inboundCall.post);
+router.post("/join-conference", twilio.webhook(webhookConfig), controllers.joinConference.get)
 
-router.post("/sessions", controllers.session.post);
+router.post("/sessions", basicAuth({
+  users: { [AUTH_USERNAME]:AUTH_PASSWORD}
+}), controllers.session.post);
 
 export default router;
diff --git a/yarn.lock b/yarn.lock
