twilio security not working on my .net core 3.0/3.1 application properly #509

Open
KamranShahid opened this issue Dec 10, 2019 · 19 comments
Labels: difficulty: unknown or n/a; status: help wanted; type: bug

KamranShahid commented Dec 10, 2019

I have implemented validation as per https://www.twilio.com/docs/usage/tutorials/how-to-secure-your-csharp-aspnet-core-app-by-validating-incoming-twilio-requests

I have a .NET Core 3.0 application where the callback URL is like https://mydomain.com:81/Twilio/TwilioAction

The request validator always seems to reject the validation.

The same code works fine in my other deployment, where the address is like
https://myotherdomain.com/Twilio/TwilioAction

It looks like this is due to the following implementation in the Twilio RequestValidator:

```csharp
private string RemovePort(UriBuilder uri)
{
    // UriBuilder.ToString() will not display the port
    // if the Port property is set to -1
    uri.Port = -1;
    return uri.ToString();
}

private string AddPort(UriBuilder uri)
{
    if (uri.Port != -1)
    {
        return uri.ToString();
    }
    uri.Port = uri.Scheme == "https" ? 443 : 80; // line highlighted by the reporter
    return uri.ToString();
}
```

I have even upgraded to release 5.37.1, but the issue still exists.

@thinkingserious
Contributor

Hello @KamranShahid,

Thanks for bringing this to our attention!

This issue has been added to our internal backlog to be prioritized. Pull requests and +1s on the issue summary will help it move up the backlog.

With best regards,

Elmer

@thinkingserious added the difficulty: unknown or n/a, status: help wanted, and type: bug labels Dec 11, 2019
@childish-sambino
Contributor

What sort of callback is this not working for?

@childish-sambino added the status: waiting for feedback label Dec 11, 2019
@KamranShahid
Author

This is request validation as per the recommendation from Twilio.

@childish-sambino
Contributor

Yes, but which particular webhook is the request validation failing for? SMS, Voice, Conference, or something else?

@KamranShahid
Author

SMS

@childish-sambino removed the status: waiting for feedback label Dec 11, 2019
@KamranShahid
Author

If someone can hint at what change I should make in https://github.com/twilio/twilio-csharp/blob/master/src/Twilio/Security/RequestValidator.cs then I will try it out locally in my project.

@childish-sambino
Contributor

I don't know yet what the change would be. The line you've highlighted about adding a default port only applies if the URL doesn't contain a port, which in your case it should.

You can try debugging by seeing if the URL being fed into the validator matches the URL exactly as you've configured it in your SMS webhook.

@KamranShahid
Author

> I don't know yet what the change would be. The line you've highlighted about adding a default port only applies if the URL doesn't contain a port, which in your case it should.
>
> You can try debugging by seeing if the URL being fed into the validator matches the URL exactly as you've configured it in your SMS webhook.

Then I might have to check how the value from my token with my URL/form elements compares to the one expected with X-Twilio-Signature and my token.
I did this quite a while back and it looks like I need to do it again :(

@childish-sambino
Contributor

I would ignore the token for now and just focus on the first part: does the URL (protocol, host, port) being fed into the validator match what's configured in the SMS webhook?

@KamranShahid
Author

My URL in the webhook is like
https://mysite.com:81/twilio/mytwilioaction
As per the above:
protocol https
host mysite.com
port 81

Please try out this type of URL.

@childish-sambino
Contributor

There are unit tests that verify such URLs. What I'm asking is what URL is actually being fed into the validator? From the validation example, the code looks like this:

```csharp
private static string RequestRawUrl(HttpRequest request)
{
    return $"{request.Scheme}://{request.Host}{request.Path}{request.QueryString}";
}
```

Is this what your code is doing? If so, what's the result?
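
The URL comparison asked for above can be checked directly by recomputing the signature for each candidate URL and seeing which one matches the `X-Twilio-Signature` header. This is an added example, not code from this thread or from twilio-csharp; it assumes Twilio's documented scheme (Base64 of HMAC-SHA1, keyed with the auth token, over the URL followed by the POST fields sorted by name), and the class name, token, host and form values are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class SignatureDebug
{
    // Base64(HMAC-SHA1(authToken, url + name1 + value1 + ...)), POST fields sorted by name.
    public static string Compute(string authToken, string url, IDictionary<string, string> form)
    {
        var data = new StringBuilder(url);
        foreach (var key in form.Keys.OrderBy(k => k, StringComparer.Ordinal))
            data.Append(key).Append(form[key]);
        using (var hmac = new HMACSHA1(Encoding.UTF8.GetBytes(authToken)))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(data.ToString())));
    }

    // The URL as received, then rebuilt with an explicit port and with no port.
    // System.Uri lower-cases the host and may normalise escaping in the rebuilt forms.
    public static IEnumerable<string> Variants(string url)
    {
        var u = new Uri(url);
        yield return url;
        yield return $"{u.Scheme}://{u.Host}:{u.Port}{u.PathAndQuery}";
        yield return $"{u.Scheme}://{u.Host}{u.PathAndQuery}";
    }

    // Fixed-time comparison, as any signature check should use.
    public static bool Matches(string expected, string actual) =>
        CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(expected), Encoding.UTF8.GetBytes(actual));

    public static void Main()
    {
        // Constructed sample values, not taken from the issue.
        const string token = "example-auth-token";
        var form = new Dictionary<string, string> { ["From"] = "+15550100", ["Body"] = "hi" };
        string configured = "https://mysite.example:81/twilio/mytwilioaction"; // webhook setting
        string header = Compute(token, configured, form);  // stands in for X-Twilio-Signature
        string seen = "https://mysite.example/twilio/mytwilioaction"; // URL the app rebuilt

        foreach (var candidate in Variants(seen).Append(configured).Distinct())
        {
            bool ok = Matches(Compute(token, candidate, form), header);
            Console.WriteLine($"{(ok ? "MATCH   " : "mismatch")} {candidate}");
        }
    }
}
```

In a real handler, `seen` would be the output of `RequestRawUrl`, `header` the received `X-Twilio-Signature` value, and `form` the posted fields; a match only on the configured URL means the rebuilt URL differs from the webhook setting.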

@KamranShahid
Author

Yes, it is exactly like this, and it even works for my URLs like
https://mysite.com/twilio/mytwilioaction
but not for
https://mysite.com:81/twilio/mytwilioaction

I know about this validation and even did it in one of my old ASP.NET WCF applications.

@KamranShahid changed the title from "twilio security not working on my .net core 3.0 application properly" to "twilio security not working on my .net core 3.0/3.1 application properly" Dec 19, 2019
@KamranShahid
Author

Any update on this issue?

@childish-sambino
Contributor

I've not had a chance to come back to this yet to try to recreate what's going on here.

@KamranShahid
Author

> I've not had a chance to come back to this yet to try to recreate what's going on here.

OK, Sambino.

@yroush

yroush commented Dec 26, 2019

I'm having the same issue with the code Twilio provides for .NET Core request validation.

It fails every time.

@KamranShahid
Author

> I'm having the same issue with the code Twilio provides for .NET Core request validation.
>
> It fails every time.

Give some details. What's the callback URL? Is it https or http?

@yroush

yroush commented Dec 27, 2019

> > I'm having the same issue with the code Twilio provides for .NET Core request validation.
> > It fails every time.
>
> Give some details. What's the callback URL? Is it https or http?

http callback url.

I tried hosting that url on both port 80 and another port, but the request validator still does not work.

The RequestRawURL function works properly, so I at least know that it isn't part of the problem.

@winzig

winzig commented Sep 25, 2020

Spent a few hours now trying to figure this out, and I also cannot get Twilio's signature validation library to work on .NET 3.x. Using Twilio 5.39.0 on .NET 3.x.
