twilio-ruby 3.11.6 → 3.12.0

checksums.yaml

@@ -1,15 +1,15 @@
 ---
 !binary "U0hBMQ==":
   metadata.gz: !binary |-
-    OGUxMzc0ZmMwMjk0ZDY5MTU4ZDY0NGY3MGM3MmI1NmZlODBmODM5Nw==
+    ZWZkNmViOGVhYzA4YzlhOWRkYzFjZDZhMTY1NTY1NmE5ZmVjZWI4MQ==
   data.tar.gz: !binary |-
-    MGFhNTM3Nzg4YzVlOGYxYmExMTQyNjQyMjQ3M2Q1YmM1NTY1Nzk5NA==
+    ODBhOTdkNTE2NjE0OGUzZmJhY2U3NzdhMTM2ODU0N2EwNzNlZTYyOA==
 SHA512:
   metadata.gz: !binary |-
-    MTVlZDc3MzFlOGRjYTk4N2FkYzg5MGRmZDZjZTg0MzUwYmRhODNhNmFjMDli
-    N2ZhNGQ1MWQ3N2FiN2QyNDcyODFmNWY5MTE0Njk1NzZkYjZmZjBmNzQ2NTg0
-    YjVlMTI0M2I4ZDg0Y2Q1OWE3MmM3OTFlMTcwMDJjZmNlNTEzZGE=
+    OTY0NDM4N2Q3ODA1MDdmYTc2OTY3ODE2OGE4YjBlMjExMDBmZTBkYzkzZWE2
+    MThkMGZhZWY4MDhiZWIxOTE0OGVjZjQ2NjQ3OTBlNzcwZjhiMWI4ZTcxOGU0
+    MzQ3ZTQ3MjcyYmYzNjdkZjFiZTYxOTQxODI5YjViMzI2YTE2MzE=
   data.tar.gz: !binary |-
-    YjE1ODY5NTEzNTI2ZTYwZGJlNGY2NGMyYTVkZDY2MDEwOGQ0OTk3ZDYwMjI2
-    YzI5Y2JiNmQ2ZWYzNjQwODI5ODA3YzVjYjUxMTgyZjgyOWExMmU2MGRiZGI0
-    N2EzMTFjMzA5MDRiNmViN2MzZWE1MThiY2MzZDNmZGNlNDZlODE=
+    ZDgwN2ZhOWQzMzYzMGQ3MzJkY2EyNzZiOTk5MDA5ZGZmZjEwZjE0ODc2NDdl
+    ODE1M2FmNTUwMGVjNjgwNzc5MzIxZjRkZGE2ZmJkZjdjYTllMzY4ZTYzMjQ4
+    ZGVjZGIyMzkwZjMxZWRkOTcwYTE5MmIzNjQ4OTVjYTkyZjdkOTI=

data/CHANGES.md

@@ -1,6 +1,12 @@
 twilio-ruby changelog
 =====================
 
+Version 3.12.0
+- Add Rack middleware for Twilio request-signature validation
+- Upgrade dependencies and clean up project files
+- Documentation fixes
+- Add `text` alias for `to_xml` method on TwiML generator objects
+
 Version 3.11.6
 
 Released July 25, 2014

data/Gemfile

@@ -4,7 +4,7 @@ gemspec
 
 group :test do
   gem 'rake', '~> 10.1'
-  gem 'rspec', '~> 2.6'
+  gem 'rspec', '~> 3.0'
   gem 'fakeweb', '~> 1.3'
   gem 'rack', '~> 1.3'
 end

data/docs/usage/validation.rst

@@ -53,7 +53,6 @@ actually from Twilio.
         puts "NOT VALID.  It might have been spoofed!"
     end
 
-
 Trailing Slashes
 ==================
 
@@ -69,3 +68,30 @@ https://mycompany.com/twilio and you may have built the hash using
 https://mycompany.com/twilio/. More information can be found in our
 documentation on validating requests.
 
+Rack Middleware
+===============
+
+If you are serving up your site using a Rack based framework, such as Sinatra or
+Rails, you can use the Rack middleware that is included in the gem to protect
+from spoofing attempts.
+
+To use the middleware, you need to set it up with your Twilio Auth Token and a
+set of paths to watch. For example, here is how you would use the middleware in
+a Sinatra application:
+
+.. code-block:: ruby
+
+    require 'sinatra'
+    require 'twilio-ruby'
+
+    auth_token = 'YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY'
+
+    use Rack::TwilioWebhookAuthentication, auth_token, /\/messages/
+
+    post '/messages' do
+      # response with TwiML
+    end
+
+Now, any POST request to /messages in your application that doesn't validate as
+a Twilio request, will automatically respond with a 403 status code and your
+action will not be hit.

data/lib/rack/twilio_webhook_authentication.rb

@@ -0,0 +1,40 @@
+module Rack
+  # Middleware that authenticates webhooks from Twilio using the request
+  # validator.
+  #
+  # The middleware takes an auth token with which to set up the request
+  # validator and any number of paths. When a path matches the incoming request
+  # path, the request will be checked for authentication.
+  #
+  # Example:
+  #
+  # require 'rack'
+  # use Rack::TwilioWebhookAuthentication, ENV['AUTH_TOKEN'], /\/messages/
+  #
+  # The above appends this middleware to the stack, using an auth token saved in
+  # the ENV and only against paths that match /\/messages/. If the request
+  # validates then it gets passed on to the action as normal. If the request
+  # doesn't validate then the middleware responds immediately with a 403 status.
+
+  class TwilioWebhookAuthentication
+    def initialize(app, auth_token, *paths)
+      @app = app
+      @auth_token = auth_token
+      @path_regex = Regexp.union(paths)
+    end
+
+    def call(env)
+      return @app.call(env) unless env["PATH_INFO"].match(@path_regex)
+      validator = Twilio::Util::RequestValidator.new(@auth_token)
+      request = Rack::Request.new(env)
+      original_url = request.url
+      params = request.post? ? request.POST : {}
+      signature = env['HTTP_X_TWILIO_SIGNATURE']
+      if validator.validate(original_url, params, signature)
+        @app.call(env)
+      else
+        [403, {'Content-Type' => 'text/plain'}, ["Twilio Request Validation Failed."]]
+      end
+    end
+  end
+end

data/lib/twilio-ruby.rb

@@ -56,3 +56,4 @@ require 'twilio-ruby/rest/recordings'
 require 'twilio-ruby/rest/transcriptions'
 require 'twilio-ruby/rest/notifications'
 require 'twilio-ruby/rest/client'
+require 'rack/twilio_webhook_authentication'

data/lib/twilio-ruby/version.rb

@@ -1,3 +1,3 @@
 module Twilio
-  VERSION = '3.11.6'
+  VERSION = '3.12.0'
 end

data/spec/rack/twilio_webhook_authentication_spec.rb

@@ -0,0 +1,76 @@
+require 'spec_helper'
+require 'rack/mock'
+
+describe Rack::TwilioWebhookAuthentication do
+  before do
+    @app = lambda {|env| [200, {'Content-Type' => 'text/plain'}, ['Hello']] }
+  end
+
+  describe 'new' do
+    it 'should initialize with an app, auth token and a path' do
+      expect {
+        Rack::TwilioWebhookAuthentication.new(@app, 'ABC', /\/voice/)
+      }.not_to raise_error
+    end
+
+    it 'should initialize with an app, auth token and paths' do
+      expect {
+        Rack::TwilioWebhookAuthentication.new(@app, 'ABC', /\/voice/, /\/sms/)
+      }.not_to raise_error
+    end
+  end
+
+  describe 'calling against one path' do
+    before do
+      @middleware = Rack::TwilioWebhookAuthentication.new(@app, 'ABC', /\/voice/)
+    end
+
+    it 'should not intercept when the path doesn\'t match' do
+      expect(Twilio::Util::RequestValidator).to_not receive(:validate)
+      request = Rack::MockRequest.env_for('/sms')
+      status, headers, body = @middleware.call(request)
+      expect(status).to be(200)
+    end
+
+    it 'should allow a request through if it validates' do
+      expect_any_instance_of(Twilio::Util::RequestValidator).to receive(:validate).and_return(true)
+      request = Rack::MockRequest.env_for('/voice')
+      status, headers, body = @middleware.call(request)
+      expect(status).to be(200)
+    end
+
+    it 'should short circuit a request to 403 if it does not validate' do
+      expect_any_instance_of(Twilio::Util::RequestValidator).to receive(:validate).and_return(false)
+      request = Rack::MockRequest.env_for('/voice')
+      status, headers, body = @middleware.call(request)
+      expect(status).to be(403)
+    end
+  end
+
+  describe 'calling against many paths' do
+    before do
+      @middleware = Rack::TwilioWebhookAuthentication.new(@app, 'ABC', /\/voice/, /\/sms/)
+    end
+
+    it 'should not intercept when the path doesn\'t match' do
+      expect(Twilio::Util::RequestValidator).to_not receive(:validate)
+      request = Rack::MockRequest.env_for('icesms')
+      status, headers, body = @middleware.call(request)
+      expect(status).to be(200)
+    end
+
+    it 'shold allow a request through if it validates' do
+      expect_any_instance_of(Twilio::Util::RequestValidator).to receive(:validate).and_return(true)
+      request = Rack::MockRequest.env_for('/sms')
+      status, headers, body = @middleware.call(request)
+      expect(status).to be(200)
+    end
+
+    it 'should short circuit a request to 403 if it does not validate' do
+      expect_any_instance_of(Twilio::Util::RequestValidator).to receive(:validate).and_return(false)
+      request = Rack::MockRequest.env_for('/sms')
+      status, headers, body = @middleware.call(request)
+      expect(status).to be(403)
+    end
+  end
+end

data/twilio-ruby.gemspec

@@ -23,13 +23,10 @@ Gem::Specification.new do |spec|
 
   spec.add_dependency('multi_json', '>= 1.3.0')
   spec.add_dependency('builder', '>= 2.1.2')
-  spec.add_dependency('jwt', '>= 0.1.2')
+  spec.add_dependency('jwt', '~> 1.0.0')
   spec.add_dependency('jruby-openssl') if RUBY_PLATFORM == 'java'
   # Workaround for RBX <= 2.2.1, should be fixed in next version
   spec.add_dependency('rubysl') if defined?(RUBY_ENGINE) && RUBY_ENGINE == 'rbx'
 
-  spec.add_development_dependency 'rspec',   '~> 2.14'
-  spec.add_development_dependency 'fakeweb', '~> 1.3.0'
-  spec.add_development_dependency 'rack',    '~> 1.3.0'
   spec.add_development_dependency 'bundler', '~> 1.5'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: twilio-ruby
 version: !ruby/object:Gem::Version
-  version: 3.11.6
+  version: 3.12.0
 platform: ruby
 authors:
 - Andrew Benton
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-07-26 00:00:00.000000000 Z
+date: 2014-08-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: multi_json
@@ -41,59 +41,17 @@ dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
   requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: 0.1.2
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: 0.1.2
-- !ruby/object:Gem::Dependency
-  name: rspec
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: '2.14'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: '2.14'
-- !ruby/object:Gem::Dependency
-  name: fakeweb
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: 1.3.0
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: 1.3.0
-- !ruby/object:Gem::Dependency
-  name: rack
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: 1.3.0
-  type: :development
+        version: 1.0.0
+  type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 1.3.0
+        version: 1.0.0
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -166,6 +124,7 @@ files:
 - docs/usage/validation.rst
 - examples/examples.rb
 - examples/print-call-log.rb
+- lib/rack/twilio_webhook_authentication.rb
 - lib/twilio-ruby.rb
 - lib/twilio-ruby/rest/accounts.rb
 - lib/twilio-ruby/rest/applications.rb
@@ -216,6 +175,7 @@ files:
 - lib/twilio-ruby/util/capability.rb
 - lib/twilio-ruby/util/request_validator.rb
 - lib/twilio-ruby/version.rb
+- spec/rack/twilio_webhook_authentication_spec.rb
 - spec/rest/account_spec.rb
 - spec/rest/call_spec.rb
 - spec/rest/client_spec.rb
@@ -263,6 +223,7 @@ specification_version: 4
 summary: A simple library for communicating with the Twilio REST API, building TwiML,
   and generating Twilio Client Capability Tokens
 test_files:
+- spec/rack/twilio_webhook_authentication_spec.rb
 - spec/rest/account_spec.rb
 - spec/rest/call_spec.rb
 - spec/rest/client_spec.rb