Sending data without encryption to Twilio getToken function
We are using Twilio CLIENT to make voice calls from browser to phone numbers.
On the Twilio server side we build a getToken function, based on this article: https://www.twilio.com/blog/generate-access-token-twilio-chat-video-voice-using-twilio-functions
On the client side, do you think sending ' identity ', ' secretKey ', ' accountSid ' without encryption is correct, in terms of security?
Is this the recommended way to do this?
Here is the function 'getToken':
exports.handler = function(context, event, callback) {
  let response = new Twilio.Response();
  // Values supplied by the browser in the request
  const identity = event.identity;
  const secretKey = event.secretKey;
  const accountSid = event.accountSid;
  // Values configured as environment variables of the Function
  const twilioAccountSid = context.ACCOUNT_SID;
  const twilioApiKey = context.API_KEY;
  const twilioApiSecret = context.API_SECRET;
  // The request is accepted only if the client-supplied secret and account SID
  // equal the API secret and account SID stored on the server
  if (identity !== undefined && twilioApiKey !== undefined
      && secretKey !== undefined && twilioApiSecret !== undefined && secretKey === twilioApiSecret
      && accountSid !== undefined && twilioAccountSid !== undefined && accountSid === twilioAccountSid) {
    const AccessToken = Twilio.jwt.AccessToken;
    const token = new AccessToken(
      twilioAccountSid,
      twilioApiKey,
      twilioApiSecret,
      {identity: identity}
    );
    // Grant outgoing calls only, through the configured TwiML App
    const VoiceGrant = AccessToken.VoiceGrant;
    const voiceGrant = new VoiceGrant({
      outgoingApplicationSid: context.TWIML_APP_SID,
      incomingAllow: false
    });
    token.addGrant(voiceGrant);
    let headers = {
      "Access-Control-Allow-Origin": "*",
      "Access-Control-Allow-Methods": "GET",
      "Content-Type": "application/json"
    };
    response.setHeaders(headers);
    response.setBody({
      'token': token.toJwt()
    });
    response.setStatusCode(200);
  } else {
    response.setBody({
      'mensaje': 'Unauthorized',
      'codigo': 403
    });
    response.setStatusCode(403);
  }
  callback(null, response);
};
Twilio developer evangelist here.
I do not recommend that you expose your secretKey in the client-side at all.
If you are looking to limit access to this endpoint, then I would start by restricting the origins from which you can access it. Right now you are allowing requests from all origins, with the '*' operator.
let headers = {
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Methods": "GET",
  "Content-Type": "application/json"
};
Update the Access-Control-Allow-Origin header to restrict to your domain:
Access-Control-Allow-Origin: https://example.com
You could also use a different secret, not the one from your Twilio Account or API Key, to protect the endpoint.
exports.handler = function(context, event, callback) {
  let response = new Twilio.Response();
  const identity = event.identity;
  const secret = event.secret;
  const twilioAccountSid = context.ACCOUNT_SID;
  const twilioApiKey = context.API_KEY;
  const twilioApiSecret = context.API_SECRET;
  // A secret dedicated to this endpoint, stored as a Function environment
  // variable; it is not the Account or API Key secret itself
  const customSecret = context.CUSTOM_SECRET;
  if (identity !== undefined && twilioApiKey !== undefined
      && twilioApiSecret !== undefined && twilioAccountSid !== undefined
      && secret !== undefined && customSecret !== undefined && secret === customSecret) {
    // We're all good, create the token (same grant as in the question)
    const AccessToken = Twilio.jwt.AccessToken;
    const token = new AccessToken(twilioAccountSid, twilioApiKey, twilioApiSecret, {identity: identity});
    const voiceGrant = new AccessToken.VoiceGrant({
      outgoingApplicationSid: context.TWIML_APP_SID,
      incomingAllow: false
    });
    token.addGrant(voiceGrant);
    response.setBody({ token: token.toJwt() });
    response.setStatusCode(200);
  } else {
    // Unauthorised
    response.setBody({ message: 'Unauthorized', code: 403 });
    response.setStatusCode(403);
  }
  callback(null, response);
};
Also, do note that when you make requests to a Twilio Function, they have HTTPS enabled by default and you should make your request using HTTPS. That way, your parameters are encrypted over the wire.