Can't authenticate Twilio Authy webhook callbacks

Question

I am trying to set up webhooks for Authy OneTouch push authentication. I manage to successfully register to one_touch_request_responded events, save the webhook signing key from the subscription call, but I have still not managed to verify the requests: any attacker could forge fake requests and easily bypass the 2FA check.

The API documentation is quite confusing to me, given the callback requests don't match the format mentioned (especially they don't have the X-Authy-Signature header), and only have the following headers:

{
  host: 'XXX.ngrok.io',
  'user-agent': 'Authy-api-webhooks/1.0',
  'content-length': '2211',
  'accept-encoding': 'gzip',
  'content-type': 'application/json',
  'x-forwarded-for': '3.89.35.175',
  'x-forwarded-proto': 'http'
}

I have also tried to verify the signature of the JWT token, still to no avail (incoming POST request: {"body":"a_jwt_token"} ): I alway get an invalid signature (same using https://jwt.io/ ).

const jwt = require("jsonwebtoken");
jwt.verify(req.body.body, Buffer.from(MY_SECRET_KEY, "base64"), { algorithm: ["HS256"] });

What is the proper way of checking the authenticity of the webhook POST callbacks?

Thanks!

Answer 1

Twilio developer evangelist here.

It looks to me as though you've found the Authy webhooks session that you can subscribe to in order to get updated about various parts of your users' usage of the Authy APIs.

In order to get webhooks for OneTouch push notifications, you should set your webhook URL in the Twilio console under the push notifications settings for the Authy application.

Once you have set the webhook URL, you will find webhook events coming through to your application for push authentication approvals and denials. Those requests will also come with the X-Authy-Signature-Nonce and X-Authy-Signature headers and you will be able to re-create the signature using the method explained here .

Sorry that got confusing, hopefully this clears it up for you.