
Sending data without encryption to Twilio getToken function

We are using Twilio CLIENT to make voice calls from browser to phone numbers.

On the Twilio server side we build a getToken function, based in this article: https://www.twilio.com/blog/generate-access-token-twilio-chat-video-voice-using-twilio-functions

On the client side, do you think sending 'identity', 'secretKey' and 'accountSid' without encryption is correct, in terms of security?

Is this the recommended way to do this?

Here is the function 'getToken':

exports.handler = function(context, event, callback) {
    let response = new Twilio.Response();

    // Values sent by the browser client with the request
    const identity = event.identity;
    const secretKey = event.secretKey;
    const accountSid = event.accountSid;

    // Values configured as environment variables of the Twilio Function
    const twilioAccountSid = context.ACCOUNT_SID;
    const twilioApiKey = context.API_KEY;
    const twilioApiSecret = context.API_SECRET;

    // The client is authorised only if it sends the same API secret and
    // Account SID that the Function holds in its environment
    if (identity !== undefined && twilioApiKey !== undefined
        && secretKey !== undefined && twilioApiSecret !== undefined && secretKey === twilioApiSecret
        && accountSid !== undefined && twilioAccountSid !== undefined && accountSid === twilioAccountSid ) {

        const AccessToken = Twilio.jwt.AccessToken;

        const token = new AccessToken(
            twilioAccountSid,
            twilioApiKey,
            twilioApiSecret,
            {identity: identity}
        );

        // Grant outgoing calls through the TwiML App; no incoming calls
        const VoiceGrant = AccessToken.VoiceGrant;

        const voiceGrant = new VoiceGrant({
            outgoingApplicationSid: context.TWIML_APP_SID,
            incomingAllow: false
        });

        token.addGrant(voiceGrant);

        let headers = {
            "Access-Control-Allow-Origin": "*",
            "Access-Control-Allow-Methods": "GET",
            "Content-Type": "application/json"
        };

        response.setHeaders(headers);

        response.setBody({
            'token': token.toJwt()
        });
        response.setStatusCode(200);
    } else {
        response.setBody({
            'mensaje': 'Unauthorized',
            'codigo': 403
        });
        response.setStatusCode(403);
    }

    callback(null, response);
};

Twilio developer evangelist here.

I do not recommend that you expose your secretKey in the client-side at all.

If you are looking to limit access to this endpoint, then I would start by restricting the origins from which you can access it. Right now you are allowing requests from all origins, with the * operator.

        let headers = {
            "Access-Control-Allow-Origin": "*",
            "Access-Control-Allow-Methods": "GET",
            "Content-Type": "application/json"
        };

Update the Access-Control-Allow-Origin header to restrict to your domain:

Access-Control-Allow-Origin: https://example.com

You could also use a different secret, not the one from your Twilio Account or API Key, to protect the endpoint.

exports.handler = function(context, event, callback) {
    let response = new Twilio.Response();

    // Only the identity and a custom shared secret come from the client
    const identity = event.identity;
    const secret = event.secret;

    // Twilio credentials stay in the Function's environment variables
    const twilioAccountSid = context.ACCOUNT_SID;
    const twilioApiKey = context.API_KEY;
    const twilioApiSecret = context.API_SECRET;
    const customSecret = context.CUSTOM_SECRET;

    if (identity !== undefined && twilioApiKey !== undefined
        && twilioApiSecret !== undefined && twilioAccountSid !== undefined
        && secret !== undefined && customSecret !== undefined && secret === customSecret) {

        // We're all good, create the token (same steps as the question's code)
        const AccessToken = Twilio.jwt.AccessToken;
        const token = new AccessToken(twilioAccountSid, twilioApiKey, twilioApiSecret, {identity: identity});
        token.addGrant(new AccessToken.VoiceGrant({
            outgoingApplicationSid: context.TWIML_APP_SID,
            incomingAllow: false
        }));

        response.setHeaders({
            "Access-Control-Allow-Origin": "https://example.com",
            "Access-Control-Allow-Methods": "GET",
            "Content-Type": "application/json"
        });
        response.setBody({ 'token': token.toJwt() });
        response.setStatusCode(200);
    } else {
        // Unauthorised
        response.setBody({ 'mensaje': 'Unauthorized', 'codigo': 403 });
        response.setStatusCode(403);
    }

    callback(null, response);
};

Also, do note that when you make requests to a Twilio Function, they have HTTPS enabled by default and you should make your request using HTTPS. That way, your parameters are encrypted over the wire.
