Sending data without encryption to Twilio getToken function
We are using the Twilio Client to make voice calls from the browser to a phone number.
On the Twilio server side we built a getToken function, based on this article: https://www.twilio.com/blog/generate-access-token-twilio-chat-video-voice-using-twilio-functions
On the client side, in terms of security, do you think it is correct to send 'identity', 'secretKey' and 'accountSid' without encryption?
Is this the recommended approach?
This is the 'getToken' function:
```javascript
exports.handler = function(context, event, callback) {
  let response = new Twilio.Response();
  // Values sent by the browser client with the request
  const identity = event.identity;
  const secretKey = event.secretKey;
  const accountSid = event.accountSid;
  // Values configured as environment variables of the Function
  const twilioAccountSid = context.ACCOUNT_SID;
  const twilioApiKey = context.API_KEY;
  const twilioApiSecret = context.API_SECRET;
  if (identity !== undefined && twilioApiKey !== undefined
      && secretKey !== undefined && twilioApiSecret !== undefined && secretKey === twilioApiSecret
      && accountSid !== undefined && twilioAccountSid !== undefined && accountSid === twilioAccountSid) {
    const AccessToken = Twilio.jwt.AccessToken;
    const token = new AccessToken(
      twilioAccountSid,
      twilioApiKey,
      twilioApiSecret,
      {identity: identity}
    );
    const VoiceGrant = AccessToken.VoiceGrant;
    const voiceGrant = new VoiceGrant({
      outgoingApplicationSid: context.TWIML_APP_SID,
      incomingAllow: false
    });
    token.addGrant(voiceGrant);
    let headers = {
      "Access-Control-Allow-Origin": "*",
      "Access-Control-Allow-Methods": "GET",
      "Content-Type": "application/json"
    };
    response.setHeaders(headers);
    response.setBody({
      'token': token.toJwt()
    });
    response.setStatusCode(200);
  } else {
    response.setBody({
      'mensaje': 'Unauthorized',
      'codigo': 403
    });
    response.setStatusCode(403);
  }
  callback(null, response);
};
```
Twilio developer evangelist here.
I would not recommend exposing your secretKey on the client side.
If you want to restrict access to that endpoint, I would start by limiting the origins that can access it. Right now you are using the `*` operator to allow requests from all origins.
```javascript
let headers = {
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Methods": "GET",
  "Content-Type": "application/json"
};
```
Update the Access-Control-Allow-Origin header to restrict it to your domain:
```
Access-Control-Allow-Origin: https://example.com
```
You could also protect the endpoint with a different secret, rather than one of the secrets from your Twilio account or API key.
```javascript
exports.handler = function(context, event, callback) {
  let response = new Twilio.Response();
  const identity = event.identity;
  // A secret dedicated to this endpoint, sent by the client
  const secret = event.secret;
  // Twilio credentials stay in the Function's environment variables
  const twilioAccountSid = context.ACCOUNT_SID;
  const twilioApiKey = context.API_KEY;
  const twilioApiSecret = context.API_SECRET;
  // The endpoint's own secret, also an environment variable
  const customSecret = context.CUSTOM_SECRET;
  if (identity !== undefined && twilioApiKey !== undefined
      && twilioApiSecret !== undefined && twilioAccountSid !== undefined
      && secret !== undefined && customSecret !== undefined && secret === customSecret) {
    // We're all good, create the token
  } else {
    // Unauthorised
  }
  callback(null, response);
};
```
Also, do note that when you make requests to a Twilio Function, they have HTTPS enabled by default and you should make your request using HTTPS. That way your parameters are encrypted over the wire.