Verifying Twilio Authy callbacks
For new development, we encourage you to use the Verify API instead of the Authy API. The Verify API is an evolution of the Authy API with continued support for SMS, voice, and email one-time passcodes, an improved developer experience and new features including:
- Twilio helper libraries in JavaScript, Java, C#, Python, Ruby, and PHP
- Access via the Twilio CLI
- Improved Visibility and Insights
- Push authentication SDK embeddable in your own application
You are currently viewing the Authy API. The Authy API will continue to be maintained, but any new features and development will be on the Verify API. Check out the FAQ for more information and the Verify API Reference to get started.
When using Webhooks with push authentications, Twilio will send a callback to your application's exposed URL when a user interacts with your ApprovalRequest. While testing, you can accept all incoming webhooks, but in production you must verify the authenticity of incoming requests.
Twilio sends an HTTP header, X-Authy-Signature, with every outgoing request to your application. X-Authy-Signature is an HMAC-SHA256 signature, keyed with your Application API Key (from Authy in the Twilio Console), computed over the request's nonce, HTTP method, URL and the sorted parameters of the message body sent from Twilio.
You can find complete code snippets here on Github.
Checking the authenticity of the X-Authy-Signature HTTP header is a six-step process.
- Create a string using the Webhook URL without any parameters
- Flatten the received JSON body, sort the resulting list in case-sensitive order, and convert it to URL (query-string) format
- Grab the nonce from the X-Authy-Signature-Nonce HTTP header
- Join the nonce, the HTTP method ("POST"), the URL and the sorted parameters with a pipe ("|")
- Hash the resulting string with HMAC-SHA256, using the Application API Key as the key
- Base64-encode the digest (using the method described in RFC 4648, without newline characters)
To give an overview of the whole process, the full sequence of steps is summarized below.
Once you have encoded the digest, compare the resulting string with the X-Authy-Signature HTTP header. Use a constant-time comparison (for example hmac.compare_digest in Python, or your framework's equivalent) rather than plain string equality, so that response timing does not leak how many leading bytes of the expected signature an attacker has guessed. If they match, the incoming request is from Twilio. If there is a mismatch, or the header is missing, reject the request as fraudulent.
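The six steps and the final comparison, carried through in Python as an added example (this is not Twilio's Github snippet). It assumes the nonce arrives in the X-Authy-Signature-Nonce header, renders nested body fields with bracketed keys (approval_request[uuid]) and percent-encodes keys and values; the API key, callback URL and payload are constructed placeholders. Confirm the flattening and escaping conventions against Twilio's reference snippets before deploying, since any difference there yields a different string to sign and every genuine callback would then be rejected.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import quote

# Constructed placeholders for the demo: a fake Application API Key and the
# webhook URL the signature is computed over (step 1: no query parameters).
API_KEY = "constructed-application-api-key-not-real"
CALLBACK_URL = "https://example.com/authy/callback"


def flatten_params(value, prefix=""):
    """Flatten a decoded JSON body into a list of (key, value) string pairs.

    Nested objects and arrays are rendered with bracketed keys
    (approval_request[uuid], ip_list[0]); booleans become "true"/"false"
    and null becomes an empty string. These rendering conventions are
    assumptions about how Twilio flattens the body and must be checked
    against Twilio's reference snippets before relying on them.
    """
    if isinstance(value, dict):
        pairs = []
        for key, item in value.items():
            pairs.extend(flatten_params(item, f"{prefix}[{key}]" if prefix else str(key)))
        return pairs
    if isinstance(value, list):
        pairs = []
        for index, item in enumerate(value):
            pairs.extend(flatten_params(item, f"{prefix}[{index}]"))
        return pairs
    if isinstance(value, bool):
        return [(prefix, "true" if value else "false")]
    if value is None:
        return [(prefix, "")]
    return [(prefix, str(value))]


def sorted_query_string(body):
    """Step 2: flatten, sort case-sensitively (code-point order), URL-encode."""
    pairs = sorted(flatten_params(body))
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in pairs)


def string_to_sign(nonce, method, url, body):
    """Steps 1-4: join nonce, HTTP method, URL and sorted params with '|'."""
    return "|".join([nonce, method.upper(), url, sorted_query_string(body)])


def compute_signature(api_key, nonce, method, url, body):
    """Steps 5-6: HMAC-SHA256 keyed with the Application API Key, then
    Base64 per RFC 4648 without a trailing newline."""
    mac = hmac.new(api_key.encode("utf-8"),
                   string_to_sign(nonce, method, url, body).encode("utf-8"),
                   hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify_callback(api_key, headers, method, url, raw_body):
    """Return True only if X-Authy-Signature matches the recomputed value.

    headers: mapping of HTTP header names to values (matched case-insensitively).
    raw_body: the JSON request body exactly as received (bytes or str).
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    signature = lowered.get("x-authy-signature")
    nonce = lowered.get("x-authy-signature-nonce")
    if not signature or not nonce:
        return False  # unsigned request: reject rather than fall through
    try:
        body = json.loads(raw_body)
    except ValueError:
        return False  # not the JSON body Twilio would have signed
    expected = compute_signature(api_key, nonce, method, url, body)
    # Constant-time comparison so timing does not leak the expected value.
    return hmac.compare_digest(expected.encode("ascii"), signature.encode("utf-8"))


def demo():
    """Sign a constructed ApprovalRequest-style payload, then verify it and
    a tampered copy. Field names are illustrative, not a Twilio schema."""
    body = {
        "approval_request": {"uuid": "00000000-0000-4000-8000-000000000000",
                             "status": "approved"},
        "authy_id": 12345,
        "signed": True,
    }
    raw_body = json.dumps(body)
    nonce = "1694000000"  # constructed; Twilio supplies it in X-Authy-Signature-Nonce
    headers = {
        "X-Authy-Signature-Nonce": nonce,
        "X-Authy-Signature": compute_signature(API_KEY, nonce, "POST", CALLBACK_URL, body),
    }
    genuine = verify_callback(API_KEY, headers, "POST", CALLBACK_URL, raw_body)
    tampered_body = raw_body.replace('"approved"', '"denied"')
    tampered = verify_callback(API_KEY, headers, "POST", CALLBACK_URL, tampered_body)
    return genuine, tampered


if __name__ == "__main__":
    print(demo())
```

Feed verify_callback the raw request body and the request headers from your web framework, with the URL you registered for the webhook (without any query string); a flipped status in the body, a different nonce, or a missing header all make it return False.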