Securing Twilio Fax mediaUrl


I am using the Twilio Programmable Fax API to send fax messages from my application. I am not facing any issue sending faxes when I provide a public URL without any authentication as the mediaUrl. But when I pass a URL secured with basic authentication as the mediaUrl for the send fax API, sending the fax fails.

"status": "failed",

I have debugged the code on the server that the mediaUrl points to, and found that Twilio is not sending a request with an "Authorization" header at all.

As per Twilio documentation,

You may provide a username and password via the following URL format.

https://username:password@www.myserver.com/my_secure_document

Twilio will authenticate to your web server using the provided username and password and will remain logged in for the duration of the call. We highly recommend that you use HTTP Authentication in conjunction with encryption. For more information on Basic and Digest Authentication, refer to your web server documentation.

If you specify a password-protected URL, Twilio will first send a request with no Authorization header. After your server responds with a 401 Unauthorized status code, a WWW-Authenticate header and a realm in the response, Twilio will make the same request with an Authorization header.

I am giving the mediaUrl in the same format as required by Twilio, but the fax response comes back as failed. Kindly provide your valuable suggestions to help me resolve the issue.

My server sends the 401 response given below when Twilio accesses the mediaUrl without an Authorization header:

HTTP response headers for 401

    Status Code: 401 Unauthorized
    Content-Length: 34
    Content-Type: application/xml
    Date: Wed, 30 Aug 2017 12:38:41 GMT
    Server: Apache-Coyote/1.1
    WWW-Authenticate: Basic realm="My Realm"

Response body

<message>Invalid credentials</message>
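
The challenge/response exchange that the quoted documentation describes, shown from both sides as an added example (not code from the question, the answers, or Twilio). The function names `serve_media` and `fetch_media`, the `faxuser` account and the host `media.example.test` are assumptions made for illustration; the realm and the 401 body are the ones shown in the question.

```python
import base64
import hmac
from urllib.parse import unquote, urlsplit

# Constructed sample values (assumptions): one account and the realm from the question.
USERS = {"faxuser": "s3cret-example"}
CHALLENGE = {"WWW-Authenticate": 'Basic realm="My Realm"'}
DENIED = (401, CHALLENGE, b"<message>Invalid credentials</message>")


def serve_media(headers):
    """Server side: return (status, response_headers, body) for one request."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return DENIED  # no credentials yet: answer with the challenge
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return DENIED
    user, _, password = decoded.partition(":")
    expected = USERS.get(user, "")
    # Constant-time comparison; the membership test rejects unknown users
    # whose empty expected password would otherwise match an empty input.
    if user in USERS and hmac.compare_digest(password.encode(), expected.encode()):
        return 200, {"Content-Type": "application/pdf"}, b"%PDF constructed sample"
    return DENIED


def fetch_media(media_url, server=serve_media):
    """Client side: documented two-step fetch. Returns (final_status, statuses)."""
    parts = urlsplit(media_url)
    status, resp_headers, _ = server({})  # first request carries no Authorization
    statuses = [status]
    challenge = resp_headers.get("WWW-Authenticate", "")
    if status == 401 and challenge.lower().startswith("basic") and parts.username:
        # Userinfo in a URL is percent-encoded; decode before building the header.
        raw = f"{unquote(parts.username)}:{unquote(parts.password or '')}"
        token = base64.b64encode(raw.encode("utf-8")).decode("ascii")
        status, _, _ = server({"Authorization": f"Basic {token}"})
        statuses.append(status)
    return status, statuses


if __name__ == "__main__":
    print(fetch_media("https://faxuser:s3cret-example@media.example.test/doc.pdf"))
```

A server log that shows only the first, header-less request and never the retry matches the symptom described in the question.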

There are 2 answers

3
philnash (BEST ANSWER)

Update

Good news! Media URLs in Twilio Programmable Fax now support basic authentication. This has been implemented and deployed, so this should no longer be an issue.

Original answer

Twilio developer evangelist here.

After some internal investigation I've found out that this is a known issue.

It was in fact raised by your support ticket that you sent in. Good news is that since this is known it will be getting some attention and the team will contact you once it is sorted.

0
Tianhui Li

To answer this question differently, I'm just using Signed URLs on Google Cloud, which provide a long token that grants temporary access for a specific file. You can set this to grant access for 10 minutes, which should be more than enough time.

AWS appears to offer a similar solution.