genebean
commented
4 years ago I am really appreciative you brought this to my attention - in my rush to get this built I never considered that. I am looking into it now though.
Open alexellis opened 4 years ago
genebean
commented
4 years ago I am really appreciative you brought this to my attention - in my rush to get this built I never considered that. I am looking into it now though.
What if someone discovers the URL and starts sending you messages? I would think Twilio has the same available, but I haven't looked in depth. You want to know that the message is from Twilio and not Malory.
With GitHub and Slack incoming webhooks there's a way to verify the digest of the message using a shared key.
On this line, if I can discover your public endpoint, then I can send messages to your Slack
https://github.com/genebean/fbc-slackbot/blob/691adff1c69df038fc8cea26f2bfa528cee58789/functions/fbc-slackbot-python/handler.py#L64
See "Validating Signatures from Twilio"