mingchaoma / Auth0-Passwordless-Login-with-Twilio-Verify


Verification SID is not received by Auth0's Webhook #1

Open Noitham opened 3 months ago

Noitham commented 3 months ago

Hello @mingchaoma,

First of all, thanks a lot for the guide on how to integrate Twilio's Verify service with Auth0's SMS passwordless login :+1:

I've been going through the setup and have reached the step "Call Verify Feedback API and enable Twilio Verify Fraud Guard", where we have to update the status of the verification so that we can benefit from the "Fraud Guard" feature.

I've set up the Webhook on Auth0 and received the "Token Exchange - Success" event on a Twilio function. The issue is, in order to mark the verification as "verified" a verification SID is needed, but that's not part of the event data.

Token Exchange - Success - event.data - received by Twilio /webhook/incoming function

{ 
  date: '2024-03-20T15:32:23.623Z', 
  type: 'seacft', 
  description: '', 
  connection_id: '', 
  client_id: 'w9VXXXX', 
  client_name: 'All Applications', 
  ip: 'XX.XXX.XXX.XX', 
  user_agent: 'Node-oauth', 
  details: { code: '******************************************zr2' }, 
  hostname: 'XXXXX.eu.auth0.com', 
  user_id: 'sms|XXXXXXXXXXXXXXXX', 
  user_name: '+XXXXXXXXXX', 
  '$event_schema': { version: '1.0.0' }, 
  log_id: 'XXXXXXXXX' 
}

I was wondering what's the right way to update the verification status using the webhook. Did I miss some steps?

Thanks

sdacunha commented 2 months ago

Hi @mingchaoma ,

Also having the above issue. Unsure how to pass the verification SID to the feedback endpoint, any help would be greatly appreciated!

EDIT: Ended up using the phone number that is passed in user_name to send the event.

Noitham commented 2 months ago

@sdacunha, if you're using the phone number (user_name), are you logging in to your Auth0 management on the Twilio function? I didn't think that'd be a great idea.

mingchaoma commented 2 months ago

Thanks everyone for your feedback. There are two ways of calling the feedback API. @Noitham, as the user_name is the phone number, you can use the phone number to call the feedback API. Details below. I will also add it to the readme.

Also, why do you think it wasn't a good idea to call the Auth0 Management API in a Twilio Function? The Twilio Function acts as your backend service. Of course, if you do not trust the cloud environment or your company security policy disallows it, you can always host the code within your own infrastructure.

Use phone number in e164 format:

curl -X POST "https://verify.twilio.com/v2/Services/VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/Verifications/+4478xxx" \
  --data-urlencode "Status=approved" \
  -u "$TWILIO_ACCOUNT_SID:$TWILIO_AUTH_TOKEN"

or use Verification Sid:

curl -X POST "https://verify.twilio.com/v2/Services/VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/Verifications/VEXXX..." \
  --data-urlencode "Status=approved" \
  -u "$TWILIO_ACCOUNT_SID:$TWILIO_AUTH_TOKEN"
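
The phone-number approach from this thread, sketched as an added example (not code from this repository): it turns the Auth0 event data shown above into the Verify feedback request and skips any event that is not an SMS passwordless Token Exchange success. The function names, config fields and sample values are assumptions made for illustration.

```javascript
// Added example: buildFeedbackRequest, sendFeedback and the cfg fields are hypothetical names.
const E164 = /^\+[1-9]\d{1,14}$/;          // "+" followed by 2 to 15 digits, no leading 0
const SERVICE_SID = /^VA[0-9a-fA-F]{32}$/; // shape of a Verify service SID

// Returns a description of the Verify feedback request, or null when the
// Auth0 event must not be turned into an "approved" status update.
function buildFeedbackRequest(data, cfg) {
  if (!data || data.type !== 'seacft') return null; // only Token Exchange - Success
  if (typeof data.user_id !== 'string' || !data.user_id.startsWith('sms|')) return null;
  if (typeof data.user_name !== 'string' || !E164.test(data.user_name)) return null;
  if (!SERVICE_SID.test(cfg.serviceSid)) throw new Error('bad Verify service SID');

  // After the strict E.164 check only "+" and digits reach the URL path,
  // so event data cannot introduce "/", "?" or "#" into the request target.
  const url = `https://verify.twilio.com/v2/Services/${cfg.serviceSid}/Verifications/${data.user_name}`;
  const basic = Buffer.from(`${cfg.accountSid}:${cfg.authToken}`).toString('base64');
  return {
    url,
    method: 'POST',
    headers: {
      Authorization: `Basic ${basic}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: new URLSearchParams({ Status: 'approved' }).toString(),
  };
}

// Sends the request; fetch is a global in Node 18 and later.
async function sendFeedback(data, cfg) {
  const req = buildFeedbackRequest(data, cfg);
  if (req === null) return { sent: false };
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  return { sent: true, status: res.status };
}

// Constructed sample inputs, shaped like the event.data shown in the issue.
const SAMPLE_OK = { type: 'seacft', user_id: 'sms|0000000000000000', user_name: '+15005550006' };
const SAMPLE_BAD = { type: 'seacft', user_id: 'sms|0000000000000000', user_name: '+1500555/0006' };
const SAMPLE_CFG = { serviceSid: 'VA' + '0'.repeat(32), accountSid: 'ACconstructed', authToken: 'constructed-token' };
```

In a real handler the account SID and auth token would come from the function's environment rather than from literals.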