The existing hashing implementation for Twilio secrets is problematic because bcrypt only uses the first 72 bytes of a string to generate the resultant hash. This resulted in a bug in the Postman application where different sets of Twilio secrets produced the exact same hash, causing the secrets to be overwritten due to hash collisions.
Approach
After the initial hash is generated from the user-submitted Twilio secrets, the hash is never subsequently used again to verify the authenticity of the credentials. The hash is only used to identify and fetch the particular set of credentials from AWS Secrets Manager.
Since the hash is only used for identification of the secrets, we can circumvent the hash collision problem by generating a uuid for the Twilio secrets instead.
Bug Fixes:
backend/src/sms/middlewares/sms.middleware.ts: credentialName is now generated via uuid instead of bcrypt
Tests
No new test were written for this change. Manual testing was performed in staging to verify the changes and old tests were updated.
Context
The existing hashing implementation for Twilio secrets is problematic because
bcryptonly uses the first 72 bytes of a string to generate the resultant hash. This resulted in a bug in the Postman application where different sets of Twilio secrets produced the exact same hash, causing the secrets to be overwritten due to hash collisions.Approach
After the initial hash is generated from the user-submitted Twilio secrets, the hash is never subsequently used again to verify the authenticity of the credentials. The hash is only used to identify and fetch the particular set of credentials from AWS Secrets Manager.
Since the hash is only used for identification of the secrets, we can circumvent the hash collision problem by generating a
uuidfor the Twilio secrets instead.Bug Fixes:
backend/src/sms/middlewares/sms.middleware.ts:credentialNameis now generated viauuidinstead ofbcryptTests
No new test were written for this change. Manual testing was performed in staging to verify the changes and old tests were updated.
Test updated:
backend/src/sms/routes/tests/sms-campaign.routes.test.tsbackend/src/sms/routes/tests/sms-settings.routes.test.ts