Sandbox API is deprecated

[terribleplan]

According to conversations I've had with twilio/authy the sandbox API is deprecated.

Due to this I implemented a mocked authy server for testing purposes, but I was unable to use this library without nasty workarounds due to the (in my opinion) overly strict validation of the hosts being used.

At the very least you should note that the sandbox is deprecated, or prevent people from using it outright, and I would greatly appreciate it if you allowed for other endpoints than the official one.

I could whip up a PR for this if you tell me which route is preferable, but it seems like it would be a simple fix either way.

[ruimarinho]

Tough choice. The validation avoids typos and other similar errors when configuring the client. It won't be that much different than connecting to a non-existing server, but it's one less request with a specific error and a non-cryptic message.

I guess we could be looking at two PRs - one that adds the note on the README and another one removing the choice assertion. I'll merge the first when you're ready and give the second one another thought.

[ruimarinho]

@josh-authy can you provide some insight here?

[ruimarinho]

No additional feedback from Authy. @terribleplan closing until we have official word from Authy on this.

[josh-authy]

Sorry, just saw this. There is no longer a sandbox.

Our suggestion is to create multiple Authy accounts (YOURAPP-DEV & YOURAPP) and to use the associated API keys in each respective location. You can also leverage sub-accounts via the Twilio console if you want to really segregate users and apps. @ruimarinho @terribleplan

[ruimarinho]

@josh-authy the current sandbox API continues to reply successfully just as it used to though. Is there any active deprecation plan?

[josh-authy]

We have some customers who use it as part of an old build cycle so no active deprecation plans AFAIK TO

We discourage it's use as it provides no real value IMO.

On Feb 12, 2018 4:32 PM, "Rui Marinho" notifications@github.com wrote:

@josh-authy https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_josh-2Dauthy&d=DwMCaQ&c=x_Y1Lz9GyeGp2OvBCa_eow&r=nqeJYLUM9sPJTa8h7an_b2bqS6OBTKo7dJnufzNm2bw&m=P0Ut-SQ1InmZFf8qioP4g0-A3XESb2Mya2XSS6aJEDk&s=pvnWHUPtbUjVAy7M98ec9p2GWzkUWUmdQB80FwEu_6A&e= the current sandbox API continues to reply successfully just as it used to though. Is there any active deprecation plan?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_ruimarinho_authy-2Dclient_issues_34-23issuecomment-2D365110693&d=DwMCaQ&c=x_Y1Lz9GyeGp2OvBCa_eow&r=nqeJYLUM9sPJTa8h7an_b2bqS6OBTKo7dJnufzNm2bw&m=P0Ut-SQ1InmZFf8qioP4g0-A3XESb2Mya2XSS6aJEDk&s=CTQtmPKgbxBM0bVc7dO4GXGS8fPDO5ZuTMY_GugYpAY&e=, or mute the thread https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_notifications_unsubscribe-2Dauth_ASf7aDqpQogPFKX1qsI7evcvyJzR1x-2DEks5tUNgIgaJpZM4L8dVl&d=DwMCaQ&c=x_Y1Lz9GyeGp2OvBCa_eow&r=nqeJYLUM9sPJTa8h7an_b2bqS6OBTKo7dJnufzNm2bw&m=P0Ut-SQ1InmZFf8qioP4g0-A3XESb2Mya2XSS6aJEDk&s=wt_w2UcyVOaBkeLs0Zgf-CH1hhMhVw7Ro5UeB2XccUI&e= .

[ruimarinho]

Ok thanks, added a PR to lift that restriction up.

[RickyMarou]

@josh-authy it provides some real value for people that want to run tests on CI

[challamzinniagroup]

Dirtying up your production account with test data. Spinning an entire second account to use as a pseudo-sandbox to keep your production data clean.

These are the options we're being offered, and you say "sandbox offers no value"...? wow...

[josh-authy]

Have you actually gone through this process? When you do, you'll notice it takes only a few seconds to create an additional Verify or Authy app. We'd suggest naming them appropriately. YOUR_APP, YOUR_APP QA, YOUR_APP DEV. You'll have a unique API key for each allowing you to bin data separately.

No, you don't spin up a second account. No, you do not dirty your production account with test data.

You can also create a sub-account or even a Project if you'd like to segment your data and traffic even further.

[challamzinniagroup]

Yes, I have gone through the process. I don't make it a habit to comment publicly on topics I know nothing about. Twilio SMS/Voice APIs all provide LIVE/TEST creds. Authy seems to consider their own "no benefit from" opinion of sandbox - not their customers. It's not that big of a deal to run separate Authy apps - it just feels wrong. Like something a junior dev does before they realize 99% of all APIs out there actually offer sandbox functionality.

Edit to add: And your primary point is a matter of semantics. You're technically correct it isn't a separate account, it's a separate Authy app within the Twilio account. Tomato/tomatoe imho...

[josh-authy]

How do you think a sandbox would work with Authy?

We have an example testing framework you can use for CI found here: https://github.com/AuthySE/authy-testing-sample

[challamzinniagroup]

In the scope of work I've just come off, I used:

• Twilio API for SMS send only
• Authy API to create User records
• Authy API to fetch User status
• Authy API to gen User QR codes to link Authy user record with Authenticator app
• Authy API to validate TOTP

While I can certainly spin dual Authy apps within the Twilio account to accomplish dev/testing of the Authy API calls mentioned, this is far less than ideal for a few reasons:

• It is very common to trickle down and sanitize Dbs from Prod->Staging->Dev->Local. In a dual Authy app scenario; this breaks the Authy Ids between any environments that are configured to hit different Authy apps.
• The lower the environment, the higher quantity of "ancillary user accounts" that get created. By this I mean Prod will have only real accounts. Staging will have real plus some dev/testing accounts, and dev/local environments will have a high number of test, dummy, and garbage accounts. I hope I don't need to explain how or why it is bad to have all these accounts cluttering up the primary, prod Authy app User records. Which would happen with a single Authy app.

What I ended up having to do was a dual Authy app scenario; and add code, which lives on in the code base, to check every user AuthyId and against that environment's Authy app and re-fetch if it doesn't match.

If I could have simply plugged in a sandbox Url, or token, then all Authy user records could share an AuthyId between environments and yet remain segregated between prod and sandbox. It's rather unfortunate that I have to explain this; this is production-system 101 imo.