twilio / voice-quickstart-android

Quickstart app for the Voice Android SDK
https://www.twilio.com/docs/api/voice-sdk/android/getting-started
MIT License

"To" vs "to" in request params #448

Closed rahulserver closed 3 years ago

rahulserver commented 3 years ago

When I make a call using the app, I see that we are setting (in VoiceActivity.java)

params.put("to", contact.getText().toString());

And this leads to the following request being sent to the backend Twilio function: [image]

So what is the difference between this "to" and "To" in the above?

I searched through the docs but couldn't find anywhere the two params are differentiated. I am asking this question because I am using a plugin (which is supposed to be a wrapper over the quickstart) that sets the "To" field instead of the "to" field. And that's not working. It would help if it's clarified what params to use when.

kbagchiGWC commented 3 years ago

To & to both are parameters sent to your application AP0c898093225aa190e16a7e3d21a6527d via the values added here.

For example:

params.put("to", contact.getText().toString());
params.put("To", "");

I see the TwiML returned by your app AP0c898093225aa190e16a7e3d21a6527d for callsid CA7934525cc77f322b6d9e1ffebd47fbae is as follows:

<?xml version="1.0" encoding="UTF-8"?>
<Response>
  <Dial callerId="client:alice">
    <Client>alice</Client>
  </Dial>
</Response>

If you are using a plugin that sets the key name as To, in your application you should read the value for this key instead of to. i.e. https://github.com/twilio/voice-quickstart-android/blob/master/Server/functions/make-call.js#L7 should be updated to var to = event.To;

rahulserver commented 3 years ago

Hey thanks! That really works. Another question if you don't mind @kbagchiGWC: What is a typical access token generation flow like for mobile apps? I am currently working on an Ionic app and currently we have to call the /access-token endpoint to get the token. Shouldn't we use the Twilio SDK (twilio npm module) and generate the token in the Ionic app itself?

Because the /access-token endpoint is public and anyone could call it to use our app. Do I need to protect this endpoint myself? Or can I do it in apps using the twilio npm module (thereby sending the ACCOUNT_SID and AUTH_TOKEN in the app itself)?

kbagchiGWC commented 3 years ago

@rahulserver

We are not security experts to guide on securing sensitive data. In my opinion, packaging sensitive data in the mobile app is not a good idea. You can explore an authentication mechanism i.e. password protected, to secure your server and programmatically fetch the token.
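
One way to protect the /access-token endpoint discussed above, as an added example that is not part of the original thread or the quickstart's own code: the handler mints a token only for a caller who presents a session the backend issued at login, so ACCOUNT_SID and AUTH_TOKEN never leave the server. The session format, `SESSION_SECRET`, and `mintVoiceToken` (a stand-in for the server-side Twilio helper-library call) are assumptions.

```javascript
// Added example: gate an /access-token style handler behind the app's own login.
// Assumptions (not from the thread): SESSION_SECRET, the session format
// "<userId>.<expiryEpochSeconds>.<hexHmac>" (user ids contain no '.'), and
// mintVoiceToken(), a stand-in for the server-side call that builds the Voice token.
const crypto = require('crypto');

const SESSION_SECRET = 'constructed-demo-secret'; // constructed; load from server config

function sign(userId, expires) {
  return crypto.createHmac('sha256', SESSION_SECRET)
    .update(`${userId}.${expires}`).digest('hex');
}

// Issued by the backend after the user logs in (password, SSO, ...).
function issueSession(userId, ttlSeconds, now = Date.now()) {
  const expires = Math.floor(now / 1000) + ttlSeconds;
  return `${userId}.${expires}.${sign(userId, expires)}`;
}

// Returns the authenticated user id, or null if the session is forged or expired.
function verifySession(session, now = Date.now()) {
  const parts = String(session || '').split('.');
  if (parts.length !== 3) return null;
  const [userId, expires, mac] = parts;
  const expected = Buffer.from(sign(userId, expires), 'hex');
  const given = Buffer.from(mac, 'hex');
  if (given.length !== expected.length) return null;      // malformed or truncated MAC
  if (!crypto.timingSafeEqual(given, expected)) return null; // constant-time compare
  if (!/^\d+$/.test(expires) || Number(expires) * 1000 <= now) return null;
  return userId;
}

function accessTokenHandler(request, mintVoiceToken) {
  const header = (request.headers && request.headers.authorization) || '';
  const userId = header.startsWith('Bearer ') ? verifySession(header.slice(7)) : null;
  if (!userId) return { status: 401, body: 'unauthorized' };
  // Identity comes from the verified session, never from a caller-supplied parameter.
  return { status: 200, body: mintVoiceToken(userId) };
}
```
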

rahulserver commented 3 years ago

OK, that's fine. Thank you for the answer. I will close the ticket now.