sfreiberg / gotwilio

According to this code, only POST requests are supported. However, Twilio accesses fax media files using a GET request. As far as I can see and have roughly tested, simply allowing the function to continue even if its a GET request correctly validates the signature.

gotwilio/util.go

Lines 62 to 69 in 06f83df

    
           func (twilio *Twilio) CheckRequestSignature(r *http.Request, baseURL string) (bool, error) { 
        
           	if r.Method != "POST" { 
        
           		return false, errors.New("Checking signatures on non-POST requests is not implemented") 
        
           	} 
        
           	if err := r.ParseForm(); err != nil { 
        
           		return false, err 
        
           	}

Browsing the Twilio documentation, it says that appending the full raw query to the URL is sufficient. Likewise, r.URL.String() includes the entire raw query. Any POST parameters are appended to that. If we call ParseForm on a GET request, the request Body is not read, and r.PostForm is initialized to a non-nil, empty value. So GenerateSignature still functions as it should.

	func (twilio Twilio) CheckRequestSignature(r http.Request, baseURL string) (bool, error) {
	if r.Method != "POST" {
	return false, errors.New("Checking signatures on non-POST requests is not implemented")
	}

	if err := r.ParseForm(); err != nil {
	return false, err
	}

Supporting GET request signature validation