From cd6a9436a983f15c71611ad00c55277a7b642af9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lorens=20Le=C3=B3n?=
Date: Mon, 20 Jan 2025 11:15:54 +0100
Subject: [PATCH] chore: appply PR suggestions

---
 src/webhooks/webhooks.ts | 67 ++++++++++++++++++++++++----------------
 1 file changed, 41 insertions(+), 26 deletions(-)

diff --git a/src/webhooks/webhooks.ts b/src/webhooks/webhooks.ts
index 2e93564e3..869e8ca52 100644
--- a/src/webhooks/webhooks.ts
+++ b/src/webhooks/webhooks.ts
@@ -200,32 +200,47 @@ export function validateRequest(
 * and with and without the legacy querystring (special chars are encoded when using `new URL()`)
 * since signature generation on the back end is inconsistent
 */
- return (
- validateSignatureWithUrl(
- authToken,
- twilioHeader,
- removePort(urlObject),
- params
- ) ||
- validateSignatureWithUrl(
- authToken,
- twilioHeader,
- addPort(urlObject),
- params
- ) ||
- validateSignatureWithUrl(
- authToken,
- twilioHeader,
- withLegacyQuerystring(removePort(urlObject)),
- params
- ) ||
- validateSignatureWithUrl(
- authToken,
- twilioHeader,
- withLegacyQuerystring(addPort(urlObject)),
- params
- )
+ const isValidSignatureWithoutPort = validateSignatureWithUrl(
+ authToken,
+ twilioHeader,
+ removePort(urlObject),
+ params
 );
+
+ if (isValidSignatureWithoutPort) {
+ return true;
+ }
+
+ const isValidSignatureWithPort = validateSignatureWithUrl(
+ authToken,
+ twilioHeader,
+ addPort(urlObject),
+ params
+ );
+
+ if (isValidSignatureWithPort) {
+ return true;
+ }
+
+ const isValidSignatureWithLegacyQuerystringWithoutPort = validateSignatureWithUrl(
+ authToken,
+ twilioHeader,
+ withLegacyQuerystring(removePort(urlObject)),
+ params
+ );
+
+ if (isValidSignatureWithLegacyQuerystringWithoutPort) {
+ return true;
+ }
+
+ const isValidSignatureWithLegacyQuerystringWithPort = validateSignatureWithUrl(
+ authToken,
+ twilioHeader,
+ withLegacyQuerystring(addPort(urlObject)),
+ params
+ );
+
+ return isValidSignatureWithLegacyQuerystringWithPort;
 }
 
 function validateSignatureWithUrl(
@@ -233,7 +248,7 @@ function validateSignatureWithUrl(
 twilioHeader: string,
 url: string,
 params: Record
-) {
+): boolean {
 const signatureWithoutPort = getExpectedTwilioSignature(
 authToken,
 url,
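Review bot: The four stanzas at the end of validateRequest repeat the same `authToken, twilioHeader, …, params` call with only the URL changing, and the last result is stored in `isValidSignatureWithLegacyQuerystringWithPort` only to be returned on the next line. In a signature check, the set of URL forms that are accepted is what an auditor needs to see at a glance, so I would list the candidate URLs once and test them in order. `some` stops at the first match, so no more signatures are computed than in the ladder; the four URL strings are built up front, which assumes `removePort`, `addPort` and `withLegacyQuerystring` have no side effects (they are defined outside the hunk). The body of validateRequest starts outside the hunk.

```typescript
// … unchanged: comment explaining why several URL forms are tried …
const candidateUrls = [
  removePort(urlObject),
  addPort(urlObject),
  withLegacyQuerystring(removePort(urlObject)),
  withLegacyQuerystring(addPort(urlObject)),
];

// Accept the request if the header matches the signature of any one form.
return candidateUrls.some((url) =>
  validateSignatureWithUrl(authToken, twilioHeader, url, params)
);
```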
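Review bot: The local `signatureWithoutPort` in validateSignatureWithUrl no longer describes its value, because the function is called with URLs both with and without a port and with the legacy querystring, so the name misleads anyone auditing the comparison. I would rename it, `const expectedSignature = getExpectedTwilioSignature(`, and update its uses in the rest of the body, which continues outside the hunk. The comparison against `twilioHeader` is not visible here; if it is not already a constant-time compare, it should be.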