Skip to contentSkip to navigationSkip to topbar
Rate this Page:

Protect your Function with JSON Web Token


(warning)

Warning

This example uses headers and cookies, which are only accessible when your Function is running @twilio/runtime-handler version 1.2.0 or later. Consult the Runtime Handler guide to learn more about the latest version and how to update.

When protecting your public Functions and any sensitive data that they can expose, from unwanted requests and bad actors, it is important to consider some form of authentication(link takes you to an external page) to validate that only intended users are making requests. In this example, we'll be covering one of the most common forms of authentication: Bearer Authentication(link takes you to an external page) using JSON Web Token (JWT)(link takes you to an external page).

If you want to learn an alternative approach, you can also see this example of using Basic Auth.

Let's create a Function that will only accept requests with valid JWTs, and reject all other traffic.


Create and host a Function

create-and-host-a-function page anchor

In order to run any of the following examples, you will first need to create a Function into which you can paste the example code. You can create a Function using the Twilio Console or the Serverless Toolkit as explained below:

ConsoleServerless Toolkit

If you prefer a UI-driven approach, creating and deploying a Function can be done entirely using the Twilio Console and the following steps:

  1. Log in to the Twilio Console and navigate to the Functions tab(link takes you to an external page) . If you need an account, you can sign up for a free Twilio account here(link takes you to an external page) !
  2. Functions are contained within Services . Create a Service by clicking the Create Service(link takes you to an external page) button and providing a name such as test-function .
  3. Once you've been redirected to the new Service, click the Add + button and select Add Function from the dropdown.
  4. This will create a new Protected Function for you with the option to rename it. The name of the file will be path it is accessed from.
  5. Copy any one of the example code snippets from this page that you want to experiment with, and paste the code into your newly created Function. You can quickly switch examples by using the dropdown menu of the code rail.
  6. Click Save to save your Function's contents.
  7. Click Deploy All to build and deploy the Function. After a short delay, your Function will be accessible from: https://<service-name>-<random-characters>-<optional-domain-suffix>.twil.io/<function-path>
    For example: test-function-3548.twil.io/hello-world .

Your Function is now ready to be invoked by HTTP requests, set as the webhook of a Twilio phone number, invoked by a Twilio Studio Run Function Widget, and more!


Configure your Function to require Bearer Authentication

configure-your-function-to-require-bearer-authentication page anchor

First, create a new auth Service and add two Public Functions using the directions above. These will be named:

  • /jwt
  • /bearer

Replace the default contents of each Function with the JWT generation code (Generate a JSON Web Token for Function Authentication) for /jwt, and the JWT validation snippet (Authenticate Function requests using Bearer Authorization and JWT) for /bearer respectively. Save both Functions once they contain the new code.

Generate a JSON Web Token for Function Authentication

generate-a-json-web-token-for-function-authentication page anchor

_48
const jwt = require('jsonwebtoken');
_48
_48
// Hardcoded credentials for this example
_48
const creds = {
_48
username: 'twilio',
_48
password: 'ahoy',
_48
};
_48
// Hardcoded secret for this example. In a real app, you would
_48
// generate this and store it securely as an environment variable
_48
// and access it via context.SECRET or similar
_48
const secret = 'secret_key';
_48
_48
// Function to generate a JWT token
_48
exports.handler = (context, event, callback) => {
_48
// Retrieve the username and password from the request
_48
const { username, password } = event;
_48
// Prepare a new Twilio response
_48
const response = new Twilio.Response();
_48
_48
// If the provided credentials are invalid, return 401 Unauthorized.
_48
// In a real app you would check the credentials against your database.
_48
if (username !== creds.username || password !== creds.password) {
_48
response
_48
.setBody('Username or password is incorrect')
_48
.setStatusCode(401);
_48
_48
return callback(null, response);
_48
}
_48
_48
// Create a new signed JWT for the user that will expire in 1 day.
_48
// To understand more about JWT and what sub, iss, and these
_48
// other options are, see https://jwt.io/
_48
const token = jwt.sign(
_48
{
_48
sub: username,
_48
iss: 'twil.io',
_48
org: 'twilio',
_48
perms: ['read'],
_48
},
_48
secret,
_48
{ expiresIn: '1d' }
_48
);
_48
_48
// Set the token as the access_token header and return the response
_48
response.setBody('OK').appendHeader('access_token', token);
_48
_48
return callback(null, response);
_48
};

Authenticate Function requests using Bearer Authorization and JWT

authenticate-function-requests-using-bearer-authorization-and-jwt page anchor

_58
const jwt = require('jsonwebtoken');
_58
_58
const employeeSalaries = [
_58
{
_58
username: 'jdoe',
_58
salary: '$2000.00',
_58
},
_58
{
_58
username: 'mturner',
_58
salary: '$2500.00',
_58
},
_58
];
_58
const secret = 'secret_key'; // keep this in env variables
_58
_58
// Function that exposes sensitive information and requires
_58
// a valid JWT token to be present in the request header to access.
_58
exports.handler = (context, event, callback) => {
_58
// Grab the auth token from the request header
_58
const authHeader = event.request.headers.authorization;
_58
// Prepare a new Twilio response
_58
const response = new Twilio.Response();
_58
// Reject requests that don't have an Authorization header
_58
if (!authHeader) return callback(null, setUnauthorized(response));
_58
_58
// The auth type and token are separated by a space, split them
_58
const [authType, authToken] = authHeader.split(' ');
_58
// If the auth type is not Bearer, return a 401 Unauthorized response
_58
if (authType.toLowerCase() !== 'bearer')
_58
return callback(null, setUnauthorized(response));
_58
_58
try {
_58
// Verify the token against the secret. If the token is invalid,
_58
// jwt.verify will throw an error and we'll proceed to the catch block
_58
jwt.verify(authToken, secret);
_58
// At this point, the request has been validated and you could do
_58
// whatever you want with the request.
_58
// For this example, we'll just return the employee salaries
_58
return callback(null, employeeSalaries);
_58
} catch (e) {
_58
// If an error was thrown, the token is invalid and we should
_58
// return a 401 Unauthorized response
_58
return callback(null, setUnauthorized(response));
_58
}
_58
};
_58
_58
// Helper method to format the response as a 401 Unauthorized response
_58
// with the appropriate headers and values
_58
const setUnauthorized = (response) => {
_58
response
_58
.setBody('Unauthorized')
_58
.setStatusCode(401)
_58
.appendHeader(
_58
'WWW-Authenticate',
_58
'Bearer realm="Access to read salaries"'
_58
);
_58
_58
return response;
_58
};

(information)

Info

Remember to change the visibility of your new Function to be Public. By default, the Console UI will create new Functions as Protected, which will prevent access to your Function except by Twilio requests.

Next, notice that the code snippets require the jsonwebtoken(link takes you to an external page) dependency. Be sure to add this as a Dependency to your Service.

Once all Functions have been saved and your Dependencies have been set, deploy the Function by clicking on Deploy All in the Console UI.


Verify that Bearer Authentication is working

verify-that-bearer-authentication-is-working page anchor

We can check that authentication is working first by sending an unauthenticated request to our deployed Function. You can get the URL of your Function by clicking the Copy URL button next to the Function.

Then, using your client of choice, make a GET or POST request to your Function. It should return a 401 Unauthorized since the request contains no valid Authorization header.


_10
curl -i -L -X POST 'https://auth-4173-dev.twil.io/bearer'

Result:


_10
$ curl -i -L -X POST 'https://auth-4173-dev.twil.io/bearer' -i
_10
_10
HTTP/2 401
_10
date: Tue, 03 Aug 2021 23:01:55 GMT
_10
content-type: application/octet-stream
_10
content-length: 12
_10
www-authenticate: Bearer realm="Access to read salaries"
_10
x-shenanigans: none
_10
_10
Unauthorized

Great! Requests are successfully being blocked from non-authenticated requests.

To make an authenticated request and get back a 200 OK, we'll need to first generate a valid JWT by calling /jwt. We can then include that token in the Authorization header of our request to /bearer.

To get a valid JWT, we'll need to submit a valid username and password to the /jwt Function. Right now, these are hardcoded in the Function as twilio and ahoy respectively. The JWT generator Function is expecting the username and password to be passed in the body of the request, so you'll need to create a POST request with a JSON body composed of those values. Using cURL, that would look like this:


_10
curl -i -L -X POST 'https://auth-4173-dev.twil.io/jwt' \
_10
-H 'Content-Type: application/json' \
_10
--data-raw '{
_10
"username": "twilio",
_10
"password": "ahoy"
_10
}'

and the response would be:


_17
$ curl -i -L -X POST 'https://auth-4173-dev.twil.io/jwt' \
_17
-H 'Content-Type: application/json' \
_17
--data-raw '{
_17
"username": "twilio",
_17
"password": "ahoy"
_17
}'
_17
_17
HTTP/2 200
_17
date: Tue, 03 Aug 2021 23:16:35 GMT
_17
content-type: application/octet-stream
_17
content-length: 2
_17
access_token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0d2lsaW8iLCJpc3MiOiJ0d2lsLmlvIiwib3JnIjoidHdpbGlvIiwicGVybXMiOlsicmVhZCJdLCJpYXQiOjE2MjgwMzI1OTUsImV4cCI6MTYyODExODk5NX0.uZzHuN5PpK6qM5wCu01_S8lkFPDpIcxQJq6A7sDr6gc
_17
x-shenanigans: none
_17
x-content-type-options: nosniff
_17
x-xss-protection: 1; mode=block
_17
_17
OK

The header access_token contains the valid JWT that was just generated for us. Go ahead and try your request to /bearer again, but this time including the Authorization header including this JWT:


_10
curl -i -L -X POST 'https://auth-4173-dev.twil.io/bearer' \
_10
-H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0d2lsaW8iLCJpc3MiOiJ0d2lsLmlvIiwib3JnIjoidHdpbGlvIiwicGVybXMiOlsicmVhZCJdLCJpYXQiOjE2MjgwMzA3ODIsImV4cCI6MTYyODExNzE4Mn0.gBusSFmlRt_o3H3E2UB4GGxjbZJLOOS0bKFXTxAgnlw'

the response should be:


_12
$ curl -i -L -X POST 'https://auth-4173-dev.twil.io/bearer' \
_12
-H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0d2lsaW8iLCJpc3MiOiJ0d2lsLmlvIiwib3JnIjoidHdpbGlvIiwicGVybXMiOlsicmVhZCJdLCJpYXQiOjE2MjgwMzA3ODIsImV4cCI6MTYyODExNzE4Mn0.gBusSFmlRt_o3H3E2UB4GGxjbZJLOOS0bKFXTxAgnlw'
_12
_12
HTTP/2 200
_12
date: Tue, 03 Aug 2021 23:20:10 GMT
_12
content-type: application/json
_12
content-length: 84
_12
x-shenanigans: none
_12
x-content-type-options: nosniff
_12
x-xss-protection: 1; mode=block
_12
_12
[{"username":"jdoe","salary":"$2000.00"},{"username":"mturner","salary":"$2500.00"}]

At this point, Bearer Authentication is working for your Function!

To make this example your own, you could experiment with the following:

  • Refactor the common 'secret_key' into an Environment Variable so that it is stored securely and only needs to be changed in one place.
  • Use Environment Variables to store the approved credentials, or even create a database of approved usernames and passwords to support multiple users.
  • Instead of using a hardcoded array of data, retrieve values from a database.

Rate this Page: