Security and validation of callbacks to notifyURL

by Matthew

The API docs are not clear on the callback data when provisioning a number and using the notifyURL. I am following the blog supplied to me in email via David Freeman (https://dev.telstra.com/content/understanding-messaging-api-callbacks-part-2) and it includes the JSON format for reference. However, when I provision the number there is an option to include 'callbackData' which is described as (string) 'A JSON that will be sent as the body in the POST to the notifyURL. This can be any meaningful data relevant to your application.' I am not getting the callbackData string when I send a message to the provisioned number, in either the body or the headers.

The only form of validating that the message is from Telstra would be to whitelist the IP addresses, such as the POST from 203.52.67.212 for the test I did. (Please do share your IP range if this is the only option at present.)

Are you working on improving this security? Even if I could have a passcode in the JSON via the callbackData it would be a start, but it would be even better if you had the ability for me to provide you with OAuth client credentials for my server and have the authentication at the same level in both directions. Alternatively, drop the message information and POST to my notifyURL 'You have a new message' and I will call it manually in response.

by DeveloperSteve

Hi Matthew

Sorry, not sure if you are asking a question, giving feedback or making a statement (all 3?).

Are you having issues with the notifyURL post data?

by Matthew

The first question (which may address the bigger issue) is regarding provisioning a number where there is an optional 'callbackData' which is described as (string) "A JSON that will be sent as the body in the POST to the notifyURL. This can be any meaningful data relevant to your application". Why is the callbackData not in the body of the POST to my notifyURL? It is not in the example in the blog either.

by DeveloperSteve

Hi Matthew

The callback data in question is additional data that can be included with the body postback. This adds to the data that is sent back to the notifyURL, which looks something like this and is sent as a POST variable.

{"to":"+61400000000","from":"+61400000000","body":"Test","sentTimestamp":"2018-05-11T15:27:01","messageId":"NMASApiA0000000817"}

by Matthew

So I provision a number with the JSON { "activeDays":"30", "notifyURL":"https://example.com" , "callbackData": { "name" : "value"}}. I expect to see my name/value callbackData in the postback; the API and your comment say in the 'body', however the body is where I receive the actual message content sent in the SMS. I send a test message saying 'Is this thing on?' and my notifyURL receives a POST like your example, but no sign of the callbackData:

{"to":"+614XXXXXXXX","from":"+614XXXXXXXX","body":"Is this thing on?","sentTimestamp":"2018-07-02TXX:XX:XX","messageId":"XXXXXX"}

Can you show me an example of where I can see the callbackData other than when I input it to provision a number? Thanks

by DeveloperSteve

Hi Matthew

Had a chat to the messaging team about this; it's a deprecated function that hasn't yet moved out of the swagger spec (so shouldn't be in there). Getting them updated, but did you have a need for a function like this?

by Matthew

Thanks for the clarification. Which brings me to the second part of the question and a request for you to improve the security...

The only form of validating that the notifyURL POST is from Telstra would be to whitelist the IP addresses of the server making the POST (example: 203.52.67.212).

Are you working on improving this security and validation? It would be better if you had the ability for me to provide you with OAuth client credentials for my server and have the authentication at the same level in both directions sending/receiving messages. Alternatively, can you give an option to drop the message information (from & body) and POST to my notifyURL with the messageId of the new message and allow me to GET the message information after being authenticated.

by DeveloperSteve

Hi Matthew

Thanks for the feedback. For PAYG plans and up we can set up certs and keys to generate a JWT token.
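The thread ends with two ways a notifyURL receiver can decide whether to trust an inbound callback: an allow-list of source IPs (the only option Matthew had at the time) and a JWT presented by the caller (the option DeveloperSteve offers). The following receiver-side gate is an added example and is not code from this thread or from Telstra; it combines both checks with a schema check on the callback JSON shown earlier in the thread. The allow-listed network, the shared secret and the sample message are constructed. The thread mentions certs and keys, which implies an asymmetrically signed token; to stay runnable without third-party libraries this example verifies an HS256 (HMAC) JWT instead, and the verification flow (split, check alg, verify signature with a constant-time compare, then check expiry before trusting any claim) is the same shape a public-key check would follow.

```python
"""Added example: gate an inbound notifyURL callback before trusting it.

Checks, in order: source network allow-list, bearer JWT, then body shape.
Every network, secret and message below is constructed for illustration.
"""
import base64
import hashlib
import hmac
import ipaddress
import json
import time

# Constructed allow-list. The thread shows one observed source (203.52.67.212);
# the real range must come from the provider, not be inferred from one sample.
ALLOWED_NETWORKS = [ipaddress.ip_network("203.52.67.0/24")]

# Fields the thread's sample callback JSON carries.
REQUIRED_FIELDS = ("to", "from", "body", "sentTimestamp", "messageId")


def source_allowed(remote_addr, networks=ALLOWED_NETWORKS):
    """True if the connecting address falls inside an allow-listed network."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:  # not an IP literal at all
        return False
    return any(addr in net for net in networks)


def parse_callback(raw_body):
    """Parse the callback body and insist on the documented shape."""
    data = json.loads(raw_body.decode("utf-8"))
    if not isinstance(data, dict):
        raise ValueError("callback body must be a JSON object")
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        raise ValueError(f"callback missing fields: {missing}")
    return data


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def verify_hs256_jwt(token, secret, now=None):
    """Verify an HS256 JWT's signature and expiry; return its claims.

    The signature is checked with a constant-time compare before any claim is read.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        raise ValueError("token expired")
    return claims


def make_hs256_jwt(claims, secret):
    """Mint a test token so the verifier can be exercised offline (constructed)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def handle_callback(remote_addr, auth_header, raw_body, secret):
    """Full gate: source network, bearer token, then body shape. Raises on failure."""
    if not source_allowed(remote_addr):
        raise PermissionError(f"source {remote_addr} not allow-listed")
    if not auth_header or not auth_header.startswith("Bearer "):
        raise PermissionError("missing bearer token")
    verify_hs256_jwt(auth_header[len("Bearer "):], secret)
    return parse_callback(raw_body)


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"
    token = make_hs256_jwt({"iss": "provider", "exp": time.time() + 60}, SECRET)
    body = json.dumps({"to": "+61400000000", "from": "+61400000000", "body": "Test",
                       "sentTimestamp": "2018-05-11T15:27:01",
                       "messageId": "NMASApiA0000000817"}).encode()
    print(handle_callback("203.52.67.212", "Bearer " + token, body, SECRET))
```

The order of checks matters: the cheap IP test runs first so unauthenticated traffic from elsewhere is dropped before any cryptography, and the body is only parsed once the caller has been authenticated. If the provider later offers the messageId-only callback Matthew asked for, `parse_callback` is the only function that would change.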
