I am making a Twilio app. Twilio can send a request to the server after a call is over, but it isn’t able to be associated with the logged-in user of my website because Twilio is making an independent request. If I were to tell Twilio to post something at
example.com/response.html?token=ba38pgab38g4agdusoehle8qihxs&data=somedata
and then use this token as a way of verifying that this Twilio request is associated with a user, is that secure?
I have seen this technique used before on password reset forms. An email will contain a link, and the user’s identity is confirmed only using the token.
Is doing this in my Twilio app secure? Are there any gotchas to note?
It’s as secure as any other request to your server from a remote HTTP client (like a browser). If you want to make sure that no one between Twilio’s servers and yours can read the request, you should use HTTPS/SSL.
For this use case, it’s probably better to associate the CallSid value that’s sent with every request to your server with the user in your system. When the StatusCallback for a completed call fires, look up the user associated with that call and act accordingly.
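A worked version of the CallSid lookup the answer recommends, added here as an example and not code from the asker or the answerer. It assumes a constructed auth token and a constructed `CALLS_BY_SID` table that the application filled in when the logged-in user started the call; the signature check follows Twilio's documented `X-Twilio-Signature` scheme (base64 of HMAC-SHA1 over the request URL plus the sorted POST parameters), which is how the server can tell the request really came from Twilio before trusting the CallSid in it.

```python
import base64
import hashlib
import hmac

# Constructed sample secret; in a real deployment this is the Twilio account's auth token.
AUTH_TOKEN = "constructed-example-auth-token"

# Constructed sample mapping, recorded when the logged-in user initiated the call:
# CallSid -> user id. This is the association the answer suggests instead of a URL token.
CALLS_BY_SID = {
    "CAexample00000000000000000000000001": "user-42",
}


def compute_twilio_signature(auth_token: str, url: str, params: dict) -> str:
    """Twilio's documented request signature: URL, then every POST key+value with keys
    sorted, HMAC-SHA1 with the auth token, base64-encoded."""
    payload = url + "".join(key + params[key] for key in sorted(params))
    digest = hmac.new(auth_token.encode(), payload.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def signature_is_valid(auth_token: str, url: str, params: dict, presented: str) -> bool:
    """Constant-time comparison so a wrong signature leaks nothing about the right one."""
    expected = compute_twilio_signature(auth_token, url, params)
    return hmac.compare_digest(expected, presented)


def handle_status_callback(url: str, params: dict, presented_signature: str,
                           auth_token: str = AUTH_TOKEN, calls: dict = CALLS_BY_SID):
    """Process a StatusCallback. Returns the user id that owns the call when the request
    is authentic and the call has completed; returns None when the request is rejected
    (bad signature) or ignored (other statuses, unknown CallSid)."""
    if not signature_is_valid(auth_token, url, params, presented_signature):
        return None                      # not from Twilio: reject, do not act on CallSid
    if params.get("CallStatus") != "completed":
        return None                      # only the completed event is of interest here
    return calls.get(params.get("CallSid"))   # unknown CallSid -> None


if __name__ == "__main__":
    # Constructed callback as Twilio would POST it (hypothetical URL and parameters).
    callback_url = "https://example.com/twilio/status"
    body = {"CallSid": "CAexample00000000000000000000000001", "CallStatus": "completed"}
    sig = compute_twilio_signature(AUTH_TOKEN, callback_url, body)
    print(handle_status_callback(callback_url, body, sig))          # user-42
    print(handle_status_callback(callback_url, body, "forged"))     # None
```

The point of the lookup is that the server never has to trust anything user-controlled in the URL: the CallSid was bound to the user on your side when the call was placed, and the signature check proves the callback carrying it is Twilio's, so a third party who learns a callback URL cannot replay or fabricate a completion for someone else's account.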