fix: Twilio authentication handling for WhatsApp attachments (#11536)

# Pull Request Template

## Description

This PR addresses an issue where users were unable to view images sent
via WhatsApp on Chatwoot due to incorrect Twilio authentication
configuration.
https://app.chatwoot.com/app/accounts/1/conversations/50824

The problem stemmed from how authentication was being handled for Twilio
API requests. The user had configured their inbox using api_key_sid, but
the backend logic used only auth_token, leading to failed
authentication. Further investigation showed that some customers might
input api_secret into the auth_token field unintentionally.

## Type of change

- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing
functionality not to work as expected)
- [ ] This change requires a documentation update

## How Has This Been Tested?

- Tested on console with Client(api_key_sid, auth_token, account_sid)
and validated successful authentication for the customer (Twilio channel
ID: 2702).
- Simulated toggling the “Use API Key Authentication” checkbox to ensure
backend behavior matches UI intent
- Verified image rendering by testing with the same image URL that was
previously failing for the user.

## Checklist:

- [x] My code follows the style guidelines of this project
- [x] I have performed a self-review of my code
- [x] I have commented on my code, particularly in hard-to-understand
areas
- [x] I have made corresponding changes to the documentation
- [x] My changes generate no new warnings
- [x] I have added tests that prove my fix is effective or that my
feature works
- [x] New and existing unit tests pass locally with my changes
- [x] Any dependent changes have been merged and published in downstream
modules

---------

Co-authored-by: Muhsin Keloth <muhsinkeramam@gmail.com>
This commit is contained in:
Tanmay Deep Sharma
2025-05-21 20:10:15 +07:00
committed by GitHub
parent 1602b071db
commit 3c8abd5b30

@@ -137,14 +137,19 @@ class Twilio::IncomingMessageService
end
def download_with_auth(media_url)
Down.download(
media_url,
http_basic_authentication: [twilio_channel.account_sid, twilio_channel.auth_token || twilio_channel.api_key_sid]
)
auth_credentials = if twilio_channel.api_key_sid.present?
# When using api_key_sid, the auth token should be the api_secret_key
[twilio_channel.api_key_sid, twilio_channel.auth_token]
else
# When using account_sid, the auth token is the account's auth token
[twilio_channel.account_sid, twilio_channel.auth_token]
end
Down.download(media_url, http_basic_authentication: auth_credentials)
end
def handle_download_attachment_error(error, media_url)
Rails.logger.info "Error downloading attachment from Twilio: #{error.message}: Retrying"
Rails.logger.info "Error downloading attachment from Twilio: #{error.message}: Retrying without auth"
Down.download(media_url)
rescue StandardError => e
Rails.logger.info "Error downloading attachment from Twilio: #{e.message}: Skipping"
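Review bot: in handle_download_attachment_error, the "Retrying without auth" path runs for whatever error download_with_auth raised, so a rejected api_key_sid/auth_token pair is logged at info level and then hidden behind the unauthenticated retry. The description says customers may enter the wrong secret in the auth_token field, so I would log authentication failures at warn or error with the channel id, which makes the misconfiguration visible instead of showing up only as missing images. In download_with_auth, the api_key_sid branch passes twilio_channel.auth_token as the password without checking that it is present, where the old code at least had an `||` fallback; a guard or a validation on the channel would avoid sending a nil password. The comment "the auth token should be the api_secret_key" shows the auth_token column now holds two different kinds of secret depending on api_key_sid, which is worth documenting next to the field. Nothing in this hunk checks the host of media_url before attaching credentials, so please confirm it is restricted to Twilio hosts upstream.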