From 3c8abd5b301baa829fe87ac5cf2667fb392f7c4f Mon Sep 17 00:00:00 2001 
From: Tanmay Deep Sharma <32020192+tds-1@users.noreply.github.com>
Date: Wed, 21 May 2025 20:10:15 +0700
Subject: [PATCH] fix: Twilio authentication handling for WhatsApp attachments (#11536)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

# Pull Request Template

## Description

This PR addresses an issue where users were unable to view images sent via WhatsApp on Chatwoot due to incorrect Twilio authentication configuration.

https://app.chatwoot.com/app/accounts/1/conversations/50824

The problem stemmed from how authentication was being handled for Twilio API requests. The user had configured their inbox using api_key_sid, but the backend logic used only auth_token, leading to failed authentication. Further investigation showed that some customers might input api_secret into the auth_token field unintentionally.

## Type of change

- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality not to work as expected)
- [ ] This change requires a documentation update

## How Has This Been Tested?

- Tested on console with Client(api_key_sid, auth_token, account_sid) and validated successful authentication for the customer (Twilio channel ID: 2702).
- Simulated toggling the “Use API Key Authentication” checkbox to ensure backend behavior matches UI intent
- Verified image rendering by testing with the same image URL that was previously failing for the user.

## Checklist: - [x] My code follows the style guidelines of this project - [x] I have performed a self-review of my code - [x] I have commented on my code, particularly in hard-to-understand areas - [x] I have made corresponding changes to the documentation - [x] My changes generate no new warnings - [x] I have added tests that prove my fix is effective or that my feature works - [x] New and existing unit tests pass locally with my changes - [x] Any dependent changes have been merged and published in downstream modules --------- Co-authored-by: Muhsin Keloth --- app/services/twilio/incoming_message_service.rb | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/app/services/twilio/incoming_message_service.rb b/app/services/twilio/incoming_message_service.rb index 7a335c87d..c38577599 100644 --- a/app/services/twilio/incoming_message_service.rb +++ b/app/services/twilio/incoming_message_service.rb @@ -137,14 +137,19 @@ class Twilio::IncomingMessageService end def download_with_auth(media_url) - Down.download( - media_url, - http_basic_authentication: [twilio_channel.account_sid, twilio_channel.auth_token || twilio_channel.api_key_sid] - ) + auth_credentials = if twilio_channel.api_key_sid.present? + # When using api_key_sid, the auth token should be the api_secret_key + [twilio_channel.api_key_sid, twilio_channel.auth_token] + else + # When using account_sid, the auth token is the account's auth token + [twilio_channel.account_sid, twilio_channel.auth_token] + end + + Down.download(media_url, http_basic_authentication: auth_credentials) end def handle_download_attachment_error(error, media_url) - Rails.logger.info "Error downloading attachment from Twilio: #{error.message}: Retrying" + Rails.logger.info "Error downloading attachment from Twilio: #{error.message}: Retrying without auth" Down.download(media_url) rescue StandardError => e Rails.logger.info "Error downloading attachment from Twilio: #{e.message}: Skipping"
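Review bot: In `download_with_auth`, the `api_key_sid.present?` branch sends `twilio_channel.auth_token` as the basic-auth password, so it only works when that field really holds the API key secret. A channel that has `api_key_sid` set but still stores the account's own auth token would not authenticate and would fall into `handle_download_attachment_error`, which retries with no credentials at all. Consider making the dependency explicit, for example a small accessor (hypothetical name `api_key_secret`) that documents what the column holds in API-key mode, and guarding against a blank `auth_token` so the request is never built as `[sid, nil]`. The diffstat lists one changed file, so neither branch is covered by a spec in this patch; one test per branch asserting the pair handed to `Down.download` would pin the behaviour. In `handle_download_attachment_error`, the reworded "Retrying without auth" line is still logged at `info` and the unauthenticated retry runs for whatever error reaches the handler; logging the authenticated failure at `warn` would keep a misconfigured credential visible instead of letting the fallback hide it.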