Request middleware fails on validate set to false

[khalilchoudhry]

X-Twilio-Signature check is added before checking the validate option. The request will fail even if validate option is set to false. If a request is sent from POSTMAN on dev/test environment, which means the validate option is false, so there is no need to check if the header is present or not. Similarly, if a test is written for Express route in my code, the middleware will fail despite the fact that validate option is false.

It also checks for X-Twilio-Signature here which will not fail with validate option set to false. If validate option is true and X-Twilio-Signature is undefined, empty string is set as a default value which will then obviously differ from expected twilio signature and fail.
Contributing to Twilio

All third-party contributors acknowledge that any contributions they provide will be made under the same open-source license that the open-source project is provided under.

• I acknowledge that all my contributions will be made under the project's license.

[khalilchoudhry]

@childish-sambino Please review this.

[childish-sambino]

Instead of removing the check from webhook(), how about just moving it down to somewhere within the validation block? This would then support the functionality you're looking for and provide a more specific error message and proper response code. I prefer to be more specific in the message as long as it's not a security risk.

[khalilchoudhry]

Isn't X-Twilio-Signature is expected from Twilio only? How can someone create or set X-Twilio-Signature on dev environment or during testing? Why is it asked here in docs to disable validation during testing then ?

[childish-sambino]

If you move the header check to within the if (opts.validate) { block, then it will not be checked during dev/test.

[khalilchoudhry]

done

[childish-sambino]

👍