Validation fails with trailing host slash #25

Open
henhouse opened this issue May 4, 2018 · 3 comments

henhouse commented May 4, 2018

GetExpectedTwilioSignature will fail due to the req.URL.String() containing a beginning slash /. This seemingly breaks validation on both GET and POST requests where it is not there. If any query parameters are present, there is simply a ? and no slash before them. This can be seen in Twilio's example here on line 17: https://www.twilio.com/docs/usage/security?code-sample=code-validate-signature-of-request&code-language=java&code-sdk-version=7.x

I found this after thorough attempts to get my signatures valid at even the smallest requests. It can be reproduced by creating a super simple TwiML App, directing it to some endpoint and trying to validate the incoming request. It will always fail unless the slash is removed.

I solved it by simply modifying the package on this line to use URL[1:] but I am not sure if that is the idealistic way to do so since I'm not sure if you can always guarantee a value there. Was hoping for some input and thoughts.

@kevinburke
Owner

We should check and see if the official libraries have test cases, then port all of them to this library as a compatibility test.

Owner

kevinburke commented May 5, 2018

To be clear: the problem is when the request comes in to the root and the URL is "/"? Are you passing r.URL.Path to the signature validator?

Author

henhouse commented May 7, 2018

Hey @kevinburke, indeed it seems to only occur to the base path "/". I guess this is because req.URL.String() will write the starting slash for the path, even if there is no URI following. If you validate at /test, for example, there is no issue since there will be no trailing slash.
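
An added Go example, not part of the thread and not this library's code: it computes a signature with the scheme Twilio documents (base64 of HMAC-SHA1, keyed with the auth token, over the URL followed by the sorted POST parameters) and shows that a URL rebuilt from the server-side request target for the root path differs by one slash and fails the check. The function names, host, token and parameters are constructed for the example, and the sender is assumed to have signed the URL without the slash, as the report describes.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"net/url"
	"sort"
)

// sign computes the Twilio-style request signature: HMAC-SHA1, keyed with the
// auth token, over the URL followed by each POST key and value in key order.
func sign(authToken, fullURL string, post url.Values) string {
	keys := make([]string, 0, len(post))
	for k := range post {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	mac := hmac.New(sha1.New, []byte(authToken))
	mac.Write([]byte(fullURL))
	for _, k := range keys {
		mac.Write([]byte(k + post.Get(k)))
	}
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// valid compares in constant time so the check does not leak a timing signal.
func valid(authToken, fullURL string, post url.Values, got string) bool {
	return hmac.Equal([]byte(sign(authToken, fullURL, post)), []byte(got))
}

// serverSideURL parses a request target the way net/http does for a handler.
func serverSideURL(requestTarget string) string {
	u, err := url.ParseRequestURI(requestTarget)
	if err != nil {
		return ""
	}
	return u.String() // path and query only, so the root is always "/"
}

func main() {
	const token = "constructed-auth-token" // constructed sample value
	const host = "https://example.com"     // constructed webhook host
	post := url.Values{"CallSid": {"CA123"}, "From": {"+15550100"}}
	sent := sign(token, host, post) // signature over the URL without the slash
	rebuilt := host + serverSideURL("/")
	fmt.Println(rebuilt, valid(token, rebuilt, post, sent)) // slash added: mismatch
	fmt.Println(host, valid(token, host, post, sent))       // same string: match
}
```

Any validator that rebuilds the signed string from the incoming request has to reproduce the configured webhook URL byte for byte, which is why a compatibility test against known request and signature pairs is useful here.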
