From 7ca3866a865ee8e654bbabaaed22c0ad97a7d39d Mon Sep 17 00:00:00 2001
From: GrĂ©goire DuchĂȘne
Date: Sun, 4 Apr 2021 21:29:15 +0100
Subject: Return 403 if request signatures do not match

---
 pkg/twilio/filter.go | 6 +++++-
 pkg/twilio/filter_test.go | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/pkg/twilio/filter.go b/pkg/twilio/filter.go
index 7d5f6b5..90e84cc 100644
--- a/pkg/twilio/filter.go
+++ b/pkg/twilio/filter.go
@@ -67,7 +67,11 @@ func (th *Filter) CheckRequestSignature(r *http.Request) error {
 func (th *Filter) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	if err := th.CheckRequestSignature(r); err != nil {
 		log.Println("Failed to check Twilio signature:", err)
-		w.WriteHeader(http.StatusBadRequest)
+		if err == ErrSignatureMismatch {
+			w.WriteHeader(http.StatusForbidden)
+		} else {
+			w.WriteHeader(http.StatusBadRequest)
+		}
 		return
 	}
 	th.Handler.ServeHTTP(w, r)
diff --git a/pkg/twilio/filter_test.go b/pkg/twilio/filter_test.go
index c0c737c..764d423 100644
--- a/pkg/twilio/filter_test.go
+++ b/pkg/twilio/filter_test.go
@@ -83,7 +83,7 @@ func TestFilter_ServeHTTP(t *testing.T) {
 		r := newRequest(Post)
 		r.Header.Set("X-Twilio-Signature", "dpE7iSS3LEQo72hCT34eBRt3UEI=")
 		th.ServeHTTP(w, r)
-		assert.Equal(t, http.StatusBadRequest, w.Code)
+		assert.Equal(t, http.StatusForbidden, w.Code)
 	})
 }
--
cgit v1.2.3-70-g09d2
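Review bot: The new branch in ServeHTTP compares with `err == ErrSignatureMismatch`, which only matches when CheckRequestSignature returns the sentinel unwrapped; that function's body is outside the hunk, so if it wraps the error with `%w` now or in a later change, a genuine mismatch silently degrades to the 400 path and the test in filter_test.go would be the only thing to notice. Prefer `if errors.Is(err, ErrSignatureMismatch) {` so the 403 path survives wrapping (the `errors` import is not visible in the hunk and may need adding). The status split is a deliberate contract and deserves a comment on the `if` line, for example `// 403: well-formed request whose Twilio signature did not verify; 400: the signature could not be checked at all`. The test hunk only pins the 403 outcome; a companion case exercising the remaining 400 branch, assuming CheckRequestSignature returns a different error for an unverifiable request, would keep the two responses from drifting.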