What's new in the Twilio helper library for ASP.NET (v8.0.0 - March 2023)

March 06, 2023
Written by
Niels Swimberghe
Contributor
Opinions expressed by Twilio contributors are their own
Reviewed by

What's new in the Twilio helper library for ASP.NET (v8.0.0 - March 2023)

The Twilio helper library for ASP.NET (Twilio.AspNet) is a community-driven open-source project to make integrating Twilio with ASP.NET easier, for both ASP.NET Core and ASP.NET MVC on .NET Framework.

Wondering what was previously introduced? You can read about v7 and prior releases here.

What's new in Twilio.AspNet v8.0.0

Version 8 is a small release, but because it contains some breaking changes, we are bumping the version to 8.

Here's an overview of the changes:

🎉 NEW FEATURES  

  • The RequestValidationHelper for Twilio.AspNet.Core now has an async method to validate HTTP requests: IsValidRequestAsync. (The async method loads the form body asynchronously.)
  • AddTwilioClient and AddTwilioRequestValidation have more overloads to configure these features as desired.

🙌 ENHANCEMENTS

  • Twilio request validation and dependency injected Twilio clients will use the most up-to-date configuration when the underlying configuration sources are changed, without requiring an application restart. (More details below) (Twilio.AspNet.Core only)
  • AddTwilioClient and AddTwilioRequestValidation now validate the configuration.
  • The request validation filters and middleware now load the form asynchronously. (Twilio.AspNet.Core only)
  • The Twilio library dependency has been updated to version 6.2.4.

⚠️ BREAKING CHANGES

  • The AllowLocal setting for request validation filters and middleware now defaults to false instead of true. ⚠️ Only set AllowLocal to true during development, as this will make your application vulnerable to Server-Side Request Forgery. (More details below)
  • The overloads for AddTwilioClient where you could provide an HttpClient have been removed. To customize the HttpClient, override the HTTP client factory with the name "Twilio" after invoking AddTwilio. (More details below)
  • The Twilio.AspNet.Core library dropped support for .NET versions prior to .NET 6, as these versions are no longer supported by Microsoft.

Automatic reloading configuration

.NET's configuration system is a flexible API that lets you provide configuration from multiple sources, and optionally have the configuration update automatically when the underlying source is updated.

AddTwilioClient and AddTwilioRequestValidation both use the .NET configuration to configure itself, but prior to version 8 these features retrieved the original configuration and all subsequent configuration changes would be ignored. If you wanted to change the configuration, you had to stop the application and start it up again. During development this unnecessary restart slows you down, and in production this could mean your application misses HTTP requests.

In version 8, these features will use the updated configuration when underlying sources are updated.

This only applies for configuration sources that support reloadOnChange and have reloadOnChange enabled. By default, in ASP.NET Core, the appsettings.json and its environment specific variants are all added with reloadOnChange set to true.

Here's a video of a TwiML API using the Twilio request validation feature:

Twilio:RequestValidation:AllowLocal configuration in appsettings.json is set to false at first, and as a result the TwiML endpoint responds with 403 Forbidden. After changing AllowLocal from false to true, the TwiML API returns the expected TwiML.

Automatically using updated configuration can be very helpful for other options, such as when you're rotating Auth Tokens and API keys or restarting your ngrok tunnel resulting in a new BaseUrlOverride.

The most up-to-date configuration is loaded and cached for the duration of the ongoing HTTP request.
Say that you're using a dependency injected Twilio client and the application is doing a lot of slow work during an HTTP request, the Twilio client will continue using the same configuration (Account SID, Auth Token, API key, etc.) even when you change its configuration in appsettings.json for the duration of that HTTP request.

AllowLocal defaults to false

Prior to version 8, the Twilio:RequestValidation:AllowLocal would default to true. Allowing HTTP requests from the local machine makes your application vulnerable to Server-Side Request Forgery. This would require your code to be vulnerable somewhere else too, but out of caution the default is now false. AllowLocal may be replaced with an on/off toggle in the future, depending on your feedback!
If you depended on AllowLocal being true by default, go and explicitly set it to true in appsettings.json or wherever you store your .NET configuration.

Customize the HTTP client used by the Twilio client

Prior to version 8, there were AddTwilioClient overloads where you could supply your own HttpClient using a lambda. This was added just in case users needed it, which is an unknown factor to this day. However, we didn't see how this overload added value to the users, so we removed it to keep the code easier to maintain.

If you still want to customize the HTTP client that is used by dependency injected Twilio clients, you can do so as shown below:

builder.Services.AddTwilioClient();
builder.Services.AddHttpClient("Twilio")
    .ConfigureHttpClient(client =>
    {
        client.BaseAddress = new Uri("YOUR_PROXY_ADDRESS");
    })
    .ConfigurePrimaryHttpMessageHandler(() => new HttpClientHandler
    {
        // same options as the Twilio C# SDK
        AllowAutoRedirect = false
    });

AddTwilioClient runs the AddHttpClient("Twilio") method by default. If you'd like to customize the behavior of the HTTP client and its factory, you can call AddHttpClient("Twilio") after AddTwilioClient.

This will override the previously configured HTTP client factory.

Go use the shiny new bits

You can take advantage of these new features and enhancements now by installing the latest version of the Twilio helper library for ASP.NET. You can find the installation instructions in the README of the Twilio.AspNet GitHub repository. If you like this library, consider giving the GitHub repo a star, submit any issues or PRs.

We can't wait to see what you'll build with Twilio.AspNet. Let us know on social media, and don't forget to mention @TwilioDevs and @RealSwimburger on Twitter or LinkedIn.

Niels Swimberghe is a Belgian American software engineer and technical content creator at Twilio, and a Microsoft MVP in Developer Technologies. Get in touch with Niels on Twitter @RealSwimburger and follow Niels’ personal blog on .NET, Azure, and web development at swimburger.net.