X-Twilio-Signature is an HMAC over the URL as Twilio saw it; behind a TLS-terminating edge the FOB must rebuild that URL from X-Forwarded-Proto/Host — but ONLY from the operator-configured edge (CIDR list; empty default = headers IGNORED, fail-closed), or any internet peer chooses the URL its own forgery is checked against (spec §3.1 invariant 5). Scoped honestly: signature validation does not exist in the tree yet. This lands the trusted-proxy half — pure reconstruct_public_url in rutster-trunk (fail-closed Err contract, outermost-hop comma handling) with tests, the config.rs fail-fast parser, and the AppState access point — so the trunk slice consumes it instead of growing its own. New direct dep ipnet 2 (workspace-pinned; already in Cargo.lock via reqwest; MIT/Apache-2.0, cargo-deny clean). Signed-off-by: Aaron D. Lee <himself@adlee.work>
3.9 KiB
3.9 KiB