Protected functions should be protected locally #31

Open
philnash opened this issue Jul 12, 2019 · 5 comments
Labels
enhancement New feature or request v-next

Comments

@philnash
Contributor

When starting to test the support for protected functions, I expected that I would receive a 401 response when calling my protected function locally without a signature.

I understand that when deploying, protected functions will be protected, but to make that more obvious when developing, I think that protected functions should still be protected. This will give confidence to developers when testing functions with webhooks and ngrok.

To make for easier testing, we could add a flag that unprotects protected functions locally.

dkundel added the v-next label Jul 12, 2019
@dkundel
Contributor

dkundel commented Jul 13, 2019

So here's the issue I found with this one:
If someone uses the Twilio CLI to initialize the project, we don't actually have the Auth Token to verify the signature. We could send them a warning in the case that ACCOUNT_SID and AUTH_TOKEN are actually API_KEY and API_SECRET. This should probably go into a bigger discussion in a separate issue about how we handle that case. Because there's another situation that is impacted by this.

dkundel added the enhancement label Jul 31, 2019
dkundel added this to the v3 milestone May 18, 2020
@SpicyPete

How does one create a protected function with this tool?
I see in the docs that it's possible, but it does not outline how in any way.

@philnash
Contributor Author

@SpicyPete To make your function protected you need to name it function-name.protected.js. Then, when it is deployed, it will require the incoming request to be signed with an X-Twilio-Signature header.

This issue just points out that when running locally, protected functions are not protected. So protection is only manifested when deployed.
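A sketch of the local behaviour this issue asks for, added here as an example; it is not part of the thread and not the project's own code. `checkLocalRequest`, the `unprotect` option, and the choice to warn and allow when only an API key is configured are assumptions. The signature computation follows Twilio's documented scheme.

```javascript
const crypto = require('crypto');

// Twilio's documented scheme: HMAC-SHA1 over the full request URL followed by
// each POST parameter name and value (sorted by name), keyed with the Auth Token.
function expectedSignature(authToken, url, params) {
  const data = Object.keys(params).sort()
    .reduce((acc, key) => acc + key + params[key], url);
  return crypto.createHmac('sha1', authToken).update(data, 'utf8').digest('base64');
}

// Constant-time comparison; a length mismatch is rejected before comparing.
function safeEqual(a, b) {
  const x = Buffer.from(a), y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Hypothetical gate a local dev server could run before invoking a function file.
// req.url must be the public URL Twilio requested (e.g. the ngrok URL), not localhost.
function checkLocalRequest(req, env, opts = {}) {
  if (!/\.protected\.js$/.test(req.functionFile)) {
    return { status: 200, reason: 'public function' };
  }
  // Assumed opt-out flag for easier local testing, as suggested in the issue.
  if (opts.unprotect) return { status: 200, reason: 'protection disabled by flag' };
  // API Key SIDs start with "SK"; an API secret cannot verify signatures.
  // Assumption: warn and allow, since no check is possible without the Auth Token.
  if (!env.AUTH_TOKEN || /^SK/.test(env.ACCOUNT_SID || '')) {
    return { status: 200, reason: 'no Auth Token available', warn: true };
  }
  const sig = req.headers['x-twilio-signature'];
  if (!sig) return { status: 401, reason: 'missing signature' };
  const expected = expectedSignature(env.AUTH_TOKEN, req.url, req.body || {});
  return safeEqual(sig, expected)
    ? { status: 200, reason: 'valid signature' }
    : { status: 401, reason: 'invalid signature' };
}

// Constructed sample values (not real credentials).
const demoEnv = { ACCOUNT_SID: 'AC' + '0'.repeat(32), AUTH_TOKEN: 'constructed-token' };
const demoReq = {
  functionFile: 'sms.protected.js',
  url: 'https://example.test/sms',
  body: { From: '+15550100', Body: 'hi' },
  headers: {}, // no X-Twilio-Signature header on this request
};
console.log(checkLocalRequest(demoReq, demoEnv));
```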

@SpicyPete

SpicyPete commented Jun 30, 2020

@philnash Great, thank you, that is useful to know.
Is there anywhere in the documentation which mentions how this is done where I can read further? I've been looking everywhere.

@philnash
Contributor Author

@SpicyPete There's a bit on it here: https://www.twilio.com/docs/labs/serverless-toolkit/general-usage#functions.

But we could definitely surface that elsewhere too to make things easier.
