# Pull Request Template
## Description
This PR addresses an issue where users were unable to view images sent
via WhatsApp on Chatwoot due to incorrect Twilio authentication
configuration.
https://app.chatwoot.com/app/accounts/1/conversations/50824
The problem stemmed from how authentication was being handled for Twilio
API requests. The user had configured their inbox using api_key_sid, but
the backend logic used only auth_token, leading to failed
authentication. Further investigation showed that some customers might
input api_secret into the auth_token field unintentionally.
## Type of change
- [x] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing
functionality not to work as expected)
- [ ] This change requires a documentation update
## How Has This Been Tested?
- Tested on console with Client(api_key_sid, auth_token, account_sid)
and validated successful authentication for the customer (Twilio channel
ID: 2702).
- Simulated toggling the “Use API Key Authentication” checkbox to ensure
backend behavior matches UI intent
- Verified image rendering by testing with the same image URL that was
previously failing for the user.
## Checklist:
- [x] My code follows the style guidelines of this project
- [x] I have performed a self-review of my code
- [x] I have commented on my code, particularly in hard-to-understand
areas
- [x] I have made corresponding changes to the documentation
- [x] My changes generate no new warnings
- [x] I have added tests that prove my fix is effective or that my
feature works
- [x] New and existing unit tests pass locally with my changes
- [x] Any dependent changes have been merged and published in downstream
modules
---------
Co-authored-by: Muhsin Keloth <muhsinkeramam@gmail.com>
We received customer reports that attachments in Twilio messages
required page reloads to appear. This issue occurred because in the old
Twilio builder, we saved the message and attachment in two stages. The
new builders follow a streamlined approach, where both are saved in a
single transaction. This update aligns the Twilio channel with the new
builder format and resolves the issue.
### Testing:
Tests cover the attachment cases, ensuring that all original tests pass
with these changes.
In the previous release, we enabled "HTTP Basic Authentication" to secure all attachments requiring HTTP authentication. This is particularly important for media files that may contain sensitive data, as recommended by Twilio. However, some users experienced issues because they did not enable this option despite our alerts prompting them to do so. If the authenticated attachment download call fails, add another call to download the attachment without authentication.
We've had some messages come in from a few different phone numbers that had null bytes in them. I don't know how this happens. They don't seem to be malicious.
They currently cause the Postgres gem to raise an error when Chatwoot attempts to save the message body to the database:
ArgumentError (string contains null byte)
Related Rails GitHub issue: rails/rails#26891
