wp-plugins/twilio-wp-plugin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Security enhancement: Remove frontend browser phone interface

Browse Source 
- Updated shortcode to redirect to admin browser phone page for enhanced security
- Removed frontend browser phone assets (108KB total):
  - assets/js/browser-phone-frontend.js (85KB)
  - assets/css/browser-phone-frontend.css (23KB)
- Modified shortcode to show secure redirect interface with authentication checks
- Added new shortcode attributes: title, button_text, target
- Enhanced documentation with security improvements and new behavior
- Reduced frontend attack surface by eliminating JavaScript exposure
- Improved performance with minimal asset loading for shortcode pages

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
jknapp
2025-09-02 11:40:49 -07:00
parent 6e01e27cb9
commit 345ef43740
5 changed files with 147 additions and 3961 deletions
Download Patch File Download Diff File Expand all files Collapse all files

82
README.md
View File

@@ -46,7 +46,8 @@ This plugin **requires** the Twilio PHP SDK v8.7.0 to function. The plugin will
- **Queue Notifications**: SMS alerts to designated numbers when calls enter queues
### 🌐 Browser Phone (WebRTC)
- **In-Browser Calling**: Make and receive calls directly from WordPress admin or frontend
- **Admin-Only Access**: Secure browser phone interface available only in WordPress admin area
- **Enhanced Security**: All browser phone functionality moved from frontend for improved security
- **Twilio Voice SDK v2**: Uses latest SDK for WebRTC functionality
- **Visual Dialpad**: Click-to-dial interface with DTMF support
- **Call Controls**: Mute, hold indicators, call timer
@@ -54,7 +55,7 @@ This plugin **requires** the Twilio PHP SDK v8.7.0 to function. The plugin will
- **Queue Integration**: Accept calls from specific queues
- **Token Management**: Automatic token refresh for uninterrupted service
- **Mobile-Friendly**: Responsive design optimized for smartphones and tablets
- **Shortcode Support**: Embed browser phone on any page with `[twp_browser_phone]`
- **Shortcode Redirect**: `[twp_browser_phone]` shortcode provides secure redirect to admin interface
### 🕒 Business Hours Management
- **Schedule-based Routing**: Different call flows for business hours vs after-hours
@@ -113,7 +114,15 @@ This plugin **requires** the Twilio PHP SDK v8.7.0 to function. The plugin will
## Recent Updates
### MAJOR RELEASE v2.3.0 (September 2025) - Enterprise Ready
Comprehensive system overhaul with production-ready reliability improvements.
Comprehensive system overhaul with production-ready reliability improvements and enhanced security.
#### 🔒 Security Enhancement: Frontend Browser Phone Removal
- **Security-First Approach**: Removed full browser phone interface from frontend shortcode
- **Admin-Only Access**: All browser phone functionality now restricted to secure WordPress admin area
- **Asset Reduction**: Eliminated 108KB of frontend assets (browser-phone-frontend.js and CSS)
- **Reduced Attack Surface**: Minimized frontend JavaScript exposure and potential security vectors
- **Performance Boost**: Improved page load times with reduced frontend asset loading
- **Professional Redirect**: Shortcode now provides clean redirect interface to admin browser phone
#### 🚀 Extension Transfer System - Complete Solution
- **FIXED: Direct Voicemail Issue**: Extension transfers no longer go directly to voicemail for available agents
@@ -326,11 +335,16 @@ Comprehensive redesign of hold, transfer, and requeue functionality with profess
- Enter TwiML App SID
- Save settings
3. **Access Browser Phone**:
- Navigate to **Twilio** → **Browser Phone**
3. **Access Browser Phone** (Admin Only):
- Navigate to **WordPress Admin** → **Twilio** → **Browser Phone**
- Select caller ID from available numbers
- Start making/receiving calls
4. **Frontend Access** (Optional):
- Use `[twp_browser_phone]` shortcode on any page
- Shortcode provides secure redirect to admin interface
- Requires user login and appropriate permissions
### Agent Configuration
1. **Create Agent Groups** (Twilio → Agent Groups)
2. **Add Agents** to groups with priorities
@@ -356,37 +370,41 @@ Comprehensive redesign of hold, transfer, and requeue functionality with profess
- **Queue Timeouts**: Alert when calls wait too long (configurable threshold)
- **Missed Calls**: Alert when calls are abandoned or timeout
## Frontend Browser Phone
## Browser Phone Access
### Shortcode Usage
The browser phone can be embedded on any WordPress page using the `[twp_browser_phone]` shortcode. This is perfect for creating dedicated agent pages or customer service portals.
### Shortcode Usage (Redirect Interface)
The `[twp_browser_phone]` shortcode now provides a **secure redirect interface** that directs users to the WordPress admin browser phone page for enhanced security.
**Basic Usage:**
```
[twp_browser_phone]
```
**With Options:**
**With Custom Options:**
```
[twp_browser_phone title="Customer Service Phone" show_title="true" compact="false"]
[twp_browser_phone title="Customer Service Phone" button_text="Access Phone System" target="_blank"]
```
### Shortcode Parameters
- **title**: Custom title for the phone widget (default: "Browser Phone")
- **show_title**: Display the title above the phone (default: "true")
- **compact**: Use compact layout for smaller spaces (default: "false")
- **title**: Custom title for the redirect interface (default: "Browser Phone")
- **button_text**: Text for the admin link button (default: "Access Browser Phone")
- **target**: Link target behavior (default: "_blank" - opens in new tab)
### Permission Requirements
- Users must be **logged in** to access the browser phone
- Users need the **`twp_access_browser_phone`** capability or **`manage_options`**
- Phone Agent role users have access by default
### Security Features
- **Authentication Required**: Users must be logged in to see the redirect interface
- **Permission Validation**: Requires `twp_access_browser_phone` capability or `manage_options`
- **Clear Error Messages**: Informative feedback for unauthorized access attempts
- **Admin-Only Interface**: All browser phone functionality restricted to WordPress admin area
### Mobile Optimization
- **Responsive Design**: Adapts to all screen sizes
- **Touch-Friendly**: Large buttons optimized for mobile devices
- **Haptic Feedback**: Vibration on button press (where supported)
- **Auto-Zoom Prevention**: Proper viewport handling for mobile browsers
- **Dark Mode Support**: Automatically adapts to user's system preference
### Browser Phone Interface (Admin Area)
Access the full browser phone interface at: **WordPress Admin → Twilio → Browser Phone**
#### Features:
- **Enhanced Security**: Protected by WordPress admin authentication
- **Full Functionality**: Complete browser phone features available in secure environment
- **Responsive Design**: Adapts to all screen sizes within admin interface
- **Professional Interface**: Integrated with WordPress admin styling
- **No Frontend Assets**: Eliminates security risks from frontend JavaScript exposure
## Voice Configuration
@@ -407,10 +425,12 @@ The browser phone can be embedded on any WordPress page using the `[twp_browser_
### Common Issues
#### Browser Phone "Client version not supported"
- **Fixed in latest version**: Upgraded to Voice SDK v2
- Clear browser cache and reload page
- Check TwiML App SID is configured
#### Browser Phone Access Issues
- **Access via Admin Only**: Browser phone moved to WordPress admin area for security
- **Shortcode Redirect**: Frontend shortcode now provides redirect to admin interface
- **Permission Required**: Ensure user has `twp_access_browser_phone` or `manage_options` capability
- **Login Required**: Users must be logged in to access browser phone functionality
- Check TwiML App SID is configured in WordPress admin settings
#### "Twilio SDK classes not available"
```bash
@@ -519,6 +539,10 @@ All webhooks are REST API endpoints under `/wp-json/twilio-webhook/v1/`:
- **Mobile Browsers**: Limited WebRTC support
### Security Considerations
- **Admin-Only Browser Phone**: All browser phone functionality restricted to WordPress admin area
- **Frontend Asset Elimination**: Removed 108KB of frontend JavaScript and CSS to reduce attack surface
- **Authentication Required**: Shortcode requires user login and appropriate permissions
- **Secure Redirects**: Frontend shortcode provides authenticated redirect to admin interface
- All webhooks use WordPress nonce verification
- Phone numbers validated and sanitized
- SQL queries use prepared statements
@@ -528,6 +552,10 @@ All webhooks are REST API endpoints under `/wp-json/twilio-webhook/v1/`:
## Version History
### v2.3.0 (Current - September 2025) - ENTERPRISE READY
- **SECURITY ENHANCEMENT**: Removed frontend browser phone interface, moved to admin-only access for enhanced security
- **ASSET REDUCTION**: Eliminated 108KB of frontend assets (browser-phone-frontend.js and CSS files)
- **SHORTCODE SECURITY**: Browser phone shortcode now provides secure redirect with authentication checks
- **ATTACK SURFACE REDUCTION**: Minimized frontend JavaScript exposure and potential security vectors
- **EXTENSION TRANSFER SYSTEM**: Complete overhaul with queue-based routing, 2-minute timeout, and automatic voicemail fallback
- **BROWSER PHONE UNIVERSAL**: Firefox support, permission management, call stability, and cross-browser compatibility
- **AGENT STATUS AUTOMATION**: 1-minute auto-revert system with WordPress cron job integration