SMS Worker (Text Me The App)

Table of Contents

Overview
Source
API Endpoint
- POST /{campaign_id}
TMTA Flow
Campaign System
Phone Number Validation
Abuse Prevention and Rate Limiting
Twilio Integration
Environment Variables
Local Development
See Also

Overview

The SMS Cloudflare Worker implements the Text Me The App (TMTA) feature. When a prospective user visits floatme.io or floatme.com on desktop and enters their phone number, the web page calls this worker, which sends an SMS containing the app download link via Twilio.

The worker is deployed at sms.floatme.io (prod) and sms.test.floatme.io (test).

Source

cloudflare/workers/sms/

File Purpose

File	Purpose
`index.ts`	Entry point, CORS handling, phone validation, Twilio dispatch
`spec.yaml`	OpenAPI 3.0.3 spec defining the single `/{campaign_id}` endpoint
`wrangler.toml`	Worker name, routes, and environment variables (non-secret)
`secrets.sh`	Uploads `DATADOG_API_KEY` and `TWILIO_AUTH_TOKEN` via `wrangler secret put`

index.ts

Entry point, CORS handling, phone validation, Twilio dispatch

spec.yaml

OpenAPI 3.0.3 spec defining the single /{campaign_id} endpoint

wrangler.toml

Worker name, routes, and environment variables (non-secret)

secrets.sh

Uploads DATADOG_API_KEY and TWILIO_AUTH_TOKEN via wrangler secret put

API Endpoint

Full spec: cloudflare/workers/sms/spec.yaml (server: https://tmta.floatme.io).

Method Path Description

Method	Path	Description
`OPTIONS`	`/{campaign_id}`	CORS preflight check
`POST`	`/{campaign_id}`	Send the app download link to the given phone number
`*`	`*`	All other methods return `403 Forbidden`

OPTIONS

/{campaign_id}

CORS preflight check

POST

/{campaign_id}

Send the app download link to the given phone number

*

All other methods return 403 Forbidden

`POST /{campaign_id}`

Table 1. Request body (JSON)
Field	Type	Notes
`to`	string	Destination phone number; any format accepted by the `phone` library

Table 2. Responses
Status	Meaning
`201 Created`	SMS dispatched successfully via Twilio
`403 Forbidden`	Origin not allowed, body malformed, `to` missing, or phone number invalid / non-US
`500 Internal Server Error`	Twilio call failed

TMTA Flow

Browser (floatme.io)
  │
  ├─ OPTIONS /{campaign_id}   (CORS preflight)
  │    worker validates Origin header against allowlist
  │    → 204 No Content + CORS headers   OR   403 Forbidden
  │
  └─ POST /{campaign_id}
       worker validates Origin header
       worker parses { to } from JSON body
       worker validates phone number (phone library)  ──→  403 if invalid or non-US
       worker extracts campaign_id from URL path
       worker calls Twilio Messages API
         ├─ success → 201 Created
         └─ failure → 500 Internal Server Error

Campaign System

The URL path doubles as a campaign selector. The campaign_id is extracted from the last path segment (before any . extension). Known campaigns and their message text:

Campaign ID SMS message body

Campaign ID	SMS message body
`tt`	`Download FloatMe - Instant Payday Cash Advance https://app.floatme.com/ol/xroo/smslandertiktok`
`fbig`	`Download FloatMe - Instant Payday Cash Advance https://app.floatme.com/ol/xroo/smslanderfb`

tt

Download FloatMe - Instant Payday Cash Advance https://app.floatme.com/ol/xroo/smslandertiktok

fbig

Download FloatMe - Instant Payday Cash Advance https://app.floatme.com/ol/xroo/smslanderfb

If the campaign ID is not found in the map, getCampaign() returns undefined and Twilio will receive an empty body, resulting in an API error.

Phone Number Validation

The worker uses the phone npm library for validation and normalization.

Parse the raw to string with phone(to).
Reject if phoneNumber.isValid is false.
Reject if phoneNumber.countryIso2 is not US (only US numbers are allowed).
Normalize to E.164 format (phoneNumber.phoneNumber, e.g. +12105551234) before passing to Twilio.

Abuse Prevention and Rate Limiting

The worker implements several layers of abuse prevention:

Origin Allowlist (CORS)

Only requests from the following origins are accepted:

https://*.floatme.io
https://www.floatme.io
https://*.floatme.com
https://www.floatme.com

All other origins receive 403 Forbidden immediately, before any phone validation or Twilio call. Both the CORS preflight (OPTIONS) and the actual POST independently check the Origin header.

The isOriginAllowed function uses an exact string match (allowedHosts.includes(origin)), so the wildcard entries (https://*.floatme.io, https://*.floatme.com) are matched literally and will not match subdomains like https://staging.floatme.io. Only https://www.floatme.io and https://www.floatme.com are effectively allowed. This is a known code bug.

Country Restriction

Only US phone numbers are accepted (countryIso2 === "US"). International numbers are rejected with 403 Forbidden at validation time, before any Twilio call.

Input Validation

Missing or unparseable JSON body → 403 Forbidden (error logged to Datadog).
Missing to field → 403 Forbidden.
Invalid phone number format → 403 Forbidden.

There is no explicit per-IP or per-number rate limit implemented in the worker itself. Abuse prevention beyond the allowlist and country restriction relies on Cloudflare WAF rules applied at the zone level.

Twilio Integration

Twilio calls are made via the shared service client at cloudflare/services/twilio/index.ts.

The client POSTs to https://api.twilio.com/2010-04-01/Accounts/{accountSID}/Messages.json using HTTP Basic auth (accountSID:authToken, Base64-encoded).

Table 3. Twilio parameters used
Parameter	Source
`Body`	Campaign message string (from `campaigns` map, keyed by `campaign_id`)
`From`	`SMS_TMTA_FROM_NUMBER` env var (`+12108641371`)
`To`	Normalized E.164 phone number from `phone()` library
`MessagingServiceSid`	`SMS_TMTA_TWILIO_MESSAGING_SID` env var

Prod and test environments share the same Twilio account SID, auth token, from number, and messaging service SID. There is no separate test Twilio environment.

Environment Variables

Variable Kind Description

Variable	Kind	Description
`WORKER_ENV`	var	`prod` or `test`
`SMS_TMTA_FROM_NUMBER`	var	Twilio sender phone number in E.164 format
`SMS_TMTA_TWILIO_MESSAGING_SID`	var	Twilio Messaging Service SID
`TWILIO_ACCOUNT_SID`	var	Twilio account SID (same for prod and test)
`TWILIO_AUTH_TOKEN`	secret	Twilio auth token (Cloudflare secret, not in toml)
`DATADOG_API_KEY`	secret	Datadog ingest key for structured log shipping

WORKER_ENV

var

prod or test

SMS_TMTA_FROM_NUMBER

var

Twilio sender phone number in E.164 format

SMS_TMTA_TWILIO_MESSAGING_SID

var

Twilio Messaging Service SID

TWILIO_ACCOUNT_SID

var

Twilio account SID (same for prod and test)

TWILIO_AUTH_TOKEN

secret

Twilio auth token (Cloudflare secret, not in toml)

DATADOG_API_KEY

secret

Datadog ingest key for structured log shipping

Upload secrets with:

make secrets.sms.host

Local Development

make sms.local

This invokes:

wrangler dev cloudflare/workers/sms/index.ts \
  -c cloudflare/workers/sms/wrangler.toml

No --env flag is passed; wrangler uses the top-level defaults from wrangler.toml (worker name sms-local, route localhost/*). Provide TWILIO_AUTH_TOKEN and DATADOG_API_KEY via a .dev.vars file or your shell environment.

Wrangler starts a local HTTP server (default port 8787). Example test request:

curl -X POST http://localhost:8787/tt \
  -H "Origin: https://www.floatme.io" \
  -H "Content-Type: application/json" \
  -d '{"to": "+12105551234"}'