Ajaxy / telegram-tt

Telegram Web A, GPL v3
https://web.telegram.org/a
GNU General Public License v3.0

Implications of using api secrets in a public environment? #342

Closed Haarolean closed 1 month ago

Haarolean commented 10 months ago

Hi,

more of a question actually, rather than an issue. Couldn't find the answer to my question anywhere else so decided to raise one here.

As stated in the README, running the app requires an app id and secret token from my.telegram.org, where, in turn, it's stated for both the id and the hash that "it's forbidden to pass this value to third parties". Since the client is frontend-only, running it with secrets will get the tokens exposed to the end user, and obfuscation here can't be called quite a secure way to prevent one from reading them.

This raises further questions: is it possible to run the app in a publicly accessible environment, or should I run it exclusively for my personal use? If the latter, how is the app being run on web.telegram.org itself?

Really hope to get the answers, thanks!

freele commented 1 month ago

Same question. For some reason, I cannot find it in the exposed files in the "Sources" tab in Chrome's development console, but I do see it in the JavaScript files in the dist folder. At this point, I don't understand how it authorizes the user when I don't see this code in the "Sources," but my main concern is: Is it okay to deploy static code with built-in secrets?
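One way to confirm what is described above, namely whether a configured credential actually ends up in the shipped build output, is to scan the dist directory for it rather than rely on what the browser's "Sources" tab shows. The following is an added example and not code from the telegram-tt project; it constructs a throwaway sample dist tree and a placeholder `SAMPLE_API_HASH` value (both assumptions made for the example) and reports every file and byte offset where the value appears.

```python
"""Scan a built frontend bundle for an embedded credential.

Added example, not part of telegram-tt. It assumes the build output is a
directory tree (here a constructed temporary one) and that the operator
supplies the credential value to look for.
"""
import tempfile
from pathlib import Path

# Constructed placeholder; a real check would use the value the operator
# configured for their own deployment, never a value taken from elsewhere.
SAMPLE_API_HASH = "0123456789abcdef0123456789abcdef"

# File types a bundler typically emits; source maps are included because
# they can carry the original source, including inlined constants.
DEFAULT_EXTENSIONS = (".js", ".mjs", ".map", ".html", ".json")


def find_embedded_secret(dist_dir, secret, extensions=DEFAULT_EXTENSIONS):
    """Return a sorted list of (relative posix path, byte offset) for every
    occurrence of `secret` in files under `dist_dir` with a matching suffix."""
    root = Path(dist_dir)
    needle = secret.encode()
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in extensions:
            continue
        data = path.read_bytes()  # bytes, so minified or non-UTF-8 output is fine
        start = 0
        while True:
            idx = data.find(needle, start)
            if idx == -1:
                break
            hits.append((path.relative_to(root).as_posix(), idx))
            start = idx + 1
    return hits


def build_sample_dist():
    """Create a constructed dist tree that mimics a bundler's output, with the
    credential inlined as a string literal the way a build-time env var is."""
    root = Path(tempfile.mkdtemp(prefix="dist-"))
    (root / "assets").mkdir()
    (root / "index.html").write_text('<script src="assets/main.js"></script>\n')
    (root / "assets" / "main.js").write_text(
        'const e={apiId:12345,apiHash:"%s"};' % SAMPLE_API_HASH
    )
    (root / "assets" / "vendor.js").write_text("function f(){return 1}")
    return root


if __name__ == "__main__":
    sample_root = build_sample_dist()
    for rel_path, offset in find_embedded_secret(sample_root, SAMPLE_API_HASH):
        print(f"credential found in {rel_path} at byte {offset}")
```

Run it against a real build by calling `find_embedded_secret("dist", <your configured value>)`; an empty result for the bundle but a hit in a `.map` file means the source map, not the bundle, is leaking the value.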

Ajaxy commented 1 month ago

It is mostly OK.

Haarolean commented 1 month ago

> It is mostly OK.

@Ajaxy could you elaborate please? The aforementioned token is "forbidden to pass to 3rd parties"

Ajaxy commented 1 month ago

Yes, but it cannot be avoided for a front-end party. Someone can misuse your credentials, and you can face blockages, but that happens rarely.