TelegramBots / Telegram.Bot

.NET Client for Telegram Bot API
https://telegrambots.github.io/book
MIT License

Middleware to validate secret_token #1112

Closed karb0f0s closed 2 months ago

karb0f0s commented 2 years ago

We can ship middleware/extension method to validate secret_token in ASP.NET Core applications.

If you'd like to make sure that the webhook was set by you, you can specify secret data in the parameter secret_token. If specified, the request will contain a header “X-Telegram-Bot-Api-Secret-Token” with the secret token as content.

wiz0u commented 3 months ago

Some people start reproaching ASP.NET dependencies on our main library https://github.com/TelegramBots/book/issues/112

So I put this issue on hold, as we might move all ASP.NET-related code into a separate package in the future.

wiz0u commented 2 months ago

Why make things complex when it can be solved by adding a single line in the controller:

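    [HttpPost]
    public async Task<IActionResult> Post([FromBody] Update update)
    {
        // Reject any request whose header does not match the secret_token given to setWebhook
        if (Request.Headers["X-Telegram-Bot-Api-Secret-Token"] != SecretToken) return Forbid();
        // handle the update
        return Ok();
    }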

See https://github.com/TelegramBots/Telegram.Bot.Examples/blob/master/Webhook.Controllers/Controllers/BotController.cs#L24
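For comparison with the one-line controller check, the middleware proposed in this issue could look like the following, with a constant-time comparison and rejection before the request body is bound. This is an added example, not code from Telegram.Bot or its examples repository; the class name `SecretTokenMiddleware`, the `/bot` path and the `Bot:SecretToken` configuration key are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var app = WebApplication.CreateBuilder(args).Build();

// Hypothetical configuration key; it must hold the value passed as secret_token to setWebhook.
var secret = app.Configuration["Bot:SecretToken"];
if (string.IsNullOrEmpty(secret))
    throw new InvalidOperationException("Bot:SecretToken is not configured"); // fail closed

// Hypothetical webhook path; only requests under it are checked.
app.UseWhen(ctx => ctx.Request.Path.StartsWithSegments("/bot"),
    branch => branch.UseMiddleware<SecretTokenMiddleware>(secret));

app.MapPost("/bot", () => Results.Ok()); // placeholder for the real update handler
app.Run();

public sealed class SecretTokenMiddleware
{
    private const string HeaderName = "X-Telegram-Bot-Api-Secret-Token";
    private readonly RequestDelegate _next;
    private readonly byte[] _expected;

    public SecretTokenMiddleware(RequestDelegate next, string secretToken)
    {
        _next = next;
        _expected = Encoding.UTF8.GetBytes(secretToken);
    }

    public Task InvokeAsync(HttpContext context)
    {
        var values = context.Request.Headers[HeaderName];
        // Accept exactly one header value; a missing or repeated header is rejected.
        if (values.Count == 1 && values[0] is string presented &&
            CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(presented), _expected))
        {
            return _next(context);
        }
        // Set the status directly; this needs no authentication scheme and
        // stops the request before model binding or handler code sees the body.
        context.Response.StatusCode = StatusCodes.Status403Forbidden;
        return Task.CompletedTask;
    }
}
```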