Open painkkiller opened 2 months ago
Have you checked this yet?
https://github.com/feathers-studio/telegraf-docs/tree/master/examples/mini-apps#validating-initdata
I've provided the link to this document in my question
Ah, you're right. Let me fix that. Give me a few minutes.
This code works for me (it correctly handles user object in WebApp.initDataUnsafe)
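```js
const { createHmac, timingSafeEqual } = require("node:crypto");

app.post('/api/validate', function (req, res) {
    // Separate the received hash from the fields it covers.
    const hash = req.body.hash;
    delete req.body.hash;
    // Build the data-check-string: "key=value" lines sorted by key, joined by "\n".
    const dataCheckString = Object.entries(req.body).sort().map(([k, v]) => {
        // Nested objects (such as `user`) are serialized back to JSON text.
        if (typeof v === "object" && v !== null) {
            v = JSON.stringify(v);
        }
        return `${k}=${v}`;
    }).join("\n");
    // secret = HMAC-SHA256(key "WebAppData", bot token); hash = HMAC-SHA256(key secret, data-check-string)
    const secret = createHmac("sha256", "WebAppData").update(process.env.BOT_TOKEN ?? "");
    const _hash = createHmac("sha256", secret.digest()).update(dataCheckString).digest("hex");
    console.log('|', dataCheckString, '|', hash, _hash); // debug output
    // Compare in constant time; timingSafeEqual requires equal-length buffers.
    const received = Buffer.from(String(hash));
    const expected = Buffer.from(_hash);
    if (received.length === expected.length && timingSafeEqual(received, expected)) {
        return res.json(req.body);
    }
    return res.status(401).json({});
});
```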
Something has changed. This algo got broken during this week.
I am using @twa-dev/sdk, and when my TWA application starts I get WebApp.initDataUnsafe. I need to validate it according to the docs, and I use the code from the docs. The main problem is that my hashes are never equal. In my WebApp.initDataUnsafe there is a user object, and it looks like it is ignored during this check: it is included in the check string as user=>[object Object], and that's probably the cause of the problem. But removing it doesn't solve the issue. So the format of the object required for validation needs to be clarified.
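An added example (not from the thread or the Telegraf docs) that validates the raw `WebApp.initData` string instead of re-serializing `WebApp.initDataUnsafe`, using the same HMAC chain as the code posted above. The token, the user, the one-hour age limit and the names `sign`, `dataCheckString` and `validateInitData` are assumptions made for illustration; the sample user JSON is constructed to contain `\/`, which `JSON.stringify` does not reproduce.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

// HMAC chain from the thread: key "WebAppData" over the bot token, then that
// digest as the key over the data-check-string.
function sign(checkString, botToken) {
  const secret = createHmac("sha256", "WebAppData").update(botToken).digest();
  return createHmac("sha256", secret).update(checkString).digest();
}

// "key=value" lines sorted by key and joined with "\n", excluding `hash`.
function dataCheckString(params) {
  return [...params.entries()]
    .filter(([k]) => k !== "hash")
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))
    .map(([k, v]) => `${k}=${v}`)
    .join("\n");
}

// Validate the raw initData string. Returns the fields, or null on failure.
// maxAgeSec is an assumed freshness policy, not a value from the page.
function validateInitData(initData, botToken, maxAgeSec = 3600, nowMs = Date.now()) {
  // URLSearchParams decodes each value once, so `user` keeps its signed bytes.
  const params = new URLSearchParams(initData);
  const hash = params.get("hash") ?? "";
  if (!/^[0-9a-f]{64}$/.test(hash)) return null; // also fixes the length at 32 bytes
  const expected = sign(dataCheckString(params), botToken);
  if (!timingSafeEqual(expected, Buffer.from(hash, "hex"))) return null;
  const age = nowMs / 1000 - Number(params.get("auth_date"));
  if (!(age <= maxAgeSec)) return null; // stale or missing auth_date
  params.delete("hash");
  return Object.fromEntries(params);
}

// Constructed sample (fake token, fake user); the user JSON contains "\/".
const DEMO_TOKEN = "0000000000:CONSTRUCTED-EXAMPLE-TOKEN";
const DEMO_USER = '{"id":1,"first_name":"Ann","photo_url":"https:\\/\\/example.invalid\\/a.jpg"}';
function demoInitData() {
  const p = new URLSearchParams({ auth_date: "1700000000", query_id: "AAA", user: DEMO_USER });
  p.set("hash", sign(dataCheckString(p), DEMO_TOKEN).toString("hex"));
  return p.toString();
}

// Parsing and re-serializing the user object yields different bytes, so a
// data-check-string rebuilt from it no longer matches the signed one.
function reserializedUser() {
  return JSON.stringify(JSON.parse(DEMO_USER));
}
```

On the client, send `WebApp.initData` unchanged to the server and parse the `user` field only after the hash has been verified.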