feathers-studio / telegraf-docs

Documentation for Telegraf - the modern Bot API framework
https://telegraf.js.org
MIT License

Question about docs, how to validate WebApp.initDataUnsafe ? #21

Open painkkiller opened 2 months ago

painkkiller commented 2 months ago

I am using @twa-dev/sdk and when my TWA application starts I am getting WebApp.initDataUnsafe. I need to validate it according to the docs, and I use the code from the docs. The main problem is that my hashes are never equal. In my WebApp.initDataUnsafe there is an object `user`, and it looks like it is ignored during this check: it is included in the check string as user=>[object Object], and that is probably the cause of the problem. But removing it doesn't solve the issue. So the format of the object required for validation needs to be clarified.

MKRhere commented 2 months ago

Have you checked this yet?

https://github.com/feathers-studio/telegraf-docs/tree/master/examples/mini-apps#validating-initdata

painkkiller commented 2 months ago

> Have you checked this yet?
>
> https://github.com/feathers-studio/telegraf-docs/tree/master/examples/mini-apps#validating-initdata

I've provided the link to this document in my question

MKRhere commented 2 months ago

Ah, you're right. Let me fix that. Give me a few minutes.

painkkiller commented 2 months ago

This code works for me (it correctly handles the `user` object in WebApp.initDataUnsafe):


    const { createHmac } = require("crypto");

    app.post('/api/validate', function (req, res) {
        // The client posts WebApp.initDataUnsafe as JSON; `hash` is the signature
        // and must not be part of the data-check-string.
        const hash = req.body.hash;
        delete req.body.hash;

        // Build "key=value" lines sorted by key (byte order) and joined with "\n".
        // The `user` field arrives as a parsed object, so serialise it back to JSON.
        const dataCheckString = Object.entries(req.body)
            .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))
            .map(([k, v]) => {
                if (typeof v === "object" && v !== null) {
                    v = JSON.stringify(v);
                }
                return `${k}=${v}`;
            })
            .join("\n");

        // secret_key = HMAC_SHA256(key = "WebAppData", message = bot_token)
        const secret = createHmac("sha256", "WebAppData").update(process.env.BOT_TOKEN ?? "");
        const _hash = createHmac("sha256", secret.digest()).update(dataCheckString).digest("hex");

        console.log('|', dataCheckString, '|', hash, _hash);

        if (hash === _hash) {
            return res.json(req.body);
        }

        return res.status(401).json({});
    });

painkkiller commented 1 week ago

Something has changed. This algorithm got broken this week.