search

mgilangjanuar / teledrive

The Google Drive/OneDrive/etc alternative using Telegram API
https://teledriveapp.com
GNU General Public License v3.0
2.05k stars 950 forks source link

Saving TG Session in DB seems Inappropriate? #133

Closed lx200916 closed 2 years ago

lx200916 commented 2 years ago

Is your feature request related to a problem? Please describe.

    if (file.sharing_options?.length && !key) {
      key = AES.encrypt(JSON.stringify({ file: { id: file.id }, session: req.tg.session.save() }), process.env.FILES_JWT_SECRET).toString()
    }

Seems like user`s TG Session will be saved in DB when they share files.This behaviour may lack their credentials and identity with DB hacked... And the owner may get Telegram credentials of user saved in DB as long as they share files.

Describe the solution you'd like Forwording files to a certain bot for file sharing and getting them with bot API may avoid lack user credentials.

Describe alternatives you've considered A clear and concise description of any alternative solutions or features you've considered.

Additional context Add any other context or screenshots about the feature request here.

mgilangjanuar commented 2 years ago

Yes, I agree with the problem. But, it will not easy for anyone who gets the database access unless he knows the environment variable of the server too.

And the solution for using a bot, it only can send files with 50MB filesize (https://core.telegram.org/bots/faq#how-do-i-upload-a-large-file).

Another solution is to disable the public share and change the strategy of sharing files using the forward messages method to specific users. Or, something else we'll figure out to solve this security debt 🤔

mgilangjanuar commented 2 years ago

Oh, I know, we'll build the forward feature to differentiate with the share feature and add some noticeable alert before users share files. Sounds good? 🤔

edit: I think using bot for forward the message files sound good too 🤔

lx200916 commented 2 years ago

Yes, exactly. When someone to share files, they send them to a certain bot ,so the bot can access them with BotAPI and bypass the 50MB Limit. Also the bot can forword the messages to receivers if possible.

mgilangjanuar commented 2 years ago

Yes, one thing that doubts me. How do the unlogged-in users download the public files if they don't have access to the bot? 🤔 But, I'll try it first.

Edit: nvm, it sounds feasible lol, thank you!

mgilangjanuar commented 2 years ago

The file with size more than 50MB is can't downloaded with the bot API. It returns: {"ok":false,"error_code":400,"description":"Bad Request: file is too big"}

mgilangjanuar commented 2 years ago

I'll execute this idea:

we'll build the forward feature to differentiate with the share feature and add some noticeable alert before users share files. Sounds good? 🤔

image image image