Closed devzorg closed 1 year ago
Could you please elaborate
a) how you think the webhook url can be leaked, and
b) why it's more secure to leak a new secret that needs to be shared between BotFather/Telegram and your application instead of the bot token secret that is already known to both sides?
c) Why do you think it's necessary to include dev and development? Why are you not using the default "local" for local development?
d) For whom did you add those comments in the config file? The normal user will (normally) never see it. We should explain this in the .env.example file or, better yet, in the README, where you added those already.
I think it makes sense to add an explanation for the environment variables to the readme, but as @TiiFuchs says, the other parts don't make it more secure, as far as I can tell.
@devzorg Please do elaborate if you disagree, we're all interested in providing the best solution.
We will add a better explanation for environment and other needed setup procedures, but the proposed changes here are not helping, so I'm closing this. Thanks anyway!
Add some comments to config
Add ENV vars to readme
Add environments to middleware to pass requests for dev purposes
Add secret_token to avoid leak of real bot token (it uses the bot token right in the URL but needs only to determine an authorized request for the controller, so any unique string is enough for these purposes)
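
The two ways of authorizing an incoming webhook request that this thread compares, side by side, as an added example (not code from this pull request or the project): the bot token as the last URL segment, and a separate `secret_token` registered with `setWebhook` and checked against the `X-Telegram-Bot-Api-Secret-Token` header. The function names, the `/telegram/webhook/` path and the sample token are assumptions made up for illustration.

```python
import hmac
import re
import secrets

# Header Telegram sends on every webhook call when setWebhook got a secret_token.
SECRET_HEADER = "x-telegram-bot-api-secret-token"
# The Bot API allows 1-256 characters from A-Z, a-z, 0-9, "_" and "-".
SECRET_RE = re.compile(r"[A-Za-z0-9_-]{1,256}")

# Constructed sample values, not real credentials or project paths.
SAMPLE_TOKEN = "123456:CONSTRUCTED-sample-token"
SAMPLE_PATH = "/telegram/webhook/" + SAMPLE_TOKEN


def new_webhook_secret() -> str:
    """Random value to register as secret_token (43 URL-safe characters)."""
    return secrets.token_urlsafe(32)


def _equal(a: str, b: str) -> bool:
    # Constant-time comparison, so response timing does not reveal a prefix match.
    return hmac.compare_digest(a.encode(), b.encode())


def authorize_by_path(path: str, bot_token: str) -> bool:
    """Scheme A: the last segment of the webhook URL must be the bot token."""
    return _equal(path.rsplit("/", 1)[-1], bot_token)


def authorize_by_header(headers: dict, secret: str) -> bool:
    """Scheme B: the URL holds no credential; the header must equal the secret."""
    if not SECRET_RE.fullmatch(secret):
        raise ValueError("value is not acceptable as a setWebhook secret_token")
    sent = {k.lower(): v for k, v in headers.items()}.get(SECRET_HEADER, "")
    return _equal(sent, secret)


def loggable_path(path: str, bot_token: str) -> str:
    """Scheme A puts the token in every request line; mask it before logging."""
    return path.replace(bot_token, "<redacted>")
```

In either scheme the compared value is a shared secret between Telegram and the application; what differs is whether it travels in the request line or in a header.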