Closed. KnorpelSenf closed this issue 3 years ago.
Tokens leak because of the carelessness of bot owners. The proposed measures are very unlikely to change that.
Besides, bot logs need to be kept private by default, and the mentioned "request details" often need even more protection than the bot's token itself, which can be replaced in no time.
Problem Description
While it's pretty simple to have the token in the URL (easy to get started with bots), it has a number of drawbacks. Most importantly, the token will accidentally be written to the log output of bots and can easily be revealed. Some bot frameworks even go so far as to sanitize log output to mitigate this issue.
In fact, token leaks are so common that the @BotTalk group regularly sees this sticker. [1] This is not solely related to logs, but it still happens often enough. (Also it is a bit annoying that bot logs contain confidential data, because they now have to be kept secure, or no requests can be logged in detail.)
Desired Solution
It would be nice to be able to authenticate requests via HTTP header (e.g. via "Authorization: Bearer <token>" or via "X-Telegram-Bot-Api: <token>") as an additional way of sending the token. [1]
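As an added example (not code from this issue, from the Bot API server, or from any bot framework), here is the kind of log sanitization the issue refers to: a logging filter that redacts anything shaped like a bot token before it reaches a handler, whether it appears in the request URL path "/bot<token>/" or in one of the proposed auth headers. The token shape (numeric bot id, a colon, then a long secret) and the sample token are assumptions.

```python
import logging
import re

# Assumed token shape: "<bot id>:<secret>", where the secret is a long run of
# URL-safe characters. The bot id is not sensitive and is kept to aid debugging;
# only the secret part is replaced.
TOKEN_RE = re.compile(r"(\d+:)[A-Za-z0-9_-]{20,}")

# Constructed fake token used only for the demonstration below.
SAMPLE_TOKEN = "123456789:AAHfakeTOKENexample_abcdefghijklmno"


def redact(text: str) -> str:
    """Replace the secret part of every token-like substring with a placeholder.

    Works for the URL form (https://api.telegram.org/bot<token>/getMe) and for
    header values alike, since the token has the same shape in both places.
    """
    return TOKEN_RE.sub(r"\1[REDACTED]", text)


class TokenRedactingFilter(logging.Filter):
    """Rewrite the fully formatted message so no handler ever sees the token."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated into msg above
        return True


def demo_logging() -> list[str]:
    """Log two constructed request lines through the filter and return the output."""
    sink: list[str] = []

    class ListHandler(logging.Handler):
        def emit(self, record: logging.LogRecord) -> None:
            sink.append(self.format(record))

    logger = logging.getLogger("telegram.bot.demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(ListHandler())
    logger.addFilter(TokenRedactingFilter())

    # Constructed sample lines: token in the URL path, then in a header.
    logger.info("POST https://api.telegram.org/bot%s/sendMessage -> 200", SAMPLE_TOKEN)
    logger.debug("request headers: Authorization: Bearer %s", SAMPLE_TOKEN)
    return sink
```

Attaching the filter to the logger (rather than to one handler) redacts the record once, before any file, console or remote handler formats it.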