1
0
mirror of https://github.com/InsanusMokrassar/TelegramBotAPI.git synced 2024-12-22 16:47:13 +00:00

Merge pull request #573 from InsanusMokrassar/0.38.16

0.38.16
This commit is contained in:
InsanusMokrassar 2022-04-29 23:28:12 +06:00 committed by GitHub
commit 37317a1055
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 67 additions and 4 deletions

View File

@ -1,5 +1,10 @@
# TelegramBotAPI changelog
## 0.38.16
* `Core`:
* `TelegramAPIUrlsKeeper` now have two new things: properties `webAppDataSecretKey` and fun `checkWebAppLink`
## 0.38.15
* `Common`:

View File

@ -20,6 +20,6 @@ javax_activation_version=1.1.1
dokka_version=1.6.10
library_group=dev.inmo
library_version=0.38.15
library_version=0.38.16
github_release_plugin_version=2.3.7

View File

@ -0,0 +1,19 @@
package dev.inmo.tgbotapi.utils
import dev.inmo.micro_utils.crypto.SourceBytes
import dev.inmo.micro_utils.crypto.SourceString
internal expect fun SourceString.hmacSha256(key: String): String
private val HEX_ARRAY = "0123456789abcdef".toCharArray()
internal fun SourceBytes.hex(): String {
val hexChars = CharArray(size * 2)
for (j in indices) {
val v: Int = this[j].toInt() and 0xFF
hexChars[j * 2] = HEX_ARRAY[v ushr 4]
hexChars[j * 2 + 1] = HEX_ARRAY[v and 0x0F]
}
return hexChars.concatToString()
}
internal fun SourceString.hex(): String = encodeToByteArray().hex()

View File

@ -18,6 +18,10 @@ class TelegramAPIUrlsKeeper(
token: String,
hostUrl: String = telegramBotAPIDefaultUrl
) {
val webAppDataSecretKey by lazy {
token.hmacSha256("WebAppData")
}
val commonAPIUrl: String
val fileBaseUrl: String
@ -28,4 +32,10 @@ class TelegramAPIUrlsKeeper(
}
fun createFileLinkUrl(filePath: String) = "${fileBaseUrl}/$filePath"
/**
* @param rawData Data from [dev.inmo.tgbotapi.webapps.WebApp.initData]
* @param hash Data from [dev.inmo.tgbotapi.webapps.WebApp.initDataUnsafe] from the field [dev.inmo.tgbotapi.webapps.WebAppInitData.hash]
*/
fun checkWebAppLink(rawData: String, hash: String) = rawData.hmacSha256(webAppDataSecretKey).hex() == hash
}

View File

@ -0,0 +1,6 @@
package dev.inmo.tgbotapi.utils
import dev.inmo.micro_utils.crypto.CryptoJS
import dev.inmo.micro_utils.crypto.SourceString
actual fun SourceString.hmacSha256(key: String) = CryptoJS.asDynamic().HmacSHA256(this, key).toString().unsafeCast<String>()

View File

@ -0,0 +1,14 @@
package dev.inmo.tgbotapi.utils
import dev.inmo.micro_utils.crypto.SourceString
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec
actual fun SourceString.hmacSha256(key: String): String {
val mac = Mac.getInstance("HmacSHA256")
val secretKey = SecretKeySpec(key.toByteArray(), "HmacSHA256")
mac.init(secretKey)
return mac.doFinal(toByteArray()).hex()
}

View File

@ -27,6 +27,13 @@ repositories {
}
kotlin {
jvm {
compilations.main {
kotlinOptions {
jvmTarget = "1.8"
}
}
}
js(IR) {
browser()
nodejs()

View File

@ -1,6 +1,7 @@
package dev.inmo.tgbotapi.webapps
import dev.inmo.micro_utils.crypto.CryptoJS
import dev.inmo.tgbotapi.utils.TelegramAPIUrlsKeeper
external class WebApp {
val initData: String
@ -76,6 +77,7 @@ fun WebApp.onMainButtonClicked(eventHandler: EventHandler) = onEvent(EventType.M
*/
fun WebApp.onViewportChanged(eventHandler: ViewportChangedEventHandler) = onEvent(EventType.ViewportChanged, eventHandler)
fun WebApp.isInitDataSafe(botToken: String) = CryptoJS.hex(
CryptoJS.HmacSHA256(botToken, "WebAppData")
) == initDataUnsafe.hash
fun WebApp.isInitDataSafe(botToken: String) = TelegramAPIUrlsKeeper(botToken).checkWebAppLink(
initData,
initDataUnsafe.hash
)