1
0
mirror of https://github.com/InsanusMokrassar/TelegramBotAPI.git synced 2024-11-24 19:18:44 +00:00

"TelegramAPIUrlsKeeper" now have two new things: properties "webAppDataSecretKey" and fun "checkWebAppLink"

This commit is contained in:
InsanusMokrassar 2022-04-29 19:11:38 +06:00
parent c70484076d
commit 4799617ced
8 changed files with 78 additions and 3 deletions

View File

@ -2,6 +2,9 @@
## 0.38.16 ## 0.38.16
* `Core`:
* `TelegramAPIUrlsKeeper` now have two new things: properties `webAppDataSecretKey` and fun `checkWebAppLink`
## 0.38.15 ## 0.38.15
* `Common`: * `Common`:

View File

@ -0,0 +1,7 @@
package dev.inmo.tgbotapi.utils
import dev.inmo.micro_utils.crypto.SourceString
internal expect fun SourceString.hmacSha256(key: String): String
internal expect fun SourceString.hex(): String

View File

@ -18,6 +18,10 @@ class TelegramAPIUrlsKeeper(
token: String, token: String,
hostUrl: String = telegramBotAPIDefaultUrl hostUrl: String = telegramBotAPIDefaultUrl
) { ) {
val webAppDataSecretKey by lazy {
token.hmacSha256("WebAppData")
}
val commonAPIUrl: String val commonAPIUrl: String
val fileBaseUrl: String val fileBaseUrl: String
@ -28,4 +32,10 @@ class TelegramAPIUrlsKeeper(
} }
fun createFileLinkUrl(filePath: String) = "${fileBaseUrl}/$filePath" fun createFileLinkUrl(filePath: String) = "${fileBaseUrl}/$filePath"
/**
* @param rawData Data from [dev.inmo.tgbotapi.webapps.WebApp.initData]
* @param hash Data from [dev.inmo.tgbotapi.webapps.WebApp.initDataUnsafe] from the field [dev.inmo.tgbotapi.webapps.WebAppInitData.hash]
*/
fun checkWebAppLink(rawData: String, hash: String) = rawData.hmacSha256(webAppDataSecretKey).hex() == hash
} }

View File

@ -0,0 +1,8 @@
package dev.inmo.tgbotapi.utils
import dev.inmo.micro_utils.crypto.CryptoJS
import dev.inmo.micro_utils.crypto.SourceString
actual fun SourceString.hmacSha256(key: String) = CryptoJS.asDynamic().HmacSHA256(this, key).unsafeCast<String>()
actual fun SourceString.hex() = CryptoJS.asDynamic().format.Hex(this).unsafeCast<String>()

View File

@ -0,0 +1,29 @@
package dev.inmo.tgbotapi.utils
import dev.inmo.micro_utils.crypto.SourceBytes
import dev.inmo.micro_utils.crypto.SourceString
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec
val HEX_ARRAY = "0123456789ABCDEF".toCharArray()
private fun SourceBytes.hex(): String {
val hexChars = CharArray(size * 2)
for (j in indices) {
val v: Int = this[j].toInt() and 0xFF
hexChars[j * 2] = HEX_ARRAY[v ushr 4]
hexChars[j * 2 + 1] = HEX_ARRAY[v and 0x0F]
}
return String(hexChars)
}
actual fun SourceString.hmacSha256(key: String): String {
val mac = Mac.getInstance("HmacSHA256")
val secretKey = SecretKeySpec(key.toByteArray(), "HmacSHA256")
mac.init(secretKey)
return mac.doFinal(toByteArray()).hex()
}
actual fun SourceString.hex(): String = toByteArray().hex()

View File

@ -27,6 +27,13 @@ repositories {
} }
kotlin { kotlin {
jvm {
compilations.main {
kotlinOptions {
jvmTarget = "1.8"
}
}
}
js(IR) { js(IR) {
browser() browser()
nodejs() nodejs()

View File

@ -0,0 +1,9 @@
package dev.inmo.tgbotapi.webapps
import dev.inmo.tgbotapi.utils.*
/**
* @param rawData Data from [dev.inmo.tgbotapi.webapps.WebApp.initData]
* @param hash Data from [dev.inmo.tgbotapi.webapps.WebApp.initDataUnsafe] from the field [dev.inmo.tgbotapi.webapps.WebAppInitData.hash]
*/
fun TelegramAPIUrlsKeeper.checkWebAppLink(rawData: String, hash: String) = rawData.hmacSha256(webAppDataSecretKey).hex() == hash

View File

@ -1,6 +1,7 @@
package dev.inmo.tgbotapi.webapps package dev.inmo.tgbotapi.webapps
import dev.inmo.micro_utils.crypto.CryptoJS import dev.inmo.micro_utils.crypto.CryptoJS
import dev.inmo.tgbotapi.utils.TelegramAPIUrlsKeeper
external class WebApp { external class WebApp {
val initData: String val initData: String
@ -76,6 +77,7 @@ fun WebApp.onMainButtonClicked(eventHandler: EventHandler) = onEvent(EventType.M
*/ */
fun WebApp.onViewportChanged(eventHandler: ViewportChangedEventHandler) = onEvent(EventType.ViewportChanged, eventHandler) fun WebApp.onViewportChanged(eventHandler: ViewportChangedEventHandler) = onEvent(EventType.ViewportChanged, eventHandler)
fun WebApp.isInitDataSafe(botToken: String) = CryptoJS.hex( fun WebApp.isInitDataSafe(botToken: String) = TelegramAPIUrlsKeeper(botToken).checkWebAppLink(
CryptoJS.HmacSHA256(botToken, "WebAppData") initData,
) == initDataUnsafe.hash initDataUnsafe.hash
)