mirror of
				https://github.com/InsanusMokrassar/TelegramBotAPI.git
				synced 2025-10-26 17:50:15 +00:00 
			
		
		
		
	"TelegramAPIUrlsKeeper" now have two new things: properties "webAppDataSecretKey" and fun "checkWebAppLink"
This commit is contained in:
		| @@ -2,6 +2,9 @@ | |||||||
|  |  | ||||||
| ## 0.38.16 | ## 0.38.16 | ||||||
|  |  | ||||||
|  | * `Core`: | ||||||
|  |     * `TelegramAPIUrlsKeeper` now have two new things: properties `webAppDataSecretKey` and fun `checkWebAppLink` | ||||||
|  |  | ||||||
| ## 0.38.15 | ## 0.38.15 | ||||||
|  |  | ||||||
| * `Common`: | * `Common`: | ||||||
|   | |||||||
| @@ -0,0 +1,7 @@ | |||||||
|  | package dev.inmo.tgbotapi.utils | ||||||
|  |  | ||||||
|  | import dev.inmo.micro_utils.crypto.SourceString | ||||||
|  |  | ||||||
|  | internal expect fun SourceString.hmacSha256(key: String): String | ||||||
|  |  | ||||||
|  | internal expect fun SourceString.hex(): String | ||||||
| @@ -18,6 +18,10 @@ class TelegramAPIUrlsKeeper( | |||||||
|     token: String, |     token: String, | ||||||
|     hostUrl: String = telegramBotAPIDefaultUrl |     hostUrl: String = telegramBotAPIDefaultUrl | ||||||
| ) { | ) { | ||||||
|  |     val webAppDataSecretKey by lazy { | ||||||
|  |         token.hmacSha256("WebAppData") | ||||||
|  |     } | ||||||
|  |  | ||||||
|     val commonAPIUrl: String |     val commonAPIUrl: String | ||||||
|     val fileBaseUrl: String |     val fileBaseUrl: String | ||||||
|  |  | ||||||
| @@ -28,4 +32,10 @@ class TelegramAPIUrlsKeeper( | |||||||
|     } |     } | ||||||
|  |  | ||||||
|     fun createFileLinkUrl(filePath: String) = "${fileBaseUrl}/$filePath" |     fun createFileLinkUrl(filePath: String) = "${fileBaseUrl}/$filePath" | ||||||
|  |  | ||||||
|  |     /** | ||||||
|  |      * @param rawData Data from [dev.inmo.tgbotapi.webapps.WebApp.initData] | ||||||
|  |      * @param hash Data from [dev.inmo.tgbotapi.webapps.WebApp.initDataUnsafe] from the field [dev.inmo.tgbotapi.webapps.WebAppInitData.hash] | ||||||
|  |      */ | ||||||
|  |     fun checkWebAppLink(rawData: String, hash: String) = rawData.hmacSha256(webAppDataSecretKey).hex() == hash | ||||||
| } | } | ||||||
|   | |||||||
| @@ -0,0 +1,8 @@ | |||||||
|  | package dev.inmo.tgbotapi.utils | ||||||
|  |  | ||||||
|  | import dev.inmo.micro_utils.crypto.CryptoJS | ||||||
|  | import dev.inmo.micro_utils.crypto.SourceString | ||||||
|  |  | ||||||
|  | actual fun SourceString.hmacSha256(key: String) = CryptoJS.asDynamic().HmacSHA256(this, key).unsafeCast<String>() | ||||||
|  |  | ||||||
|  | actual fun SourceString.hex() = CryptoJS.asDynamic().format.Hex(this).unsafeCast<String>() | ||||||
| @@ -0,0 +1,29 @@ | |||||||
|  | package dev.inmo.tgbotapi.utils | ||||||
|  |  | ||||||
|  | import dev.inmo.micro_utils.crypto.SourceBytes | ||||||
|  | import dev.inmo.micro_utils.crypto.SourceString | ||||||
|  | import javax.crypto.Mac | ||||||
|  | import javax.crypto.spec.SecretKeySpec | ||||||
|  |  | ||||||
|  | val HEX_ARRAY = "0123456789ABCDEF".toCharArray() | ||||||
|  |  | ||||||
|  | private fun SourceBytes.hex(): String { | ||||||
|  |     val hexChars = CharArray(size * 2) | ||||||
|  |     for (j in indices) { | ||||||
|  |         val v: Int = this[j].toInt() and 0xFF | ||||||
|  |         hexChars[j * 2] = HEX_ARRAY[v ushr 4] | ||||||
|  |         hexChars[j * 2 + 1] = HEX_ARRAY[v and 0x0F] | ||||||
|  |     } | ||||||
|  |     return String(hexChars) | ||||||
|  | } | ||||||
|  |  | ||||||
|  | actual fun SourceString.hmacSha256(key: String): String { | ||||||
|  |     val mac = Mac.getInstance("HmacSHA256") | ||||||
|  |  | ||||||
|  |     val secretKey = SecretKeySpec(key.toByteArray(), "HmacSHA256") | ||||||
|  |     mac.init(secretKey) | ||||||
|  |  | ||||||
|  |     return mac.doFinal(toByteArray()).hex() | ||||||
|  | } | ||||||
|  |  | ||||||
|  | actual fun SourceString.hex(): String = toByteArray().hex() | ||||||
| @@ -27,6 +27,13 @@ repositories { | |||||||
| } | } | ||||||
|  |  | ||||||
| kotlin { | kotlin { | ||||||
|  |     jvm { | ||||||
|  |         compilations.main { | ||||||
|  |             kotlinOptions { | ||||||
|  |                 jvmTarget = "1.8" | ||||||
|  |             } | ||||||
|  |         } | ||||||
|  |     } | ||||||
|     js(IR) { |     js(IR) { | ||||||
|         browser() |         browser() | ||||||
|         nodejs() |         nodejs() | ||||||
|   | |||||||
| @@ -0,0 +1,9 @@ | |||||||
|  | package dev.inmo.tgbotapi.webapps | ||||||
|  |  | ||||||
|  | import dev.inmo.tgbotapi.utils.* | ||||||
|  |  | ||||||
|  | /** | ||||||
|  |  * @param rawData Data from [dev.inmo.tgbotapi.webapps.WebApp.initData] | ||||||
|  |  * @param hash Data from [dev.inmo.tgbotapi.webapps.WebApp.initDataUnsafe] from the field [dev.inmo.tgbotapi.webapps.WebAppInitData.hash] | ||||||
|  |  */ | ||||||
|  | fun TelegramAPIUrlsKeeper.checkWebAppLink(rawData: String, hash: String) = rawData.hmacSha256(webAppDataSecretKey).hex() == hash | ||||||
| @@ -1,6 +1,7 @@ | |||||||
| package dev.inmo.tgbotapi.webapps | package dev.inmo.tgbotapi.webapps | ||||||
|  |  | ||||||
| import dev.inmo.micro_utils.crypto.CryptoJS | import dev.inmo.micro_utils.crypto.CryptoJS | ||||||
|  | import dev.inmo.tgbotapi.utils.TelegramAPIUrlsKeeper | ||||||
|  |  | ||||||
| external class WebApp { | external class WebApp { | ||||||
|     val initData: String |     val initData: String | ||||||
| @@ -76,6 +77,7 @@ fun WebApp.onMainButtonClicked(eventHandler: EventHandler) = onEvent(EventType.M | |||||||
|  */ |  */ | ||||||
| fun WebApp.onViewportChanged(eventHandler: ViewportChangedEventHandler) = onEvent(EventType.ViewportChanged, eventHandler) | fun WebApp.onViewportChanged(eventHandler: ViewportChangedEventHandler) = onEvent(EventType.ViewportChanged, eventHandler) | ||||||
|  |  | ||||||
| fun WebApp.isInitDataSafe(botToken: String) = CryptoJS.hex( | fun WebApp.isInitDataSafe(botToken: String) = TelegramAPIUrlsKeeper(botToken).checkWebAppLink( | ||||||
|     CryptoJS.HmacSHA256(botToken, "WebAppData") |     initData, | ||||||
| ) == initDataUnsafe.hash |     initDataUnsafe.hash | ||||||
|  | ) | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user