fixes in TelegramAPIUrlsKeeper#checkWebAppLink

2022-05-17 19:51:14 +06:00 · 2022-05-17 19:51:14 +06:00 · 58c1f2ee6a
parent 9d16ca3b7e
commit 58c1f2ee6a
4 changed files with 25 additions and 8 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,11 @@

 ## 1.1.1

+* `Versions`:
+    * `MicroUtils.Crypto` will not be provided with that library anymore. Instead, it is recommended to use `Korlibs.Krypto`. You still can add crypto from microutils using next groovy dependency: `dev.inmo:micro_utils.crypto:$micro_utils_version`
+* `Core`:
+    * Improvements in `TelegramAPIUrlsKeeper#checkWebAppLink`
+    * New field in `TelegramAPIUrlsKeeper#webAppDataSecretKeyHash`
 * `Behaviour Builder`:
    * Extension `TelegramBot#buildBehaviour` now returns `BehaviourContext`

--- a/gradle.properties
+++ b/gradle.properties
@ -8,7 +8,7 @@ kotlin.incremental.js=true
 kotlin_version=1.6.21
 kotlin_coroutines_version=1.6.1
 kotlin_serialisation_runtime_version=1.3.3
-klock_version=2.7.0
+korlibs_version=2.7.0
 uuid_version=0.4.0
 ktor_version=2.0.1

--- a/tgbotapi.core/build.gradle
+++ b/tgbotapi.core/build.gradle
@ -47,10 +47,10 @@ kotlin {
                api "org.jetbrains.kotlinx:kotlinx-serialization-json:$kotlin_serialisation_runtime_version"
                api "org.jetbrains.kotlinx:kotlinx-serialization-properties:$kotlin_serialisation_runtime_version"

-                api "com.soywiz.korlibs.klock:klock:$klock_version"
+                api "com.soywiz.korlibs.klock:klock:$korlibs_version"
+                api "com.soywiz.korlibs.krypto:krypto:$korlibs_version"
                api "com.benasher44:uuid:$uuid_version"

-                api "dev.inmo:micro_utils.crypto:$micro_utils_version"
                api "dev.inmo:micro_utils.coroutines:$micro_utils_version"
                api "dev.inmo:micro_utils.serialization.base64:$micro_utils_version"
                api "dev.inmo:micro_utils.serialization.encapsulator:$micro_utils_version"
--- a/tgbotapi.core/src/commonMain/kotlin/dev/inmo/tgbotapi/utils/TelegramAPIUrlsKeeper.kt
+++ b/tgbotapi.core/src/commonMain/kotlin/dev/inmo/tgbotapi/utils/TelegramAPIUrlsKeeper.kt
@ -1,7 +1,8 @@
 package dev.inmo.tgbotapi.utils

-import dev.inmo.micro_utils.crypto.hex
-import dev.inmo.micro_utils.crypto.hmacSha256
+import com.soywiz.krypto.*
+import io.ktor.http.decodeURLQueryComponent
+import io.ktor.utils.io.core.toByteArray

 const val telegramBotAPIDefaultUrl = "https://api.telegram.org"

@ -22,9 +23,11 @@ class TelegramAPIUrlsKeeper(
    hostUrl: String = telegramBotAPIDefaultUrl,
    urlsSuffixes: String = ""
 ) {
-    val webAppDataSecretKey by lazy {
-        token.hmacSha256("WebAppData")
+    val webAppDataSecretKeyHash by lazy {
+        HMAC.hmacSHA256("WebAppData".toByteArray(), token.toByteArray())
    }
+    val webAppDataSecretKey
+        get() = webAppDataSecretKeyHash.hexLower

    val commonAPIUrl: String
    val fileBaseUrl: String
@ -47,5 +50,14 @@ class TelegramAPIUrlsKeeper(
     * @param rawData Data from [dev.inmo.tgbotapi.webapps.WebApp.initData]
     * @param hash Data from [dev.inmo.tgbotapi.webapps.WebApp.initDataUnsafe] from the field [dev.inmo.tgbotapi.webapps.WebAppInitData.hash]
     */
-    fun checkWebAppLink(rawData: String, hash: String) = rawData.hmacSha256(webAppDataSecretKey).hex() == hash
+    fun checkWebAppLink(rawData: String, hash: String): Boolean {
+        val preparedData = rawData
+            .decodeURLQueryComponent()
+            .split("&")
+            .filterNot { it.startsWith("hash=") }
+            .sorted()
+            .joinToString("\n")
+
+        return HMAC.hmacSHA256(webAppDataSecretKeyHash.bytes, preparedData.toByteArray()).hexLower == hash.lowercase()
+    }
 }