From 58c1f2ee6af355d4567e595d9471ce6675f65dfc Mon Sep 17 00:00:00 2001 From: InsanusMokrassar Date: Tue, 17 May 2022 19:51:14 +0600 Subject: [PATCH] fixes in TelegramAPIUrlsKeeper#checkWebAppLink --- CHANGELOG.md | 5 +++++ gradle.properties | 2 +- tgbotapi.core/build.gradle | 4 ++-- .../tgbotapi/utils/TelegramAPIUrlsKeeper.kt | 22 ++++++++++++++----- 4 files changed, 25 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 89f0ff080e..96438400f0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,11 @@ ## 1.1.1 +* `Versions`: + * `MicroUtils.Crypto` will not be provided with that library anymore. Instead, it is recommended to use `Korlibs.Krypto`. You still can add crypto from microutils using next groovy dependency: `dev.inmo:micro_utils.crypto:$micro_utils_version` +* `Core`: + * Improvements in `TelegramAPIUrlsKeeper#checkWebAppLink` + * New field in `TelegramAPIUrlsKeeper#webAppDataSecretKeyHash` * `Behaviour Builder`: * Extension `TelegramBot#buildBehaviour` now returns `BehaviourContext` diff --git a/gradle.properties b/gradle.properties index bccf3f2a91..2d0fa06f61 100644 --- a/gradle.properties +++ b/gradle.properties @@ -8,7 +8,7 @@ kotlin.incremental.js=true kotlin_version=1.6.21 kotlin_coroutines_version=1.6.1 kotlin_serialisation_runtime_version=1.3.3 -klock_version=2.7.0 +korlibs_version=2.7.0 uuid_version=0.4.0 ktor_version=2.0.1 diff --git a/tgbotapi.core/build.gradle b/tgbotapi.core/build.gradle index cb2273c5f7..28889e2fb0 100644 --- a/tgbotapi.core/build.gradle +++ b/tgbotapi.core/build.gradle 
@@ -47,10 +47,10 @@ kotlin { api "org.jetbrains.kotlinx:kotlinx-serialization-json:$kotlin_serialisation_runtime_version" api "org.jetbrains.kotlinx:kotlinx-serialization-properties:$kotlin_serialisation_runtime_version" - api "com.soywiz.korlibs.klock:klock:$klock_version" + api "com.soywiz.korlibs.klock:klock:$korlibs_version" + api "com.soywiz.korlibs.krypto:krypto:$korlibs_version" api "com.benasher44:uuid:$uuid_version" - api "dev.inmo:micro_utils.crypto:$micro_utils_version" api "dev.inmo:micro_utils.coroutines:$micro_utils_version" api "dev.inmo:micro_utils.serialization.base64:$micro_utils_version" api "dev.inmo:micro_utils.serialization.encapsulator:$micro_utils_version" diff --git a/tgbotapi.core/src/commonMain/kotlin/dev/inmo/tgbotapi/utils/TelegramAPIUrlsKeeper.kt b/tgbotapi.core/src/commonMain/kotlin/dev/inmo/tgbotapi/utils/TelegramAPIUrlsKeeper.kt index 1dfe697c08..83f390cf94 100644 --- a/tgbotapi.core/src/commonMain/kotlin/dev/inmo/tgbotapi/utils/TelegramAPIUrlsKeeper.kt +++ b/tgbotapi.core/src/commonMain/kotlin/dev/inmo/tgbotapi/utils/TelegramAPIUrlsKeeper.kt @@ -1,7 +1,8 @@ package dev.inmo.tgbotapi.utils -import dev.inmo.micro_utils.crypto.hex -import dev.inmo.micro_utils.crypto.hmacSha256 +import com.soywiz.krypto.* +import io.ktor.http.decodeURLQueryComponent +import io.ktor.utils.io.core.toByteArray const val telegramBotAPIDefaultUrl = "https://api.telegram.org" @@ -22,9 +23,11 @@ class TelegramAPIUrlsKeeper( hostUrl: String = telegramBotAPIDefaultUrl, urlsSuffixes: String = "" ) { - val webAppDataSecretKey by lazy { - token.hmacSha256("WebAppData") + val webAppDataSecretKeyHash by lazy { + HMAC.hmacSHA256("WebAppData".toByteArray(), token.toByteArray()) } + val webAppDataSecretKey + get() = webAppDataSecretKeyHash.hexLower val commonAPIUrl: String val fileBaseUrl: String 
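Review bot: The new `webAppDataSecretKeyHash` initializer calls `HMAC.hmacSHA256("WebAppData".toByteArray(), token.toByteArray())`, i.e. krypto's (key, data) order with `"WebAppData"` as the key and the bot token as the data; if I recall the Bot API docs correctly they spell the same derivation data-first (`HMAC_SHA256(<bot_token>, "WebAppData")`), so a reader checking this line against the docs may believe the arguments are swapped and "fix" it. A comment pinning the intent would prevent that: `// krypto takes (key, data): key = "WebAppData", data = bot token, which is Telegram's secret_key derivation`. `webAppDataSecretKey` now exposes a hex copy of a secret derived from the bot token as a public property, so I would also add `// Hex form of the secret key; treat it like the bot token itself (never log it).` above its getter. The class body continues outside the hunk.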
@@ -47,5 +50,14 @@ class TelegramAPIUrlsKeeper( * @param rawData Data from [dev.inmo.tgbotapi.webapps.WebApp.initData] * @param hash Data from [dev.inmo.tgbotapi.webapps.WebApp.initDataUnsafe] from the field [dev.inmo.tgbotapi.webapps.WebAppInitData.hash] */ - fun checkWebAppLink(rawData: String, hash: String) = rawData.hmacSha256(webAppDataSecretKey).hex() == hash + fun checkWebAppLink(rawData: String, hash: String): Boolean { + val preparedData = rawData + .decodeURLQueryComponent() + .split("&") + .filterNot { it.startsWith("hash=") } + .sorted() + .joinToString("\n") + + return HMAC.hmacSHA256(webAppDataSecretKeyHash.bytes, preparedData.toByteArray()).hexLower == hash.lowercase() + } }
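Review bot: `checkWebAppLink` calls `rawData.decodeURLQueryComponent()` on the whole string before `.split("&")`, so a percent-encoded `&` or `=` inside a value (the `user` JSON carries arbitrary names) turns into extra pairs and the recomputed HMAC no longer matches what Telegram signed, rejecting legitimate data; the pairs must be split first and each one decoded afterwards. The closing `hexLower == hash.lowercase()` is an early-exit string comparison on a MAC, so I would compare in constant time instead. The function never looks at `auth_date`, so a captured initData validates forever; if that is deliberately left to the caller, the KDoc should say so. `.sorted()` also orders whole `key=value` strings rather than keys, which only coincides with Telegram's key ordering because no current key is a prefix of another one; a comment should record that assumption. A rewritten body follows.
```kotlin
fun checkWebAppLink(rawData: String, hash: String): Boolean {
    // Split first, then decode each pair: an encoded '&' or '=' inside a value must not create extra pairs.
    // Sorting whole "key=value" strings matches Telegram's sort-by-key only while no key is a prefix of another.
    val preparedData = rawData
        .split("&")
        .filterNot { it.startsWith("hash=") }
        .map { it.decodeURLQueryComponent() }
        .sorted()
        .joinToString("\n")

    val expected = HMAC.hmacSHA256(webAppDataSecretKeyHash.bytes, preparedData.toByteArray()).hexLower
    val provided = hash.lowercase()
    // Constant-time comparison so the position of the first mismatching character is not observable.
    if (expected.length != provided.length) return false
    var diff = 0
    for (i in expected.indices) diff = diff or (expected[i].code xor provided[i].code)
    return diff == 0
}
```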