1
0
mirror of https://github.com/InsanusMokrassar/TelegramBotAPI.git synced 2024-11-25 19:48:43 +00:00

fixes in TelegramAPIUrlsKeeper#checkWebAppLink

This commit is contained in:
InsanusMokrassar 2022-05-17 19:51:14 +06:00
parent 9d16ca3b7e
commit 58c1f2ee6a
4 changed files with 25 additions and 8 deletions

View File

@ -2,6 +2,11 @@
## 1.1.1 ## 1.1.1
* `Versions`:
* `MicroUtils.Crypto` will not be provided with that library anymore. Instead, it is recommended to use `Korlibs.Krypto`. You still can add crypto from microutils using next groovy dependency: `dev.inmo:micro_utils.crypto:$micro_utils_version`
* `Core`:
* Improvements in `TelegramAPIUrlsKeeper#checkWebAppLink`
* New field in `TelegramAPIUrlsKeeper#webAppDataSecretKeyHash`
* `Behaviour Builder`: * `Behaviour Builder`:
* Extension `TelegramBot#buildBehaviour` now returns `BehaviourContext` * Extension `TelegramBot#buildBehaviour` now returns `BehaviourContext`

View File

@ -8,7 +8,7 @@ kotlin.incremental.js=true
kotlin_version=1.6.21 kotlin_version=1.6.21
kotlin_coroutines_version=1.6.1 kotlin_coroutines_version=1.6.1
kotlin_serialisation_runtime_version=1.3.3 kotlin_serialisation_runtime_version=1.3.3
klock_version=2.7.0 korlibs_version=2.7.0
uuid_version=0.4.0 uuid_version=0.4.0
ktor_version=2.0.1 ktor_version=2.0.1

View File

@ -47,10 +47,10 @@ kotlin {
api "org.jetbrains.kotlinx:kotlinx-serialization-json:$kotlin_serialisation_runtime_version" api "org.jetbrains.kotlinx:kotlinx-serialization-json:$kotlin_serialisation_runtime_version"
api "org.jetbrains.kotlinx:kotlinx-serialization-properties:$kotlin_serialisation_runtime_version" api "org.jetbrains.kotlinx:kotlinx-serialization-properties:$kotlin_serialisation_runtime_version"
api "com.soywiz.korlibs.klock:klock:$klock_version" api "com.soywiz.korlibs.klock:klock:$korlibs_version"
api "com.soywiz.korlibs.krypto:krypto:$korlibs_version"
api "com.benasher44:uuid:$uuid_version" api "com.benasher44:uuid:$uuid_version"
api "dev.inmo:micro_utils.crypto:$micro_utils_version"
api "dev.inmo:micro_utils.coroutines:$micro_utils_version" api "dev.inmo:micro_utils.coroutines:$micro_utils_version"
api "dev.inmo:micro_utils.serialization.base64:$micro_utils_version" api "dev.inmo:micro_utils.serialization.base64:$micro_utils_version"
api "dev.inmo:micro_utils.serialization.encapsulator:$micro_utils_version" api "dev.inmo:micro_utils.serialization.encapsulator:$micro_utils_version"

View File

@ -1,7 +1,8 @@
package dev.inmo.tgbotapi.utils package dev.inmo.tgbotapi.utils
import dev.inmo.micro_utils.crypto.hex import com.soywiz.krypto.*
import dev.inmo.micro_utils.crypto.hmacSha256 import io.ktor.http.decodeURLQueryComponent
import io.ktor.utils.io.core.toByteArray
const val telegramBotAPIDefaultUrl = "https://api.telegram.org" const val telegramBotAPIDefaultUrl = "https://api.telegram.org"
@ -22,9 +23,11 @@ class TelegramAPIUrlsKeeper(
hostUrl: String = telegramBotAPIDefaultUrl, hostUrl: String = telegramBotAPIDefaultUrl,
urlsSuffixes: String = "" urlsSuffixes: String = ""
) { ) {
val webAppDataSecretKey by lazy { val webAppDataSecretKeyHash by lazy {
token.hmacSha256("WebAppData") HMAC.hmacSHA256("WebAppData".toByteArray(), token.toByteArray())
} }
val webAppDataSecretKey
get() = webAppDataSecretKeyHash.hexLower
val commonAPIUrl: String val commonAPIUrl: String
val fileBaseUrl: String val fileBaseUrl: String
@ -47,5 +50,14 @@ class TelegramAPIUrlsKeeper(
* @param rawData Data from [dev.inmo.tgbotapi.webapps.WebApp.initData] * @param rawData Data from [dev.inmo.tgbotapi.webapps.WebApp.initData]
* @param hash Data from [dev.inmo.tgbotapi.webapps.WebApp.initDataUnsafe] from the field [dev.inmo.tgbotapi.webapps.WebAppInitData.hash] * @param hash Data from [dev.inmo.tgbotapi.webapps.WebApp.initDataUnsafe] from the field [dev.inmo.tgbotapi.webapps.WebAppInitData.hash]
*/ */
fun checkWebAppLink(rawData: String, hash: String) = rawData.hmacSha256(webAppDataSecretKey).hex() == hash fun checkWebAppLink(rawData: String, hash: String): Boolean {
val preparedData = rawData
.decodeURLQueryComponent()
.split("&")
.filterNot { it.startsWith("hash=") }
.sorted()
.joinToString("\n")
return HMAC.hmacSHA256(webAppDataSecretKeyHash.bytes, preparedData.toByteArray()).hexLower == hash.lowercase()
}
} }