Merge pull request #573 from InsanusMokrassar/0.38.16

0.38.16
fixes
2024-11-22 16:23:48 +00:00 · 2022-04-29 23:28:12 +06:00 · 2022-04-29 19:50:02 +06:00 · 2022-04-29 19:18:22 +06:00 · 2022-04-29 19:11:38 +06:00 · 2022-04-29 18:56:38 +06:00
8 changed files with 67 additions and 4 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,10 @@
 # TelegramBotAPI changelog

+## 0.38.16
+
+* `Core`:
+    * `TelegramAPIUrlsKeeper` now have two new things: properties `webAppDataSecretKey` and fun `checkWebAppLink`
+
 ## 0.38.15

 * `Common`:
--- a/gradle.properties
+++ b/gradle.properties
@ -20,6 +20,6 @@ javax_activation_version=1.1.1
 dokka_version=1.6.10

 library_group=dev.inmo
-library_version=0.38.15
+library_version=0.38.16

 github_release_plugin_version=2.3.7
--- a/tgbotapi.core/src/commonMain/kotlin/dev/inmo/tgbotapi/utils/Crypto.kt
+++ b/tgbotapi.core/src/commonMain/kotlin/dev/inmo/tgbotapi/utils/Crypto.kt
@ -0,0 +1,19 @@
+package dev.inmo.tgbotapi.utils
+
+import dev.inmo.micro_utils.crypto.SourceBytes
+import dev.inmo.micro_utils.crypto.SourceString
+
+internal expect fun SourceString.hmacSha256(key: String): String
+private val HEX_ARRAY = "0123456789abcdef".toCharArray()
+
+internal fun SourceBytes.hex(): String {
+    val hexChars = CharArray(size * 2)
+    for (j in indices) {
+        val v: Int = this[j].toInt() and 0xFF
+        hexChars[j * 2] = HEX_ARRAY[v ushr 4]
+        hexChars[j * 2 + 1] = HEX_ARRAY[v and 0x0F]
+    }
+    return hexChars.concatToString()
+}
+
+internal fun SourceString.hex(): String = encodeToByteArray().hex()
--- a/tgbotapi.core/src/commonMain/kotlin/dev/inmo/tgbotapi/utils/TelegramAPIUrlsKeeper.kt
+++ b/tgbotapi.core/src/commonMain/kotlin/dev/inmo/tgbotapi/utils/TelegramAPIUrlsKeeper.kt
@ -18,6 +18,10 @@ class TelegramAPIUrlsKeeper(
    token: String,
    hostUrl: String = telegramBotAPIDefaultUrl
 ) {
+    val webAppDataSecretKey by lazy {
+        token.hmacSha256("WebAppData")
+    }
+
    val commonAPIUrl: String
    val fileBaseUrl: String

@ -28,4 +32,10 @@ class TelegramAPIUrlsKeeper(
    }

    fun createFileLinkUrl(filePath: String) = "${fileBaseUrl}/$filePath"
+
+    /**
+     * @param rawData Data from [dev.inmo.tgbotapi.webapps.WebApp.initData]
+     * @param hash Data from [dev.inmo.tgbotapi.webapps.WebApp.initDataUnsafe] from the field [dev.inmo.tgbotapi.webapps.WebAppInitData.hash]
+     */
+    fun checkWebAppLink(rawData: String, hash: String) = rawData.hmacSha256(webAppDataSecretKey).hex() == hash
 }
--- a/tgbotapi.core/src/jsMain/kotlin/dev/inmo/tgbotapi/utils/CryptoActual.kt
+++ b/tgbotapi.core/src/jsMain/kotlin/dev/inmo/tgbotapi/utils/CryptoActual.kt
@ -0,0 +1,6 @@
+package dev.inmo.tgbotapi.utils
+
+import dev.inmo.micro_utils.crypto.CryptoJS
+import dev.inmo.micro_utils.crypto.SourceString
+
+actual fun SourceString.hmacSha256(key: String) = CryptoJS.asDynamic().HmacSHA256(this, key).toString().unsafeCast<String>()
--- a/tgbotapi.core/src/jvmMain/kotlin/dev/inmo/tgbotapi/utils/CryptoActual.kt
+++ b/tgbotapi.core/src/jvmMain/kotlin/dev/inmo/tgbotapi/utils/CryptoActual.kt
@ -0,0 +1,14 @@
+package dev.inmo.tgbotapi.utils
+
+import dev.inmo.micro_utils.crypto.SourceString
+import javax.crypto.Mac
+import javax.crypto.spec.SecretKeySpec
+
+actual fun SourceString.hmacSha256(key: String): String {
+    val mac = Mac.getInstance("HmacSHA256")
+
+    val secretKey = SecretKeySpec(key.toByteArray(), "HmacSHA256")
+    mac.init(secretKey)
+
+    return mac.doFinal(toByteArray()).hex()
+}
--- a/tgbotapi.webapps/build.gradle
+++ b/tgbotapi.webapps/build.gradle
@ -27,6 +27,13 @@ repositories {
 }

 kotlin {
+    jvm {
+        compilations.main {
+            kotlinOptions {
+                jvmTarget = "1.8"
+            }
+        }
+    }
    js(IR) {
        browser()
        nodejs()
--- a/tgbotapi.webapps/src/jsMain/kotlin/dev/inmo/tgbotapi/webapps/WebApp.kt
+++ b/tgbotapi.webapps/src/jsMain/kotlin/dev/inmo/tgbotapi/webapps/WebApp.kt
@ -1,6 +1,7 @@
 package dev.inmo.tgbotapi.webapps

 import dev.inmo.micro_utils.crypto.CryptoJS
+import dev.inmo.tgbotapi.utils.TelegramAPIUrlsKeeper

 external class WebApp {
    val initData: String
@ -76,6 +77,7 @@ fun WebApp.onMainButtonClicked(eventHandler: EventHandler) = onEvent(EventType.M
 */
 fun WebApp.onViewportChanged(eventHandler: ViewportChangedEventHandler) = onEvent(EventType.ViewportChanged, eventHandler)

-fun WebApp.isInitDataSafe(botToken: String) = CryptoJS.hex(
-    CryptoJS.HmacSHA256(botToken, "WebAppData")
-) == initDataUnsafe.hash
+fun WebApp.isInitDataSafe(botToken: String) = TelegramAPIUrlsKeeper(botToken).checkWebAppLink(
+    initData,
+    initDataUnsafe.hash
+)
Author	SHA1	Message	Date
InsanusMokrassar	37317a1055	Merge pull request #573 from InsanusMokrassar/0.38.16 0.38.16	2022-04-29 23:28:12 +06:00
InsanusMokrassar	60c21002e1	fixes	2022-04-29 19:50:02 +06:00
InsanusMokrassar	78a7a3546a	remove checking of webapp data from webapp module due to its existing in core	2022-04-29 19:18:22 +06:00
InsanusMokrassar	4799617ced	"TelegramAPIUrlsKeeper" now have two new things: properties "webAppDataSecretKey" and fun "checkWebAppLink"	2022-04-29 19:11:38 +06:00
InsanusMokrassar	c70484076d	start 0.38.16	2022-04-29 18:56:38 +06:00