Telegram website login widget, signature check sample using Node.js

check_telegram_signature.js

// Copied by https://gist.github.com/dotcypress/8fd12d6e886cd74bba8f1aa8dbd346aa,
// thanks for improving code style

const { createHash, createHmac } = require('crypto');
const TOKEN = "ABC:12345...";

// I prefer get the secret's hash once but check the gist linked
// on line 1 if you prefer passing the bot token as a param
const secret = createHash('sha256')
  .update(TOKEN)
  .digest()

function checkSignature ({ hash, ...data }) {
  const checkString = Object.keys(data)
    .sort()
    .map(k => (`${k}=${data[k]}`))
    .join('\n');
  const hmac = createHmac('sha256', secret)
    .update(checkString)
    .digest('hex');
  return hmac === hash;
}

// Sample usage
const payload = {
  id: '424242424242',
  first_name: 'John',
  last_name: 'Doe',
  username: 'username',
  photo_url: 'https://t.me/i/userpic/320/username.jpg',
  auth_date: '1519400000',
  hash: '87e5a7e644d0ee362334d92bc8ecc981ca11ffc11eca809505'
}
checkSignature(payload)