Last active
November 13, 2024 10:38
-
-
Save konstantin24121/49da5d8023532d66cc4db1136435a885 to your computer and use it in GitHub Desktop.
Telegram Bot 6.0 Validating data received via the Web App node implementation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
const TELEGRAM_BOT_TOKEN = '110201543:AAHdqTcvCH1vGWJxfSeofSAs0K5PALDsaw'; // https://core.telegram.org/bots#creating-a-new-bot | |
export const verifyTelegramWebAppData = async (telegramInitData: string): boolean => { | |
// The data is a query string, which is composed of a series of field-value pairs. | |
const encoded = decodeURIComponent(telegramInitData); | |
// HMAC-SHA-256 signature of the bot's token with the constant string WebAppData used as a key. | |
const secret = crypto | |
.createHmac('sha256', 'WebAppData') | |
.update(TELEGRAM_BOT_TOKEN); | |
// Data-check-string is a chain of all received fields'. | |
const arr = encoded.split('&'); | |
const hashIndex = arr.findIndex(str => str.startsWith('hash=')); | |
const hash = arr.splice(hashIndex)[0].split('=')[1]; | |
// sorted alphabetically | |
arr.sort((a, b) => a.localeCompare(b)); | |
// in the format key=<value> with a line feed character ('\n', 0x0A) used as separator | |
// e.g., 'auth_date=<auth_date>\nquery_id=<query_id>\nuser=<user> | |
const dataCheckString = arr.join('\n'); | |
// The hexadecimal representation of the HMAC-SHA-256 signature of the data-check-string with the secret key | |
const _hash = crypto | |
.createHmac('sha256', secret.digest()) | |
.update(dataCheckString) | |
.digest('hex'); | |
// if hash are equal the data may be used on your server. | |
// Complex data types are represented as JSON-serialized objects. | |
return _hash === hash; | |
}; |
Python implementation
For anyone who have tried @S0mbre's solution - but NOT WORK
import hmac
import hashlib
from urllib.parse import parse_qs
TELEGRAM_BOT_TOKEN = ""
def verify_telegram_web_app_data(telegram_init_data):
# Get hash_value from the query string
init_data = parse_qs(telegram_init_data)
hash_value = init_data.get('hash', [None])[0]
data_to_check = []
# Sort key-value pair by alphabet
sorted_items = sorted((key, val[0]) for key, val in init_data.items() if key != 'hash')
data_to_check = [f"{key}={value}" for key, value in sorted_items]
# HMAC Caculation
secret = hmac.new(b"WebAppData", TELEGRAM_BOT_TOKEN.encode(), hashlib.sha256).digest()
_hash = hmac.new(secret, "\n".join(data_to_check).encode(), hashlib.sha256).hexdigest()
return _hash == hash_value
@TheBlackHacker thanks, that one works great!
You can use the init-data-py library for Python.
Install init-data-py library:
pip install init-data-py
This library allows you to validate
, parse
, create
, and sign
Telegram Mini App data. below is an example of how to validate the data:
from init_data_py import InitData
bot_token = "" # Bot token from which the mini app is launched
query_string = "" # window.Telrgram.WebApp.initData
init_data = InitData.parse(query_string)
init_data.validate(bot_token, lifetime=60)
Thanks man
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Thx