Merge pull request #565 from crashiura/validate-web-app

Validate web app
2022-10-19 20:35:52 -04:00 · 2022-10-19 20:35:52 -04:00 · 4126fa6112
commit 4126fa6112
parent 2fa77043ad 189292093b
2 changed files with 68 additions and 0 deletions
--- a/helpers.go
+++ b/helpers.go
@ -1,7 +1,14 @@
 package tgbotapi

 import (
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/hex"
+	"errors"
+	"fmt"
 	"net/url"
+	"sort"
+	"strings"
 )

 // NewMessage creates a new Message.
@ -943,3 +950,38 @@ func NewDeleteMyCommandsWithScope(scope BotCommandScope) DeleteMyCommandsConfig
 func NewDeleteMyCommandsWithScopeAndLanguage(scope BotCommandScope, languageCode string) DeleteMyCommandsConfig {
 	return DeleteMyCommandsConfig{Scope: &scope, LanguageCode: languageCode}
 }
+
+// ValidateWebAppData validate data received via the Web App
+// https://core.telegram.org/bots/webapps#validating-data-received-via-the-web-app
+func ValidateWebAppData(token, telegramInitData string) (bool, error) {
+	initData, err := url.ParseQuery(telegramInitData)
+	if err != nil {
+		return false, fmt.Errorf("error parsing data %w", err)
+	}
+
+	dataCheckString := make([]string, 0, len(initData))
+	for k, v := range initData {
+		if k == "hash" {
+			continue
+		}
+		if len(v) > 0 {
+			dataCheckString = append(dataCheckString, fmt.Sprintf("%s=%s", k, v[0]))
+		}
+	}
+
+	sort.Strings(dataCheckString)
+
+	secret := hmac.New(sha256.New, []byte("WebAppData"))
+	secret.Write([]byte(token))
+
+	hHash := hmac.New(sha256.New, secret.Sum(nil))
+	hHash.Write([]byte(strings.Join(dataCheckString, "\n")))
+
+	hash := hex.EncodeToString(hHash.Sum(nil))
+
+	if initData.Get("hash") != hash {
+		return false, errors.New("hash not equal")
+	}
+
+	return true, nil
+}