Add support for Telegram webhook secret token verification #36
Summary
Add support for Telegram's `secret_token` webhook authentication. When configured, the server verifies the `X-Telegram-Bot-Api-Secret-Token` header on incoming requests, ensuring they originate from Telegram rather than arbitrary sources.

Without this verification, the webhook endpoint accepts any POST request containing a valid-looking `chat_id` or whitelisted `user_id` in the JSON body, values that are easily guessable integers. The secret token provides cryptographic proof that requests actually come from Telegram's servers.
Changes
- `.env.example` - Add `TELEGRAM_WEBHOOK_SECRET` with generation instructions
- `src/channels/telegram/webhook.js` - Verify header on incoming requests (401 if invalid); include `secret_token` when registering webhook with Telegram API
- `start-telegram-webhook.js` - Load secret from env, warn at startup if not configured
- `setup-telegram.sh` - Add secret to setup instructions with security note

Backward Compatibility
This change is fully backward compatible. If `TELEGRAM_WEBHOOK_SECRET` is not set, the server continues to work as before (with a warning logged at startup).
Usage
Generate a secret and add to `.env`:

The secret is automatically passed to Telegram when registering the webhook and verified on every incoming request.
Reference
(`secret_token` parameter)