Telegram Web Bots data validation in JavaScript

Asked 26/4, 2022 at 8:32 Answered 11/11 at 9:28

javascript node.js reactjs telegram telegram-bot

I've tried to do user verification script for telegram web app for bots. I have no idea how to fix it.

import sha256 from 'js-sha256'

const telegram = window.Telegram.WebApp
const bot_token = '<bot-token>'
const data_check_string = telegram.initData

    var secret_key = sha256.hmac.create(bot_token).update("WebAppData")
    var hash = sha256.hmac.create(data_check_string).update(secret_key).hex();

   if ( hash == telegram.initDataUnsafe.hash) {
       // data is from Telegram
   }

Aggri answered 26/4, 2022 at 8:32 Comment(2)

What's your problem? Can you explain it better? – Endoderm 26/4, 2022 at 8:34

My code is not working. My hash and hash received from telegram (window.Telegram.WebApp.initDataUnsafe.hash) are different. – Aggri 26/4, 2022 at 8:41

All code samples in internet are not works. Here is working code for nodejs:

import crypto from "crypto";

function auth ( apiToken, telegramInitData ) {
    const initData = new URLSearchParams( telegramInitData );

    initData.sort();

    const hash = initData.get( "hash" );
    initData.delete( "hash" );

    const dataToCheck = [...initData.entries()].map( ( [key, value] ) => key + "=" + value ).join( "\n" );

    const secretKey = crypto.createHmac( "sha256", "WebAppData" ).update( apiToken ).digest();

    const _hash = crypto.createHmac( "sha256", secretKey ).update( dataToCheck ).digest( "hex" );

    return hash === _hash;
}

Nonsectarian answered 12/11, 2023 at 5:27 Comment(2)

God bless you! Turns out this is the most important part new URLSearchParams( telegramInitData ); – Griseofulvin 26/6 at 15:18

God bless you! This is truly the working code for NodeJs. – Sills 22/10 at 3:20

Try to look to node js implementation, I tried to well comment it using official telegram pseudocode. Maybe it helps you.

But in my convinience this validation need to execute at backend because in another case you compromise your bot secret token

https://gist.github.com/konstantin24121/49da5d8023532d66cc4db1136435a885

Lesleelesley answered 29/4, 2022 at 12:6 Comment(0)

i cannot add a comment, @zdm ‘s answer is not work for me, i changed "secretKey", now its working.

function auth(apiToken: string, telegramInitData: typeof mockData) {
  const initData = new URLSearchParams(telegramInitData);
  initData.sort();
  const hash = initData.get("hash");
  initData.delete("hash");
  const dataToCheck = [...initData.entries()].map(([key, value]) => key + "=" + value).join("\n");
  // change to createHash
  const secretKey = crypto.createHash("sha256").update(apiToken).digest();
  const _hash = crypto.createHmac("sha256", secretKey).update(dataToCheck).digest("hex");
  return hash === _hash;
}

Forensic answered 11/11 at 9:28 Comment(0)

-1

The stated code to be used for validation in the official documentation is this:

data_check_string = ...
secret_key = HMAC_SHA256(<bot_token>, "WebAppData")
if (hex(HMAC_SHA256(data_check_string, secret_key)) == hash) {
  // data is from Telegram
}

please try to implement it as it is documented.

The link referring to this problem is: Telegram API validation

Kirkendall answered 29/4, 2022 at 12:20 Comment(0)

Recommended topics

Hot tags