docs: add CSRF protection configuration instructions for Telegram webhooks in README

feat: implement sendText method in Chat class for sending messages as HTML
arodu committed Dec 12, 2024
1 parent a3fa813 commit 6c9a408
Showing 2 changed files with 34 additions and 1 deletion.
34 changes: 33 additions & 1 deletion README.md
@@ -48,6 +48,38 @@ export WEBHOOK_BASE="your_base_url_here"
- **WEBHOOK_OBFUSCATION**: Obfuscates the webhook URL, adding an additional security layer.
- **WEBHOOK_BASE**: Sets the base domain for the webhook URL. If not specified, `127.0.0.1` is used, which is incompatible with the Telegram API.

Here's the translated version of the section:

---

### Configuring CSRF Protection

CakePHP includes built-in protection against Cross-Site Request Forgery (CSRF) attacks. However, to allow Telegram webhooks to work properly with TeBo, you need to exclude requests coming from the plugin from this protection.

To do this, adjust the middleware configuration in the `src/Application.php` file. Modify the `middleware` method to include the following logic:

```php
public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
{
$csrf = new CsrfProtectionMiddleware(['httponly' => true]);

$csrf->skipCheckCallback(function ($request) {
// Exclude requests from the TeBo plugin from CSRF protection
if ($request->getParam('plugin') === 'TeBo') {
return true;
}
});

$middlewareQueue->add($csrf);

return $middlewareQueue;
}
```

> [!WARNING]
> ***Why Is This Necessary?***
> Telegram cannot send custom headers (such as CSRF tokens), which would cause webhook requests to be rejected if CSRF protection is enabled. By configuring this exclusion, we allow Telegram to interact with our application without compromising the overall security.
## Bot Testing

Once the webhook and token are configured, the bot should be ready to work. You can test it on Telegram using the following commands:
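Review bot: the lines `Here's the translated version of the section:` and the `---` rule that follows, placed just before `### Configuring CSRF Protection`, read as leftover output from a translation tool rather than README content and should be dropped. Two further points on the same hunk: the `skipCheckCallback` closure exempts every route under the `TeBo` plugin from CSRF checks, not just the webhook endpoint, so the warning's claim that this is done "without compromising the overall security" is broader than the code supports; consider also matching on the controller and action that actually receive the webhook (`$request->getParam('controller')` / `$request->getParam('action')`) and have the callback `return false;` explicitly for non-matching requests instead of falling through with no return value. Finally, add a blank line between the last `>` line of the warning and `## Bot Testing` so the heading is not glued to the blockquote.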
@@ -82,7 +114,7 @@ return [
],
];
```
> [!NOTE]
> [!NOTE]
> You can find more information about this file on `config/tebo.php` in the plugin's directory.
## Usage
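Review bot: the two consecutive `> [!NOTE]` lines at the top of this hunk show no visible difference, so this one-line change cannot be reviewed from the rendered view; if it is a whitespace-only fix, say so in the commit message, and if both lines actually remain in the README, remove the duplicate. A blank line before `## Usage` would also keep the heading from attaching to the blockquote.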
1 change: 1 addition & 0 deletions src/Telegram/Chat.php
@@ -7,6 +7,7 @@
use Cake\Log\Log;
use InvalidArgumentException;
use TeBo\Enum\TelegramMethod;
use TeBo\Response\HtmlMessage;
use TeBo\Response\ResponseInterface;
use TeBo\Utility\Bot;
use TeBo\Utility\Trait\DataManageTrait;
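Review bot: the commit message says a `sendText` method was implemented in the `Chat` class, but the only change to `src/Telegram/Chat.php` is the added `use TeBo\Response\HtmlMessage;` import (1 addition, 0 deletions per the file header), so either the method body is missing from this commit or the message overstates it; as it stands the import is unused and should either be removed or accompanied by the method that uses it.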

0 comments on commit 6c9a408
