GitHub Storage: session string exposed #12
Comments
This is an urgent task as it's a blocker now for #3 and estimate it to be about 4 hours+ of work depending on the approach to be implemented. Any longer than two days without direction or input and I'm going to disable the GitHub storage adapter and return to using the Supabase one so I can move that PR forward.
rfc @0x4007
We can just use our existing X25519 encryption @rndquu rfc
You mentioned during review that we'll make Global Storage private and handle it that way but yes we could use the same encryption we use in other projects if that's the method to implement.
Trying to understand how the whole plugin works.
Does it work this way?
The session string is for the MTProto API which is responsible for the
There are a lot more applications for this but after #13 is fully installed, which will be later today, I'll make a task and aim to really improve the docs etc. for this plugin as it is a little complex.
The session string solve is easy:
Separate from that you need to also consider that the Telegram side has two "branches" we'll call them:
Why can't it be run in a Cloudflare worker?
As far as I understand from the docs, the current plugin needs to be defined 2 times in the config:
Correct?
Basically yes.
The packages are not built for that env exactly. I did try alt libs and to find a way but I gathered we'd need something like Heroku or whatever to host the server. This originally dispatched its own workflows and required defined only once through the worker url. We needed the kernel'
Relates to #3
The config repo is now public and GitHub layer storage is supposed to push into that repo.
This plugin has one ultra sensitive env var which is the MTProtoAPI Session String.
If that is stored in a public repo as raw text the TG can be hijacked easily.
original context
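
An added example, not code from this thread or from the project: one way to keep the session string out of a public repo in readable form, following the comment that suggests X25519 encryption. The project's existing X25519 scheme is not shown on this page, so this sketch swaps in ephemeral X25519 + HKDF-SHA256 + AES-256-GCM from Node's built-in `crypto`; the names `sealSession`, `openSession` and `deriveKey` are hypothetical.

```javascript
const nodeCrypto = require("node:crypto");

const SPKI_LEN = 44; // DER-encoded X25519 public key: 12-byte header + 32-byte key
const IV_LEN = 12;   // AES-GCM nonce length
const TAG_LEN = 16;  // AES-GCM authentication tag length

// Derive the AES key from the ECDH secret, bound to both public keys via the HKDF info.
function deriveKey(shared, ephDer, recipientDer) {
  const info = Buffer.concat([Buffer.from("session-seal-v1"), ephDer, recipientDer]);
  return Buffer.from(nodeCrypto.hkdfSync("sha256", shared, Buffer.alloc(0), info, 32));
}

// Encrypt using only the recipient's public key; the result is what gets committed.
function sealSession(sessionString, recipientPublicKey) {
  const eph = nodeCrypto.generateKeyPairSync("x25519"); // fresh key pair per message
  const shared = nodeCrypto.diffieHellman({ privateKey: eph.privateKey, publicKey: recipientPublicKey });
  const ephDer = eph.publicKey.export({ type: "spki", format: "der" });
  const recipientDer = recipientPublicKey.export({ type: "spki", format: "der" });
  const iv = nodeCrypto.randomBytes(IV_LEN);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(shared, ephDer, recipientDer), iv);
  const ct = Buffer.concat([cipher.update(sessionString, "utf8"), cipher.final()]);
  return Buffer.concat([ephDer, iv, cipher.getAuthTag(), ct]).toString("base64");
}

// Decrypt with the private key, which lives only in the runtime's secret store.
function openSession(sealed, recipientPrivateKey) {
  const buf = Buffer.from(sealed, "base64");
  if (buf.length < SPKI_LEN + IV_LEN + TAG_LEN) throw new Error("sealed blob too short");
  const ephDer = buf.subarray(0, SPKI_LEN);
  const iv = buf.subarray(SPKI_LEN, SPKI_LEN + IV_LEN);
  const tag = buf.subarray(SPKI_LEN + IV_LEN, SPKI_LEN + IV_LEN + TAG_LEN);
  const ct = buf.subarray(SPKI_LEN + IV_LEN + TAG_LEN);
  const ephPub = nodeCrypto.createPublicKey({ key: ephDer, format: "der", type: "spki" });
  const recipientDer = nodeCrypto.createPublicKey(recipientPrivateKey).export({ type: "spki", format: "der" });
  const shared = nodeCrypto.diffieHellman({ privateKey: recipientPrivateKey, publicKey: ephPub });
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", deriveKey(shared, ephDer, recipientDer), iv);
  decipher.setAuthTag(tag); // final() throws if the blob was modified or the key is wrong
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}
```

Only the public key needs to be available to whatever writes to the repo; a modified blob or the wrong private key makes `openSession` throw instead of returning data.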