Merge #301: A bit more secure I'd say

Check `X-Telegram-Bot-Api-Secret-Token` in Webhook
xooniverse · Oct 23, 2024 · 62f81b8 · 62f81b8
2 parents df8b610 + 699e5eb
commit 62f81b8
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+# 1.26.6
+
+- Check `Webhook.secretToken` with the header `X-Telegram-Bot-Api-Secret-Token` before processing the incoming webhook update.
+
 # 1.26.5
 
 - Fixed in `ReactionTypeCustomEmoji.customEmojiId`

diff --git a/lib/src/televerse/fetch/webhook.dart b/lib/src/televerse/fetch/webhook.dart
@@ -258,6 +258,7 @@ class Webhook extends Fetcher {
 
   /// Handles incoming HTTP requests.
   Future<void> _handleRequest(io.HttpRequest request) async {
+    const secretTokenHeader = "X-Telegram-Bot-Api-Secret-Token";
     final Map<String, dynamic> error = {
       'ok': false,
       'error_code': 404,
@@ -276,6 +277,14 @@ class Webhook extends Fetcher {
       return;
     }
 
+    if (secretToken != null &&
+        request.headers.value(secretTokenHeader) != secretToken) {
+      error["description"] = "Unauthorized request";
+      error["error_code"] = 401;
+      _sendResponse(request, error["error_code"], error);
+      return;
+    }
+
     final body = await request
         .cast<List<int>>()
         .transform(

diff --git a/pubspec.yaml b/pubspec.yaml
@@ -1,6 +1,6 @@
 name: televerse
 description: Televerse lets you create your own efficient Telegram bots with ease in Dart. Supports latest Telegram Bot API - 7.10!
-version: 1.26.5
+version: 1.26.6
 homepage: https://televerse.xooniverse.com
 repository: https://github.com/xooniverse/televerse
 topics: