Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Telegram website login widget, signature check sample using Node.js
// Copied by,
// thanks for improving code style
const { createHash, createHmac } = require('crypto');
const TOKEN = "ABC:12345...";
// I prefer get the secret's hash once but check the gist linked
// on line 1 if you prefer passing the bot token as a param
const secret = createHash('sha256')
function checkSignature ({ hash, }) {
const checkString = Object.keys(data)
.map(k => (`${k}=${data[k]}`))
const hmac = createHmac('sha256', secret)
return hmac === hash;
// Sample usage
const payload = {
id: '424242424242',
first_name: 'John',
last_name: 'Doe',
username: 'username',
photo_url: '',
auth_date: '1519400000',
hash: '87e5a7e644d0ee362334d92bc8ecc981ca11ffc11eca809505'
Copy link

Kradre commented Feb 19, 2018

Thanks for good string object.
Change one thing:
const hmac = crypto.createHmac('sha256', secret.digest('latin1'))
And everything should work
Node version: 4.2.6

Copy link

highfeed commented Feb 24, 2018

It's don't work for me.

Copy link

Pitasi commented Feb 24, 2018

I basically copied, thanks @highfeed for linking that to me.

Copy link

YuriyLitvin commented Apr 20, 2018

Thank you @Pitasi ! :-) 👍

Copy link

peramor commented May 5, 2018

Nice, very helpful!

Copy link

rinovaonline commented Jan 19, 2019


Copy link

pitersky commented Jun 12, 2019

Thank you, But does not work for me either. Hashes does not match

Copy link

kshubham506 commented Jul 25, 2020

Slight change is required in the code the data.hash should not be in the check string,

let input_hash = data.hash;
delete data.hash;
const checkString = Object.keys(data)
.map(k => ${k}=${data[k]})
const hmac = crypto.createHmac('sha256', secret_key)

After this compare the hmac with input_hash

Copy link

Pitasi commented Jul 27, 2020

Hi @kshubham506, hash is not in data since I splitted the object writing ({ hash, }) 😄

Copy link

ImTheDeveloper commented Oct 28, 2020

For some reason I've found this fails for some users, but works fine for others.

Essentially the hash from telegram is not coming out to be the same as the one output from hmac. However it does work for most users... so odd any ideas why?

Copy link

Pitasi commented Oct 29, 2020

I'm not sure. Is it possible that you are receiving requests that are not from Telegram? Did you make any change to my code?

Copy link

rbeer commented Jan 15, 2022

Did you actually use this token const TOKEN = "ABC:12345..."; to create the hash in payload?
The example as it is doesn't work for me. It works as soon as I use real data, i.e. a live response from Telegram and my own bot token.
I think people merely copy/pasting and expecting this to work is what leads to confusion.

Replace payload.hash with fdd4901b22ee5ea34d77caeac88b5ecba818226ab9c7c7775c8ff675d7e4cb92 and this example works.

I think the gist you copied this from always used some made-up value for the hash, to begin with. Even the length doesn't add up.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment