Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Telegram website login widget, signature check sample using Node.js
// Copied by https://gist.github.com/dotcypress/8fd12d6e886cd74bba8f1aa8dbd346aa,
// thanks for improving code style
const { createHash, createHmac } = require('crypto');
const TOKEN = "ABC:12345...";
// I prefer get the secret's hash once but check the gist linked
// on line 1 if you prefer passing the bot token as a param
const secret = createHash('sha256')
.update(TOKEN)
.digest()
function checkSignature ({ hash, ...data }) {
const checkString = Object.keys(data)
.sort()
.map(k => (`${k}=${data[k]}`))
.join('\n');
const hmac = createHmac('sha256', secret)
.update(checkString)
.digest('hex');
return hmac === hash;
}
// Sample usage
const payload = {
id: '424242424242',
first_name: 'John',
last_name: 'Doe',
username: 'username',
photo_url: 'https://t.me/i/userpic/320/username.jpg',
auth_date: '1519400000',
hash: '87e5a7e644d0ee362334d92bc8ecc981ca11ffc11eca809505'
}
checkSignature(payload)
@highfeed
Copy link

highfeed commented Feb 24, 2018

It's don't work for me.

@Pitasi
Copy link
Author

Pitasi commented Feb 24, 2018

Updated.
I basically copied https://gist.github.com/dotcypress/8fd12d6e886cd74bba8f1aa8dbd346aa, thanks @highfeed for linking that to me.

@YuriyLitvin
Copy link

YuriyLitvin commented Apr 20, 2018

Thank you @Pitasi ! :-) 👍

@peramor
Copy link

peramor commented May 5, 2018

Nice, very helpful!

@rinovaonline
Copy link

rinovaonline commented Jan 19, 2019

Nice

@pitersky
Copy link

pitersky commented Jun 12, 2019

Thank you, But does not work for me either. Hashes does not match

@kshubham506
Copy link

kshubham506 commented Jul 25, 2020

Slight change is required in the code the data.hash should not be in the check string,

let input_hash = data.hash;
delete data.hash;
const checkString = Object.keys(data)
.sort()
.map(k => ${k}=${data[k]})
.join('\n')
const hmac = crypto.createHmac('sha256', secret_key)
.update(checkString)
.digest('hex')

After this compare the hmac with input_hash

@Pitasi
Copy link
Author

Pitasi commented Jul 27, 2020

Hi @kshubham506, hash is not in data since I splitted the object writing ({ hash, ...data }) 😄

@ImTheDeveloper
Copy link

ImTheDeveloper commented Oct 28, 2020

For some reason I've found this fails for some users, but works fine for others.

Essentially the hash from telegram is not coming out to be the same as the one output from hmac. However it does work for most users... so odd any ideas why?

@Pitasi
Copy link
Author

Pitasi commented Oct 29, 2020

I'm not sure. Is it possible that you are receiving requests that are not from Telegram? Did you make any change to my code?

@rbeer
Copy link

rbeer commented Jan 15, 2022

Did you actually use this token const TOKEN = "ABC:12345..."; to create the hash in payload?
The example as it is doesn't work for me. It works as soon as I use real data, i.e. a live response from Telegram and my own bot token.
I think people merely copy/pasting and expecting this to work is what leads to confusion.

Replace payload.hash with fdd4901b22ee5ea34d77caeac88b5ecba818226ab9c7c7775c8ff675d7e4cb92 and this example works.

I think the gist you copied this from always used some made-up value for the hash, to begin with. Even the length doesn't add up.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment