Skip to content

Instantly share code, notes, and snippets.

@Pitasi

Pitasi/check_telegram_signature.js

Last active January 5, 2023 07:16
Star
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Telegram website login widget, signature check sample using Node.js
Raw
check_telegram_signature.js
// Copied by https://gist.github.com/dotcypress/8fd12d6e886cd74bba8f1aa8dbd346aa,
// thanks for improving code style
const { createHash, createHmac } = require('crypto');
const TOKEN = "ABC:12345...";
// I prefer get the secret's hash once but check the gist linked
// on line 1 if you prefer passing the bot token as a param
const secret = createHash('sha256')
.update(TOKEN)
.digest()
function checkSignature ({ hash, ...data }) {
const checkString = Object.keys(data)
.sort()
.filter((k) => data[k])
.map(k => (`${k}=${data[k]}`))
.join('\n');
const hmac = createHmac('sha256', secret)
.update(checkString)
.digest('hex');
return hmac === hash;
}
// Sample usage
const payload = {
id: '424242424242',
first_name: 'John',
last_name: 'Doe',
username: 'username',
photo_url: 'https://t.me/i/userpic/320/username.jpg',
auth_date: '1519400000',
hash: '87e5a7e644d0ee362334d92bc8ecc981ca11ffc11eca809505'
}
checkSignature(payload)
@lub0v
Copy link

lub0v commented Nov 17, 2022

@ImTheDeveloper I had the same issue and found out that when users do not specify their last_name the hash does not match. To fix the error, I've filtered out empty data for checkString:

const checkString = Object.keys(data)
    .sort()
    .filter((k) => data[k])
    .map(k => (`${k}=${data[k]}`))
    .join('\n');

@ImTheDeveloper
Copy link

ImTheDeveloper commented Nov 17, 2022 via email

@Pitasi
Copy link
Author

Pitasi commented Nov 17, 2022

Thanks @lub0v, I updated the gist with your suggestion :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment