Telegram website login widget, signature check sample using Node.js

check_telegram_signature.js

// Copied by https://gist.github.com/dotcypress/8fd12d6e886cd74bba8f1aa8dbd346aa,
// thanks for improving code style

const { createHash, createHmac } = require('crypto');
const TOKEN = "ABC:12345...";

// I prefer get the secret's hash once but check the gist linked
// on line 1 if you prefer passing the bot token as a param
const secret = createHash('sha256')
  .update(TOKEN)
  .digest()

function checkSignature ({ hash, ...data }) {
  const checkString = Object.keys(data)
    .sort()
    .filter((k) => data[k])
    .map(k => (`${k}=${data[k]}`))
    .join('\n');
  const hmac = createHmac('sha256', secret)
    .update(checkString)
    .digest('hex');
  return hmac === hash;
}

// Sample usage
const payload = {
  id: '424242424242',
  first_name: 'John',
  last_name: 'Doe',
  username: 'username',
  photo_url: 'https://t.me/i/userpic/320/username.jpg',
  auth_date: '1519400000',
  hash: '87e5a7e644d0ee362334d92bc8ecc981ca11ffc11eca809505'
}
checkSignature(payload)

Hi for me it did nit work without WebAppData

  const originalHash = Buffer.from(data.hash, 'hex');
    delete data.hash;
    const checkString = Object.keys(data)
      .sort()
      .map((key) => `${key}=${data[key]}`)
      .join('\n'); 
 
    const hmacKey = crypto
      .createHmac('sha256', 'WebAppData')
      .update(Buffer.from(botToken, 'utf8'))
      .digest();
    const hmac = crypto.createHmac('sha256', hmacKey);
    hmac.update(checkString);
    const computedHash = hmac.digest();
    return crypto.timingSafeEqual(computedHash, originalHash);