fix: Added checking the hash in Telegram auth response

modules/auth/telegram/main.go

@@ -1,14 +1,20 @@
 package telegram
 
 import (
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/hex"
 	"git.ddd.rip/ptrcnull/modweb"
 	"github.com/gofiber/fiber/v2"
 	"html/template"
+	"log"
 	"net/url"
+	"strconv"
 )
 
 type Module struct {
 	BotID string
+	Token string
 	Origin string
 	Callback func(data *LoginData)*modweb.User
 }
@@ -22,6 +28,8 @@ func (m Module) Name() string {
 }
 
 func (m Module) Init(mm *modweb.ModuleManager) {
+	secretSum := sha256.Sum256([]byte(m.Token))
+
 	app := mm.Fiber()
 	app.Post("/callback", func(ctx *fiber.Ctx) error {
 		session := mm.Session(ctx)
@@ -42,6 +50,18 @@ func (m Module) Init(mm *modweb.ModuleManager) {
 			return ctx.Status(200).JSON(fiber.Map{"ok": false})
 		}
 
+		h := hmac.New(sha256.New, secretSum[:])
+		h.Write([]byte("auth_date=" + strconv.Itoa(data.Result.AuthDate) + "\n"))
+		h.Write([]byte("first_name=" + data.Result.FirstName + "\n"))
+		h.Write([]byte("id=" + strconv.Itoa(data.Result.ID) + "\n"))
+		h.Write([]byte("photo_url=" + data.Result.PhotoURL + "\n"))
+		h.Write([]byte("username=" + data.Result.Username))
+		hash := hex.EncodeToString(h.Sum(nil))
+		if hash != data.Result.Hash {
+			log.Println("hash mismatch", hash, data.Result.Hash)
+			return ctx.Status(200).JSON(fiber.Map{"ok": false})
+		}
+
 		user := m.Callback(&data)
 		if user != nil {
 			user.Save(session)

modules/auth/telegram/types.go

@@ -7,10 +7,10 @@ type LoginData struct {
 }
 
 type LoginDataResult struct {
-	ID        int    `json:"id"`
-	FirstName string `json:"first_name"`
-	Username  string `json:"username"`
-	PhotoURL  string `json:"photo_url"`
 	AuthDate  int    `json:"auth_date"`
+	FirstName string `json:"first_name"`
 	Hash      string `json:"hash"`
+	ID        int    `json:"id"`
+	PhotoURL  string `json:"photo_url"`
+	Username  string `json:"username"`
 }