diff --git a/modules/auth/telegram/main.go b/modules/auth/telegram/main.go
index 5e15185..eb7f9d7 100644
--- a/modules/auth/telegram/main.go
+++ b/modules/auth/telegram/main.go
@@ -1,14 +1,20 @@
 package telegram
 import (
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/hex"
 	"git.ddd.rip/ptrcnull/modweb"
 	"github.com/gofiber/fiber/v2"
 	"html/template"
+	"log"
 	"net/url"
+	"strconv"
 )
 type Module struct {
 	BotID string
+	Token string
 	Origin string
 	Callback func(data *LoginData)*modweb.User
 }
@@ -22,6 +28,8 @@ func (m Module) Name() string {
 }
 func (m Module) Init(mm *modweb.ModuleManager) {
+	secretSum := sha256.Sum256([]byte(m.Token))
+
 	app := mm.Fiber()
 	app.Post("/callback", func(ctx *fiber.Ctx) error {
 		session := mm.Session(ctx)
@@ -42,6 +50,18 @@ func (m Module) Init(mm *modweb.ModuleManager) {
 			return ctx.Status(200).JSON(fiber.Map{"ok": false})
 		}
+		h := hmac.New(sha256.New, secretSum[:])
+		h.Write([]byte("auth_date=" + strconv.Itoa(data.Result.AuthDate) + "\n"))
+		h.Write([]byte("first_name=" + data.Result.FirstName + "\n"))
+		h.Write([]byte("id=" + strconv.Itoa(data.Result.ID) + "\n"))
+		h.Write([]byte("photo_url=" + data.Result.PhotoURL + "\n"))
+		h.Write([]byte("username=" + data.Result.Username))
+		hash := hex.EncodeToString(h.Sum(nil))
+		if hash != data.Result.Hash {
+			log.Println("hash mismatch", hash, data.Result.Hash)
+			return ctx.Status(200).JSON(fiber.Map{"ok": false})
+		}
+
 		user := m.Callback(&data)
 		if user != nil {
 			user.Save(session)
diff --git a/modules/auth/telegram/types.go b/modules/auth/telegram/types.go
index 70fcb34..38bcbd4 100644
--- a/modules/auth/telegram/types.go
+++ b/modules/auth/telegram/types.go
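Review bot: The new `Token` field on `Module` holds the bot secret from which the HMAC key is derived, yet it carries no doc comment and nothing tells the caller that it must be set and must stay out of source and logs; add `// Token is the Telegram bot token. It is the key for verifying login payloads and must be supplied from configuration, never committed or logged.` above the field. The added imports interleave stdlib and third-party packages in one alphabetical list (`html/template` sits between `git.ddd.rip/...` and `log`); grouping stdlib first, then the rest, as `goimports` does would make the dependency set easier to audit. The rest of the struct is unchanged by this hunk.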
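Review bot: `secretSum := sha256.Sum256([]byte(m.Token))` accepts an empty `Token` without complaint, and in that case the HMAC key is the fixed, publicly known SHA-256 of the empty string, so the hash check in the callback no longer authenticates anything; Init should refuse to register the route when the token is missing, e.g. `if m.Token == "" { panic("telegram: Token must be set") }` placed before the derivation. Deriving the key once at init rather than on every request is the right shape. Init's body continues outside the hunk.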
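Review bot: The check on the `if hash != data.Result.Hash` line compares the MAC with `!=` rather than a constant-time comparison, and on mismatch it logs the expected hash that was computed from the secret over request-supplied fields, so the application log becomes a source of valid hashes for whoever can read it; decode the submitted hex, compare with `hmac.Equal`, and log only that a mismatch occurred. Nothing bounds `auth_date`, so a captured payload stays valid indefinitely once signed; rejecting payloads whose `AuthDate` is older than a configured window closes that (this needs `time` in the import block). The data-check string is also built from a fixed list of five fields, so if the widget sends a field this struct does not carry or omits an optional one the MAC will not match for a legitimate user — building the string from the fields actually present would be more robust. The enclosing handler starts and ends outside the hunk.
```go
		// … unchanged: HMAC over the data-check string …
		sum := h.Sum(nil)
		got, err := hex.DecodeString(data.Result.Hash)
		if err != nil || !hmac.Equal(sum, got) {
			log.Println("telegram login: hash mismatch")
			return ctx.Status(200).JSON(fiber.Map{"ok": false})
		}
		// Reject stale payloads; the window below is a constructed example, make it configurable.
		if time.Now().Unix()-int64(data.Result.AuthDate) > 86400 {
			log.Println("telegram login: auth_date too old")
			return ctx.Status(200).JSON(fiber.Map{"ok": false})
		}
		// … unchanged: Callback and session save …
```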
@@ -7,10 +7,10 @@ type LoginData struct {
 }
 type LoginDataResult struct {
-	ID int `json:"id"`
-	FirstName string `json:"first_name"`
-	Username string `json:"username"`
-	PhotoURL string `json:"photo_url"`
 	AuthDate int `json:"auth_date"`
+	FirstName string `json:"first_name"`
 	Hash string `json:"hash"`
+	ID int `json:"id"`
+	PhotoURL string `json:"photo_url"`
+	Username string `json:"username"`
 }