fix: Added checking the hash in Telegram auth response

This commit is contained in:
ptrcnull 2021-01-03 05:40:07 +01:00
parent f0baa5466e
commit 5fa5217128
2 changed files with 24 additions and 4 deletions


@ -1,14 +1,20 @@
package telegram package telegram
import ( import (
"crypto/hmac"
"crypto/sha256"
"encoding/hex"
"git.ddd.rip/ptrcnull/modweb" "git.ddd.rip/ptrcnull/modweb"
"github.com/gofiber/fiber/v2" "github.com/gofiber/fiber/v2"
"html/template" "html/template"
"log"
"net/url" "net/url"
"strconv"
) )
type Module struct { type Module struct {
BotID string BotID string
Token string
Origin string Origin string
Callback func(data *LoginData)*modweb.User Callback func(data *LoginData)*modweb.User
} }
@ -22,6 +28,8 @@ func (m Module) Name() string {
} }
func (m Module) Init(mm *modweb.ModuleManager) { func (m Module) Init(mm *modweb.ModuleManager) {
secretSum := sha256.Sum256([]byte(m.Token))
app := mm.Fiber() app := mm.Fiber()
app.Post("/callback", func(ctx *fiber.Ctx) error { app.Post("/callback", func(ctx *fiber.Ctx) error {
session := mm.Session(ctx) session := mm.Session(ctx)
@ -42,6 +50,18 @@ func (m Module) Init(mm *modweb.ModuleManager) {
return ctx.Status(200).JSON(fiber.Map{"ok": false}) return ctx.Status(200).JSON(fiber.Map{"ok": false})
} }
h := hmac.New(sha256.New, secretSum[:])
h.Write([]byte("auth_date=" + strconv.Itoa(data.Result.AuthDate) + "\n"))
h.Write([]byte("first_name=" + data.Result.FirstName + "\n"))
h.Write([]byte("id=" + strconv.Itoa(data.Result.ID) + "\n"))
h.Write([]byte("photo_url=" + data.Result.PhotoURL + "\n"))
h.Write([]byte("username=" + data.Result.Username))
hash := hex.EncodeToString(h.Sum(nil))
if hash != data.Result.Hash {
log.Println("hash mismatch", hash, data.Result.Hash)
return ctx.Status(200).JSON(fiber.Map{"ok": false})
}
user := m.Callback(&data) user := m.Callback(&data)
if user != nil { if user != nil {
user.Save(session) user.Save(session)
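Review bot: The new check at `if hash != data.Result.Hash` compares the computed HMAC with a caller-supplied string using a short-circuiting comparison, which leaks the position of the first differing byte through timing; use `if !hmac.Equal([]byte(hash), []byte(data.Result.Hash)) {` instead (crypto/hmac is already imported by this commit). The `log.Println("hash mismatch", hash, data.Result.Hash)` on the following line also writes the correct HMAC for whatever fields the caller submitted into the log, so it should record only the fact of a mismatch, or at most the supplied value. Nothing bounds `data.Result.AuthDate`, so a payload that verified once verifies forever and can be replayed to log in as that user; comparing it against `time.Now().Unix()` with a maximum age would close that. The hashed field set is fixed here (auth_date, first_name, id, photo_url, username), so if the provider adds fields the struct does not carry or omits optional ones (presumably last_name, or an absent photo_url) the data-check string will not match even for legitimate logins — worth confirming against the login widget's documentation. The `/callback` handler and `Init` continue past the end of this hunk.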


@ -7,10 +7,10 @@ type LoginData struct {
} }
type LoginDataResult struct { type LoginDataResult struct {
ID int `json:"id"`
FirstName string `json:"first_name"`
Username string `json:"username"`
PhotoURL string `json:"photo_url"`
AuthDate int `json:"auth_date"` AuthDate int `json:"auth_date"`
FirstName string `json:"first_name"`
Hash string `json:"hash"` Hash string `json:"hash"`
ID int `json:"id"`
PhotoURL string `json:"photo_url"`
Username string `json:"username"`
} }