
Improve webapp sample comments and usage (#171)
PaulSonOfLars authored Jul 7, 2024
1 parent a9b43ef commit 422f716
Showing 2 changed files with 41 additions and 10 deletions.
10 changes: 8 additions & 2 deletions samples/webappBot/index.html
Expand Up @@ -24,10 +24,16 @@
<script>
Telegram.WebApp.ready()

// The frontend is OK displaying "unsafe" data, as long as we only use it for display reasons, and not as input.
document.getElementById("name").innerHTML = "your name is: " + Telegram.WebApp.initDataUnsafe.user.first_name
document.getElementById("id").innerHTML = "your id is: " + Telegram.WebApp.initDataUnsafe.user.id

fetch("{{ .WebAppURL }}/validate?" + Telegram.WebApp.initData).then(function (response) {
// For any input, we must always pass the initData string, which will be validated by the backend.
fetch("{{ .WebAppURL }}/validate", {
headers: {
"X-Auth": Telegram.WebApp.initData
}
}).then(function (response) {
return response.text();
}).then(function (text) {
document.getElementById("valid").innerHTML = "result: " + text;
Expand All @@ -36,4 +42,4 @@
});
</script>
</body>
</html>
</html>
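Review bot: The new comment at the top of the script says the frontend may freely display `initDataUnsafe` values, but the lines under it write `first_name` and the backend's response text into `innerHTML`, which parses markup, so a first name containing HTML would be interpreted rather than displayed. Assigning to `textContent` keeps the display-only promise the comment makes, e.g. `document.getElementById("name").textContent = "your name is: " + Telegram.WebApp.initDataUnsafe.user.first_name`, and likewise for the `id` and `valid` elements. Which of those assignment lines are new and which are context is not recoverable from this rendering, so the sink may predate this commit; the comment is what this change adds.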
41 changes: 33 additions & 8 deletions samples/webappBot/routes.go
@@ -1,9 +1,13 @@
package main

import (
"encoding/json"
"fmt"
"net/http"
"net/url"
"text/template"

"github.com/PaulSonOfLars/gotgbot/v2"
"github.com/PaulSonOfLars/gotgbot/v2/ext"
)

Expand All @@ -24,17 +28,38 @@ func index(webappURL string) func(writer http.ResponseWriter, request *http.Requ
}

func validate(token string) func(writer http.ResponseWriter, request *http.Request) {
return func(writer http.ResponseWriter, request *http.Request) {
ok, err := ext.ValidateWebAppQuery(request.URL.Query(), token)
return func(w http.ResponseWriter, r *http.Request) {
// Our index.html sends the WebApp.initData field over the X-Auth header.
// We parse this string as a URL query.
authQuery, err := url.ParseQuery(r.Header.Get("X-Auth"))
if err != nil {
writer.WriteHeader(http.StatusBadRequest)
writer.Write([]byte("validation failed; error: " + err.Error()))
w.WriteHeader(http.StatusBadRequest)
w.Write([]byte("validation failed; failed to parse auth query: " + err.Error()))
}

// We validate that the query has been hashed correctly, ensuring data can be trusted.
ok, err := ext.ValidateWebAppQuery(authQuery, token)
if err != nil {
w.WriteHeader(http.StatusUnauthorized)
w.Write([]byte("validation failed; error: " + err.Error()))
return
}
if !ok {
w.WriteHeader(http.StatusUnauthorized)
w.Write([]byte("validation failed; data cannot be trusted."))
return
}
if ok {
writer.Write([]byte("validation success; user is authenticated."))
} else {
writer.Write([]byte("validation failed; data cannot be trusted."))

// Once we've confirmed the data can be trusted, we unmarshal any data we may need to use.
var u gotgbot.User
err = json.Unmarshal([]byte(authQuery.Get("user")), &u)
if err != nil {
w.WriteHeader(http.StatusInternalServerError)
w.Write([]byte("validation failed; failed to unmarshal user: " + err.Error()))
return
}

// And then we can choose to either return it, or work with it.
w.Write([]byte(fmt.Sprintf("validation success; user '%s' is authenticated (id: %d).", u.FirstName, u.Id)))
}
}
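Review bot: The `url.ParseQuery` error branch in `validate` writes a 400 status and message but does not return, so the handler falls through to `ext.ValidateWebAppQuery` with whatever partial query was parsed and, on failure, writes a second status and body on top of the first (net/http ignores the superfluous `WriteHeader` and only logs it). Add `return` after the `w.Write` in that branch, matching the three later error branches in the same closure. The results of `w.Write` are discarded throughout, which is consistent with the rest of the sample; the final `[]byte(fmt.Sprintf(...))` could be written as `fmt.Fprintf(w, "validation success; user '%s' is authenticated (id: %d).", u.FirstName, u.Id)` to avoid the intermediate string and byte slice.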
