Add allowed subnets constraint

[i7an]

To secure webhooks

[printercu]

I believe you can implement it using rails routing or rack middleware. This doesn't seem to be related to the bot itself.

[i7an]

Yes you are right. But it would be more convenient if the constraint rule was included into the gem. Wdyt?

[printercu]

I think secret_token is a better option for checking that request comes from telegram.

[printercu]

Although route path is already secret which provides enough security.

[i7an]

Im not a security expect. I just think that this is not a bad idea to add this IP constraint. For example Stripe webhooks security guide suggests the same thing:

Verify webhook signatures to confirm that received events are sent from Stripe. Additionally, Stripe sends webhook events from a set list of IP addresses. Only trust events coming from these IP addresses.

What concerns you? This could be simply an optional constraint which would come out of the box.