Telegram Web Bots data validation in JavaScript - Telegram API

VasyaFam
April 26, 2022
215 views
0 votes
2 Answers

I’ve tried to do user verification script for telegram web app for bots. I have no idea how to fix it.

import sha256 from 'js-sha256'

const telegram = window.Telegram.WebApp
const bot_token = '<bot-token>'
const data_check_string = telegram.initData

    var secret_key = sha256.hmac.create(bot_token).update("WebAppData")
    var hash = sha256.hmac.create(data_check_string).update(secret_key).hex();

   if ( hash == telegram.initDataUnsafe.hash) {
       // data is from Telegram
   }

Answers

- Konstantin
- April 29, 2022 at 2:06 pm
- 0 votes
0
Try to look to node js implementation, I tried to well comment it using official telegram pseudocode. Maybe it helps you.

But in my convinience this validation need to execute at backend because in another case you compromise your bot secret token

https://gist.github.com/konstantin24121/49da5d8023532d66cc4db1136435a885

Login or Signup to reply.

- ShayanFaghani
- April 29, 2022 at 2:20 pm
- 0 votes
0
The stated code to be used for validation in the official documentation is this:
```
data_check_string = ...
secret_key = HMAC_SHA256(<bot_token>, "WebAppData")
if (hex(HMAC_SHA256(data_check_string, secret_key)) == hash) {
  // data is from Telegram
}
```
please try to implement it as it is documented.

The link referring to this problem is:
Telegram API validation
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.

Telegram Web Bots data validation in JavaScript – Telegram API

Answers