Reputation: 133
How verify request of webhook are from Telegram?
I have a Telegram bot that is set to work with Telegram webhook mechanism but how trust requests and know if they are from Telegram?
base on Telegram docs I find out there is two way:
- limit them to telegam ip (this is dirty, if for some reason telegam change its ip my bot will shut down so it is not a option)
- set a private long url for webhook so only my server and telegram know the url (I don't think it's a good enough solution to secure my webhook, urls are public if for some reason my url leak, everyone can pretend they are telegram and send fake requests)
these two was what I found is there anything I miss? why Telegram don't provide a rsa public key like OAuth2 or some trusted token or signature like Github for its webhook? is private url enough for security?
Upvotes: 7
Views: 9066
Answers (3)
Reputation: 38576
As of Bot API 6.1, there is a new optional secret_token string parameter to the setWebhook method:
A secret token to be sent in a header “X-Telegram-Bot-Api-Secret-Token” in every webhook request, 1-256 characters. Only characters A-Z, a-z, 0-9, _ and - are allowed. The header is useful to ensure that the request comes from a webhook set by you.
So you would pass this parameter when setting the webhook, then on each incoming request you would verify that the X-Telegram-Bot-Api-Secret-Token header matches.
Upvotes: 17
Reputation: 107
You could attach a secret auth token as a query parameter to your webhook's URL. i.e. https://example.com/telegram_webhook?auth=12345 that you would then verify on your server.
This is somewhat more secure if you worry that your base URL is too easy to obtain.
...most ideally, you'd want Mutual TLS (mTLS), but I'm not aware of Telegram supporting that.
Upvotes: 0
Reputation: 1939
Regarding the IP limit here:
Accepts incoming POSTs from subnets 149.154.160.0/20 and 91.108.4.0/22 on port 443, 80, 88, or 8443.
If you decide to limit traffic to our specific range of addresses, keep an eye on this document whenever you seem to run into trouble. Our IP-range might change in the future.
Telegram always inform users about important changes before applying them, so if you subscribe to their BotNews channel, you wouldn't miss news about the ip-range changes. So I think it's still is a good option.
Regarding
urls are public if for some reason my url leak, everyone can pretend they are telegram and send fake requests
Your argument is correct I think, but the possibility of a private url leakage is not that high and it is somehow brute-force safe. Based on what we know about how Telegram cares about security, if they receive reports of fake webhook requests they would offer solutions.
Though if you're still worried, you can use a Local Bot Api Server where you could only trust your internal ip address.
Upvotes: 0
Related Questions
- How do I "say" to the Telegram API that I got their webhook request successfully?
- In webhook what is has_custom_certificate: false?
- python-telegram-bot using webhook
- HTTP POST using Telegram Webhook
- how to i can to find webhook address in my telegram bot?
- Telegram bot webhook send only commands
- Telegram bot message read callback
- What is the web request to send a message to my telegram bot?
- How To Response To telegram bot Webhook Request? Same Request Are Coming Repeatedly
- Why not send telegrams request to webhook?