Created
February 3, 2018 16:21
<?php | |
define('BOT_USERNAME', 'XXXXXXXXXX'); // place username of your bot here | |
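/**
 * Reads the Telegram profile stored in the `tg_user` cookie.
 *
 * Nothing in this function re-checks Telegram's hash, and a cookie value is
 * fully controlled by the browser that sends it. Treat the result as display
 * data only; it is not proof of identity and must not drive authorization
 * unless the cookie is signed server-side or replaced by a server session.
 *
 * @return array|false Decoded profile fields, or false when the cookie is
 *                     missing or does not decode to a JSON object/array.
 */
function getTelegramUserData() {
  if (!isset($_COOKIE['tg_user']) || !is_string($_COOKIE['tg_user'])) {
    return false;
  }
  // Kept from the original sample: the value is URL-decoded before parsing.
  $auth_data = json_decode(urldecode($_COOKIE['tg_user']), true);
  // json_decode() returns null for malformed JSON and a scalar for a bare value;
  // callers index the result as an array, so anything else means "not logged in".
  return is_array($auth_data) ? $auth_data : false;
}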
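// Log out: clear the cookie and send the browser back to the plain page.
// isset() avoids an undefined-index notice when the parameter is absent.
if (isset($_GET['logout']) && $_GET['logout']) {
  // An empty value makes PHP emit a cookie-deletion header.
  setcookie('tg_user', '');
  header('Location: login_example.php');
  // Stop here: $_COOKIE still holds the old value for this request, so without
  // exit the redirect response body would still render the user's greeting.
  exit;
}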
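$tg_user = getTelegramUserData();
if (is_array($tg_user)) {
  // Every field below comes from a browser-supplied cookie that this page does
  // not verify: a field can be missing or not a string, so normalise before
  // escaping. The greeting is cosmetic and must not be used as an identity check.
  $text = function ($key) use ($tg_user) {
    return (isset($tg_user[$key]) && is_scalar($tg_user[$key]))
      ? htmlspecialchars((string) $tg_user[$key])
      : '';
  };
  $first_name = $text('first_name');
  // last_name is optional, so it is rendered as an empty string when absent.
  $last_name = $text('last_name');
  if (isset($tg_user['username']) && is_string($tg_user['username']) && $tg_user['username'] !== '') {
    // URL-encode for the path segment first, then HTML-escape for the attribute.
    $username = htmlspecialchars(rawurlencode($tg_user['username']));
    $html = "<h1>Hello, <a href=\"https://t.me/{$username}\">{$first_name} {$last_name}</a>!</h1>";
  } else {
    $html = "<h1>Hello, {$first_name} {$last_name}!</h1>";
  }
  // Only emit the avatar when the value is an http(s) URL; other schemes are dropped.
  if (isset($tg_user['photo_url']) && is_string($tg_user['photo_url'])
      && preg_match('#^https?://#i', $tg_user['photo_url'])) {
    $photo_url = htmlspecialchars($tg_user['photo_url']);
    $html .= "<img src=\"{$photo_url}\">";
  }
  $html .= "<p><a href=\"?logout=1\">Log out</a></p>";
} else {
  // Not logged in: show the Telegram login widget, which sends the signed
  // payload to check_authorization.php.
  $bot_username = BOT_USERNAME;
  $html = <<<HTML
<h1>Hello, anonymous!</h1>
<script async src="https://telegram.org/js/telegram-widget.js?2" data-telegram-login="{$bot_username}" data-size="large" data-auth-url="check_authorization.php"></script>
HTML;
}
echo <<<HTML
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Login Widget Example</title>
</head>
<body><center>{$html}</center></body>
</html>
HTML;
?>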
why this error Data is NOT from Telegram??
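the right check auth as below
<?php
// Placeholder only. A real bot token is a credential: keep it in server-side
// configuration, never in posted code, and revoke it if it has been published.
define('BOT_TOKEN', 'XXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'); // place bot token of your bot here

/**
 * Checks that the received fields were signed with the bot token and are recent.
 *
 * @param array $auth_data Request parameters, including `hash` and `auth_date`.
 * @return array The same fields without `hash`.
 * @throws Exception When the hash does not match or the data is older than 24 hours.
 */
function checkTelegramAuthorization($auth_data) {
  if (!is_array($auth_data) || !isset($auth_data['hash']) || !is_string($auth_data['hash'])
      || !isset($auth_data['auth_date'])) {
    throw new Exception('<br/>Data is NOT from Telegram');
  }
  $check_hash = $auth_data['hash'];
  unset($auth_data['hash']);
  $data_check_arr = [];
  foreach ($auth_data as $key => $value) {
    // Nested parameters (a[]=...) cannot be part of a signed payload.
    if (!is_scalar($value)) {
      throw new Exception('<br/>Data is NOT from Telegram');
    }
    $data_check_arr[] = $key . '=' . $value;
  }
  sort($data_check_arr);
  $data_check_string = implode("\n", $data_check_arr);
  // The key must be the raw binary digest (fourth argument true), not a hex string.
  // NOTE(review): this keys the HMAC of the token with "WebAppData"; the Login
  // Widget check uses SHA-256 of the bot token as the key instead. Confirm which
  // flow this endpoint serves.
  $secret_key = hash_hmac('sha256', BOT_TOKEN, "WebAppData", true);
  $hash = hash_hmac('sha256', $data_check_string, $secret_key);
  // Debug output of the key and hashes was removed: it printed secret material
  // to the client. hash_equals() compares in constant time.
  if (!hash_equals($hash, $check_hash)) {
    throw new Exception('<br/>Data is NOT from Telegram');
  }
  if ((time() - $auth_data['auth_date']) > 86400) {
    throw new Exception('<br/>Data is outdated');
  }
  return $auth_data;
}

/**
 * Stores the verified fields in the `tg_user` cookie as JSON.
 *
 * NOTE(review): the cookie is neither signed nor encrypted, so a later request
 * can present any JSON here. Code that reads it back cannot rely on it as proof
 * of a verified login; a server-side session or a signed value would be needed.
 */
function saveTelegramUserData($auth_data) {
  $auth_data_json = json_encode($auth_data);
  setcookie('tg_user', $auth_data_json);
}

try {
  $auth_data = checkTelegramAuthorization($_GET);
  saveTelegramUserData($auth_data);
} catch (Exception $e) {
  die ($e->getMessage());
}
header('Location: login_example.php');
?>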
🛑 Stop suffering!!! Use the tgWebValid package, which will do all the checks and make your life much easier. I will also provide convenient access to user data 😉
Hello, {$first_name} {$last_name}!";
} else {
$html = "
Hello, {$first_name} {$last_name}!
"; } if (isset($tg_user['photo_url'])) { $photo_url = htmlspecialchars($tg_user['photo_url']); $html .= ""; } $html .= ""; } else { $bot_username = BOT_USERNAME; $html = <<Hello, anonymous! <script async src="https://telegram.org/js/telegram-widget.js?2" data-telegram-login="{$bot_username}" data-size="large" data-auth-url="check_authorization.php"></script> HTML; } echo << <title>Login Widget Example</title> {$html} HTML; ?>I just want to apeciate this unique simplisity, its much more simple than discord or twitter and yet secure.
Hgj
I am always stuckup at "import PHP settings". Can someone help?
I'm back 🌄
iam back
Ihg
I happy
Halp
Cara mengaktifkan akun telegram kena spam di blockir bagaimana brow
@POWERFULLGOLDUK_BOT
Stay updated with the latest gold prices in real-time! 📊 Get instant notifications and market trends right in your Telegram.
📢 Live Gold Price Updates – Join Now!
Here's a TypeScript/Node.js implementation of this:
import crypto from "node:crypto";
// Bot token of the login bot; verify() hashes it with SHA-256 to derive the HMAC key.
// Placeholder value: keep the real token in server-side configuration, not in source.
const BOT_TOKEN = "XXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXX";
// Maximum accepted age of `auth_date`, in seconds; verify() rejects older payloads.
const MAX_AGE = 300; // 5 minutes
/**
 * The raw Telegram login payload as received from the client, before any check.
 *
 * Nothing in this shape is trusted until `verify()` has recomputed the hash.
 * Fields are typed as strings here.
 * NOTE(review): a JSON body may carry `id` and `auth_date` as numbers; confirm
 * how the caller parses the request.
 */
export interface TelegramAuthData {
/**
 * Unique user identifier (Telegram ID)
 */
id: string;
/**
 * User's first name
 */
first_name?: string;
/**
 * User's last name
 */
last_name?: string;
/**
 * Telegram username
 */
username?: string;
/**
 * Optional URL to the user's Telegram profile picture
 */
photo_url?: string;
/**
 * UNIX timestamp in seconds when the auth data was generated;
 * `verify()` compares it with the current time against `MAX_AGE`.
 */
auth_date: string;
/**
 * Hex-encoded HMAC-SHA256 over the other fields; `verify()` removes it
 * before building the string that is hashed.
 */
hash: string;
/**
 * Any additional properties included in the request. `verify()` includes
 * every one of them in the `key=value` list it hashes.
 */
[key: string]: string | undefined;
}
/**
 * Telegram user identity returned by `verify()` once the hash and the
 * `auth_date` age check have both passed.
 */
export interface TelegramVerifiedData {
/**
 * Unique Telegram user ID
 */
id: string;
/**
 * User's first name
 */
firstName?: string;
/**
 * User's last name
 */
lastName?: string;
/**
 * Telegram username
 */
username?: string;
/**
 * Profile picture URL
 */
photoUrl?: string;
/**
 * `auth_date` converted from UNIX seconds to a JavaScript `Date`
 */
authDate: Date;
/**
 * The received payload without `hash`, keeping only entries whose value is a string
 */
raw: Record<string, string>;
}
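/**
 * Verifies Telegram login data: recomputes the HMAC-SHA256 over the received
 * fields and checks that `auth_date` is no older than `MAX_AGE` seconds.
 *
 * @param input Login fields as received from the client, including `hash`.
 * @returns The normalized user data once both checks have passed.
 * @throws Error when `hash` is missing, the hash does not match, or the data is outdated.
 */
function verify(input: Record<string, string>): TelegramVerifiedData {
  const { hash: checkHash, ...data } = input as TelegramAuthData;
  if (!checkHash) {
    throw new Error("Missing hash in Telegram login data");
  }

  /**
   * The hash is computed over the sorted `key=val` list of all other entries.
   * {@link https://core.telegram.org/widgets/login#checking-authorization}
   */
  const dataCheckString = Object.entries(data)
    .map(([k, v]) => `${k}=${v}`)
    .sort()
    .join("\n");

  /**
   * Port of sample PHP provided by Telegram organization to Javascript:
   * {@link https://gist.github.com/anonymous/6516521b1fb3b464534fbc30ea3573c2}
   * The HMAC key is the raw SHA-256 digest of the bot token.
   */
  const secretKey = crypto.createHash("sha256").update(BOT_TOKEN).digest();
  const expected = crypto.createHmac("sha256", secretKey).update(dataCheckString).digest();

  // Only a 64-character lowercase hex string can match a hex SHA-256 digest.
  // Checking the format first also guarantees equal buffer lengths, which
  // timingSafeEqual requires.
  const received =
    typeof checkHash === "string" && /^[0-9a-f]{64}$/.test(checkHash)
      ? Buffer.from(checkHash, "hex")
      : null;
  // Constant-time comparison: the check does not reveal how many leading
  // characters of a guessed hash were correct.
  if (received === null || !crypto.timingSafeEqual(expected, received)) {
    throw new Error("Telegram data integrity check failed (hash mismatch)");
  }

  // A missing, zero or non-numeric auth_date is rejected together with stale data.
  const authDate = parseInt(data.auth_date || "", 10);
  if (!authDate || Date.now() / 1000 - authDate > MAX_AGE) {
    throw new Error("Telegram login data is outdated");
  }

  // Keep only string-valued entries so `raw` matches its declared type.
  const raw = Object.fromEntries(
    Object.entries(data).filter(([, v]) => typeof v === "string"),
  ) as Record<string, string>;

  return {
    id: data.id,
    firstName: data.first_name,
    lastName: data.last_name,
    username: data.username,
    photoUrl: data.photo_url,
    authDate: new Date(authDate * 1000),
    raw,
  };
}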
// Simple callback for Express.js; the same shape can be used with other frameworks.
/**
 * Handles the Telegram login payload sent by the client in the POST body.
 *
 * Responds with the verified user on success, or with status 400 and the
 * failure reason when `verify()` throws.
 */
export function handleCallback(req: Request, res: Response) {
  try {
    // import `verify()`
    const payload = req.body as Record<string, string>;
    const verifiedUser = verify(payload);
    res.json({ message: "Verified successfully", user: verifiedUser });
  } catch (err) {
    // Non-Error throwables are passed through unchanged.
    const reason = err instanceof Error ? err.message : err;
    res.status(400).json({ message: "Telegram login failed", error: reason });
  }
}
Muhammadparyup