
@sadiqsalau
Created April 1, 2025 10:45
PHP / Laravel Validate Telegram WebAppData
<?php
use Base64Url\Base64Url;
use Elliptic\EdDSA;
// composer require simplito/elliptic-php spomky-labs/base64url
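class TelegramValidator {
    /**
     * Verify the HMAC-SHA256 `hash` field of a Telegram WebAppData query string.
     *
     * The secret is HMAC-SHA256 of the bot token keyed with the literal
     * "WebAppData"; the signed message is every field except `hash`, sorted by
     * key and joined as `key=value` lines.
     *
     * Fails closed (returns false) when the bot token is not configured, when
     * `hash` is missing, or when any field is not a plain string.
     *
     * NOTE(review): this only proves the data was signed with the bot token.
     * It does not check how old `auth_date` is, so a captured payload stays
     * valid until the caller enforces a maximum age.
     *
     * @param string $webAppData Raw init-data query string from the client (untrusted).
     * @return bool True only when the supplied hash matches the recomputed one.
     */
    public static function isValidWebAppData(string $webAppData)
    {
        // An empty token would yield a secret anyone can recompute, so refuse
        // to validate. Outside config files, env() falls back to the default
        // once Laravel's configuration is cached, so this case is reachable.
        $botToken = env('TELEGRAM_BOT_TOKEN', '');
        if (!is_string($botToken) || $botToken === '') {
            return false;
        }

        $fields = self::parseFields($webAppData);
        if ($fields === null || !isset($fields['hash'])) {
            return false;
        }

        $secret = hash_hmac('sha256', $botToken, 'WebAppData', true);
        $expected = hash_hmac(
            'sha256',
            self::buildCheckString($fields, ['hash']),
            $secret
        );

        // hash_equals() takes the known value first and the user-supplied value second.
        return hash_equals($expected, $fields['hash']);
    }

    /**
     * Verify the Ed25519 `signature` field of a Telegram WebAppData query string.
     *
     * The signed message is "<bot id>:WebAppData\n" followed by every field
     * except `hash` and `signature`, sorted by key and joined as `key=value`
     * lines. The public key and bot id are read from the `telegram.*` config.
     *
     * Fails closed (returns false) when the configuration is missing, when
     * `signature` is absent or not valid base64url, when it does not decode to
     * 64 bytes, or when verification raises an error.
     *
     * NOTE(review): as with the HMAC check, the age of `auth_date` is not
     * checked here; callers should enforce it to limit replay.
     *
     * @param string $webAppData Raw init-data query string from the client (untrusted).
     * @return bool True only when the signature verifies against the configured key.
     */
    public static function isValidEd25519WebAppData(string $webAppData)
    {
        $botId = config('telegram.telegram_bot_id');
        $publicKey = config('telegram.telegram_public_key');
        if ($botId === null || $botId === '' || empty($publicKey)) {
            return false;
        }

        $fields = self::parseFields($webAppData);
        if ($fields === null || !isset($fields['signature'])) {
            return false;
        }

        try {
            $rawSignature = Base64Url::decode($fields['signature']);
        } catch (\InvalidArgumentException $e) {
            return false;
        }
        // An Ed25519 signature is exactly 64 bytes; anything else cannot verify.
        if (!is_string($rawSignature) || strlen($rawSignature) !== 64) {
            return false;
        }

        $prefix = $botId . ":WebAppData\n";
        $check = self::buildCheckString($fields, ['hash', 'signature']);

        // The elliptic library is given the message and signature as hex strings.
        $message = bin2hex($prefix . $check);
        $signature = bin2hex($rawSignature);

        $ec = new EdDSA('ed25519');
        $key = $ec->keyFromPublic($publicKey);

        try {
            return (bool) $key->verify($message, $signature);
        } catch (\Throwable $e) {
            // Presumably the library can raise on malformed signature bytes;
            // treat that as a failed verification rather than an unhandled error.
            return false;
        }
    }

    /**
     * Parse the query string and reject anything that is not a flat string map.
     *
     * parse_str() turns `key[]=x` into nested arrays; such input cannot be part
     * of a legitimate check string, so it is refused up front.
     *
     * @return array<int|string, string>|null Parsed fields, or null if any value is not a string.
     */
    private static function parseFields(string $webAppData): ?array
    {
        parse_str($webAppData, $fields);

        foreach ($fields as $value) {
            if (!is_string($value)) {
                return null;
            }
        }

        return $fields;
    }

    /**
     * Build the newline-joined `key=value` check string, sorted by key.
     *
     * @param array<int|string, string> $fields Parsed fields.
     * @param list<string> $excluded Keys left out of the signed message.
     */
    private static function buildCheckString(array $fields, array $excluded): string
    {
        foreach ($excluded as $key) {
            unset($fields[$key]);
        }

        // Compare keys as strings so the order is alphabetical for every key.
        ksort($fields, SORT_STRING);

        $lines = [];
        foreach ($fields as $key => $value) {
            $lines[] = $key . '=' . $value;
        }

        return implode("\n", $lines);
    }
}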