initData validation API

madhead · madhead · commit c3cf7f219a4f · 2023-10-21T17:56:54.000+02:00
diff --git a/launcher/fly/requests.http b/launcher/fly/requests.http
@@ -9,6 +9,15 @@ Content-Type: application/json
   "url": "https://{{ngrok}}/{{telegram_token}}"
 }
 
+### Validate initData
+POST https://{{ngrok}}/app/api/auth/validation
+Authorization: Bearer {{api_token}}
+
+
 ### Get group members
-GET http://{{local}}/app/api/group/members
+GET https://{{ngrok}}/app/api/group/members
+Authorization: Bearer {{api_token}}
+
+### Get group currencies
+GET https://{{ngrok}}/app/api/group/currencies
 Authorization: Bearer {{api_token}}
diff --git a/launcher/fly/src/main/kotlin/me/madhead/tyzenhaus/launcher/fly/routes/MiniAppAPI.kt b/launcher/fly/src/main/kotlin/me/madhead/tyzenhaus/launcher/fly/routes/MiniAppAPI.kt
@@ -1,18 +1,24 @@
 package me.madhead.tyzenhaus.launcher.fly.routes
 
+import com.soywiz.krypto.HMAC
 import io.ktor.http.HttpStatusCode
+import io.ktor.http.decodeURLQueryComponent
 import io.ktor.server.application.call
 import io.ktor.server.auth.authenticate
 import io.ktor.server.auth.principal
 import io.ktor.server.config.ApplicationConfig
+import io.ktor.server.request.receiveText
 import io.ktor.server.response.respond
 import io.ktor.server.routing.Route
 import io.ktor.server.routing.get
 import io.ktor.server.routing.localPort
+import io.ktor.server.routing.post
 import io.ktor.server.routing.route
+import io.ktor.utils.io.core.toByteArray
 import me.madhead.tyzenhaus.core.service.GroupCurrenciesService
 import me.madhead.tyzenhaus.core.service.GroupMembersService
 import me.madhead.tyzenhaus.launcher.fly.security.APITokenPrincipal
+import org.koin.ktor.ext.get
 import org.koin.ktor.ext.inject
 
 /**
@@ -22,10 +28,37 @@ fun Route.miniAppAPI() {
     val config by inject<ApplicationConfig>()
     val groupMembersService by inject<GroupMembersService>()
     val groupCurrenciesService by inject<GroupCurrenciesService>()
+    val webAppDataSecretKeyHash by lazy {
+        HMAC.hmacSHA256(
+            "WebAppData".toByteArray(),
+            this@miniAppAPI.get<ApplicationConfig>().property("telegram.token").getString().toByteArray()
+        )
+    }
 
     localPort(config.property("deployment.port").getString().toInt()) {
         authenticate("api") {
             route("/app/api") {
+                route("auth") {
+                    post("validation") {
+                        val initData = call.receiveText()
+                        val fields = initData
+                            .decodeURLQueryComponent()
+                            .split("&")
+                        val preparedData = fields
+                            .filterNot { it.startsWith("hash=") }
+                            .sorted()
+                            .joinToString("\n")
+                        val computedHash = HMAC.hmacSHA256(webAppDataSecretKeyHash.bytes, preparedData.toByteArray()).hexLower
+                        val hash = fields.find { it.startsWith("hash=") }?.removePrefix("hash=")?.lowercase()
+
+                        if (computedHash == hash) {
+                            call.respond(HttpStatusCode.NoContent)
+                        } else {
+                            call.respond(HttpStatusCode.Unauthorized)
+                        }
+                    }
+                }
+
                 route("group") {
                     get("members") {
                         val principal = call.principal<APITokenPrincipal>()!!
diff --git a/mini-app/src/history/HistoryApp.tsx b/mini-app/src/history/HistoryApp.tsx
@@ -21,7 +21,7 @@ function HistoryApp() {
   return (
     <div>
       <h1>History</h1>
-      Data: {JSON.stringify(data)}
+      Init Data: {WebApp.initData}
     </div>
   );
 }

Original file line number	Diff line number	Diff line change
`@@ -21,7 +21,7 @@ function HistoryApp() {`
`21`	`21`	`return (`
`22`	`22`	`<div>`
`23`	`23`	`<h1>History</h1>`
`24`		`- Data: {JSON.stringify(data)}`
	`24`	`+ Init Data: {WebApp.initData}`
`25`	`25`	`</div>`
`26`	`26`	`);`
`27`	`27`	`}`