First draft of the Telegram strategy #152
Open
+438
−0
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
danschultzer
force-pushed
the
telegram_strategy
branch
from
b242217 to
e61f04a
Compare
|
Thanks! I've refactored the strategy to conform with how other strategies are set up. There actually is a URL that can be used so I think we should just use that and have the script in the docs. This is in line with other strategies like Facebook and Apple where a JS widget can be used as well. I have tested with this the Login Widget which works well, but haven't tested with the mini app. |
danschultzer
force-pushed
the
telegram_strategy
branch
2 times, most recently
from
eeef2f1 to
ba6e07d
Compare
danschultzer
force-pushed
the
telegram_strategy
branch
from
ba6e07d to
37ae300
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Resolves #153
Telegram offers a convenient way of authenticating users by allowing them to enter their Telegram phone number and confirm the request directly in the Telegram messenger app without a password.
However, they don’t support the traditional method of redirecting to their OAuth server to enter credentials. Instead, it is necessary to include their JS library on the page and either use an embedded iframe with a standard button (with limited styles) or - via an undocumented method - directly call the
auth(callback)function with a callback to get the results. The official login widget also supports the redirect mode to a provided callback URL. This means that theauthorize_url/1call is useless for this implementation (more on this later).Additionally, Telegram has published the Web Mini App API. This API allows direct interaction with many internal Telegram features. The Mini Web App is intended to be opened directly from the messenger app and to work inside the app.
To authenticate a user of a web app, Telegram sends a URL-encoded query string (protected by a hash) that contains all the initial data when opening the web app. This string doesn’t pass through a WebView instance and should be collected inside the frontend and sent to the backend for authentication. The backend needs to check the data’s authenticity by calculating the hash of the string and comparing it with the provided one, as well as validating the authentication date.
Returning to the
authorization_url/1: it is possible to use it to create a script to embed in the HTML page. The generator, depending on config parameters, can then generate different embedding options. However, this contradicts the meaning ofauthorization_url.But current functionality is full and works.
WDYT?