feat(Telegram Trigger Node): Verify Webhook requests (#8383)

Co-authored-by: Jonathan Bennetts <jonathan.bennetts@gmail.com>
2025-03-05 20:50:17 -08:00 · 2024-01-19 09:09:11 +01:00 · 2024-01-19 09:09:11 +01:00 · 11176124b5
parent 25f51f4fd7
commit 11176124b5
2 changed files with 32 additions and 2 deletions
--- a/packages/nodes-base/nodes/Telegram/GenericFunctions.ts
+++ b/packages/nodes-base/nodes/Telegram/GenericFunctions.ts
@ -235,3 +235,9 @@ export function getImageBySize(photos: IDataObject[], size: string): IDataObject
 export function getPropertyName(operation: string) {
 	return operation.replace('send', '').toLowerCase();
 }
+
+export function getSecretToken(this: IHookFunctions | IWebhookFunctions) {
+	// Only characters A-Z, a-z, 0-9, _ and - are allowed.
+	const secret_token = `${this.getWorkflow().id}_${this.getNode().id}`;
+	return secret_token.replace(/[^a-zA-Z0-9\_\-]+/g, '');
+}
--- a/packages/nodes-base/nodes/Telegram/TelegramTrigger.node.ts
+++ b/packages/nodes-base/nodes/Telegram/TelegramTrigger.node.ts
@ -7,7 +7,7 @@ import type {
 	IWebhookResponseData,
 } from 'n8n-workflow';

-import { apiRequest, getImageBySize } from './GenericFunctions';
+import { apiRequest, getImageBySize, getSecretToken } from './GenericFunctions';

 import type { IEvent } from './IEvent';

@ -17,7 +17,8 @@ export class TelegramTrigger implements INodeType {
 		name: 'telegramTrigger',
 		icon: 'file:telegram.svg',
 		group: ['trigger'],
-		version: 1,
+		version: [1, 1.1],
+		defaultVersion: 1.1,
 		subtitle: '=Updates: {{$parameter["updates"].join(", ")}}',
 		description: 'Starts the workflow on a Telegram update',
 		defaults: {
@ -40,6 +41,13 @@ export class TelegramTrigger implements INodeType {
 			},
 		],
 		properties: [
+			{
+				displayName:
+					'Due to Telegram API limitations, you can use just one Telegram trigger for each bot at a time',
+				name: 'telegramTriggerNotice',
+				type: 'notice',
+				default: '',
+			},
 			{
 				displayName: 'Trigger On',
 				name: 'updates',
@ -188,9 +196,12 @@ export class TelegramTrigger implements INodeType {

 				const endpoint = 'setWebhook';

+				const secret_token = getSecretToken.call(this);
+
 				const body = {
 					url: webhookUrl,
 					allowed_updates: allowedUpdates,
+					secret_token,
 				};

 				await apiRequest.call(this, 'POST', endpoint, body);
@ -216,6 +227,19 @@ export class TelegramTrigger implements INodeType {
 		const credentials = await this.getCredentials('telegramApi');

 		const bodyData = this.getBodyData() as IEvent;
+		const headerData = this.getHeaderData();
+
+		const nodeVersion = this.getNode().typeVersion;
+		if (nodeVersion > 1) {
+			const secret = getSecretToken.call(this);
+			if (secret !== headerData['x-telegram-bot-api-secret-token']) {
+				const res = this.getResponseObject();
+				res.status(403).json({ message: 'Provided secret is not valid' });
+				return {
+					noWebhookResponse: true,
+				};
+			}
+		}

 		const additionalFields = this.getNodeParameter('additionalFields') as IDataObject;