Created February 3, 2018 16:21
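<?php
// check_authorization.php: target of the widget's data-auth-url

define('BOT_TOKEN', 'XXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXX'); // place bot token of your bot here

function checkTelegramAuthorization($auth_data) {
  // Reject requests that lack the fields the check depends on
  if (!isset($auth_data['hash'], $auth_data['auth_date'])) {
    throw new Exception('Data is NOT from Telegram');
  }
  $check_hash = $auth_data['hash'];
  unset($auth_data['hash']);
  // Build the data-check-string: "key=value" lines, sorted, joined by "\n"
  $data_check_arr = [];
  foreach ($auth_data as $key => $value) {
    $data_check_arr[] = $key . '=' . $value;
  }
  sort($data_check_arr);
  $data_check_string = implode("\n", $data_check_arr);
  // The HMAC key is the raw SHA-256 of the bot token; keep both server-side
  $secret_key = hash('sha256', BOT_TOKEN, true);
  $hash = hash_hmac('sha256', $data_check_string, $secret_key);
  // hash_equals() compares in constant time, unlike strcmp()
  if (!is_string($check_hash) || !hash_equals($hash, $check_hash)) {
    throw new Exception('Data is NOT from Telegram');
  }
  // Refuse authorizations older than 24 hours
  if ((time() - (int) $auth_data['auth_date']) > 86400) {
    throw new Exception('Data is outdated');
  }
  return $auth_data;
}

function saveTelegramUserData($auth_data) {
  // Stores the verified fields (without the hash) as JSON in a cookie
  $auth_data_json = json_encode($auth_data);
  setcookie('tg_user', $auth_data_json);
}

try {
  $auth_data = checkTelegramAuthorization($_GET);
  saveTelegramUserData($auth_data);
} catch (Exception $e) {
  die($e->getMessage());
}
header('Location: login_example.php');
?>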
<?php
// login_example.php: shows the login widget or the logged-in user

define('BOT_USERNAME', 'XXXXXXXXXX'); // place username of your bot here

function getTelegramUserData() {
  if (isset($_COOKIE['tg_user'])) {
    // PHP has already URL-decoded the cookie value, so decode the JSON directly.
    // The cookie carries no signature, so its contents are client-controlled.
    $auth_data = json_decode($_COOKIE['tg_user'], true);
    if (is_array($auth_data)) {
      return $auth_data;
    }
  }
  return false;
}

if (!empty($_GET['logout'])) {
  // Clear the cookie and stop, so the page is not rendered after the redirect
  setcookie('tg_user', '');
  header('Location: login_example.php');
  exit;
}

$tg_user = getTelegramUserData();
if ($tg_user !== false) {
  // Telegram does not send every field for every user, so default to ''
  $first_name = htmlspecialchars($tg_user['first_name'] ?? '');
  $last_name = htmlspecialchars($tg_user['last_name'] ?? '');
  if (isset($tg_user['username'])) {
    $username = htmlspecialchars($tg_user['username']);
    $html = "<h1>Hello, <a href=\"https://t.me/{$username}\">{$first_name} {$last_name}</a>!</h1>";
  } else {
    $html = "<h1>Hello, {$first_name} {$last_name}!</h1>";
  }
  if (isset($tg_user['photo_url'])) {
    $photo_url = htmlspecialchars($tg_user['photo_url']);
    $html .= "<img src=\"{$photo_url}\">";
  }
  $html .= "<p><a href=\"?logout=1\">Log out</a></p>";
} else {
  $bot_username = BOT_USERNAME;
  $html = <<<HTML
<h1>Hello, anonymous!</h1>
<script async src="https://telegram.org/js/telegram-widget.js?2" data-telegram-login="{$bot_username}" data-size="large" data-auth-url="check_authorization.php"></script>
HTML;
}

echo <<<HTML
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Login Widget Example</title>
</head>
<body><center>{$html}</center></body>
</html>
HTML;
?>
@MarvinMiles

We need a Web implementation. Why is it shitty PHP? Who uses PHP? Give us an example for JavaScript.

@HNazmul-IV https://gist.github.com/MarvinMiles/f041205d872b0d8547d054eafeafe2a5

@Dadamuhames

Is there an example for Django or DRF?

@alhomsidev

Why this error: "Data is NOT from Telegram"??

@Papapattbot

[Https://HahahaqqBot](t.me/HahahaqqBot)

@alexeydovolny

  $data_check_arr = [];
  foreach ($auth_data as $key => $value) {
    $data_check_arr[] = $key . '=' . $value;
  }
  sort($data_check_arr);
  $data_check_string = implode("\n", $data_check_arr);

Is equal to:

ksort($auth_data);
$data_check_string = urldecode(http_build_query($auth_data, "", "\n"));

I've been puzzling for 4 hours why the hashes don't converge. And it worked. Genius.

@AN3Orik

AN3Orik commented Jun 26, 2023

Whose genius idea was it to create a LOGIN widget with the session in an inaccessible cookie without a LOGOUT possibility? It's a bad joke.

@CrazyTapok-bit

We need a Web implementation. Why is it shitty PHP? Who uses PHP? Give us an example for JavaScript.

JavaScript? Don't joke like that. It will not fit at least because you will have to make your bot token available to everyone, and it will simply be stolen from you. Yes, you can make a separate JavaScript frontend, but you will always need a backend to verify and authorize the user. TgWebValid on PHP will make it easy, nice and simple. I recommend you try it

@Neykuratick

Neykuratick commented Aug 22, 2023

it works when the data is formatted like this:

request_data = {
  "id": XXXXXXXXX,
  "first_name": "John",
  "last_name": "Smith",
  "username": "john_smith",
  "photo_url": "https://t.me/i/userpic/320/XjskdfasdfHGCAShsfgasdf.jpg",
  "auth_date": 1571890000,
  "hash": "a0c34b50c96acbcbf358b34d30a0ad69c5a5ced90427f34729499938b1faf02e"
}

but doesn't work when it's formatted like this:

data = {
  "query_id": "AAAAAAAAAAA",
  "user": {
    "id": XXXXXXXXX,
    "first_name": "John",
    "last_name": "",
    "username": "john_smith",
    "language_code": "en",
    "is_premium": true,
    "allows_write_to_pm": true
  },
  "auth_date": "1692686970",
  "hash": "4317efd665c01a62973e1abd82aabe4128ca73ac67d0dba57d80656b8150dca5"
}

one of them must be data-onauth
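
The two payloads in the comment above have different shapes: the first is the flat Login Widget data that the gist checks, the second is Mini App `initData`, which Telegram signs with a different key, so the gist's check rejects it. The following is an added example in Python, not part of the gist or of Telegram's sample code, that verifies both; the function names, token and sample payloads are constructed for illustration, and the 24-hour window is the one the gist uses.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

MAX_AGE = 86400  # same 24-hour freshness window as the gist


def _hash(fields, key):
    # Sorted "key=value" lines joined by "\n"; the "hash" field itself is excluded.
    lines = sorted(f"{k}={v}" for k, v in fields.items() if k != "hash")
    return hmac.new(key, "\n".join(lines).encode(), hashlib.sha256).hexdigest()


def _verify(fields, key, now):
    given = str(fields.get("hash", "")).encode()
    if not hmac.compare_digest(_hash(fields, key).encode(), given):
        return False
    try:
        return (time.time() if now is None else now) - int(fields["auth_date"]) <= MAX_AGE
    except (KeyError, TypeError, ValueError):
        return False


def verify_login_widget(fields, bot_token, now=None):
    """Flat Login Widget fields, as in the gist: key = SHA256(bot_token)."""
    return _verify(fields, hashlib.sha256(bot_token.encode()).digest(), now)


def verify_mini_app(init_data, bot_token, now=None):
    """Raw Mini App initData string: key = HMAC-SHA256(key="WebAppData", msg=bot_token).
    Parsing the raw string keeps "user" as the exact JSON text that was signed."""
    key = hmac.new(b"WebAppData", bot_token.encode(), hashlib.sha256).digest()
    return _verify(dict(parse_qsl(init_data, keep_blank_values=True)), key, now)


# Constructed sample data, signed with a made-up token so the block runs offline.
TOKEN = "123456:CONSTRUCTED-EXAMPLE-TOKEN"
NOW = 1_700_000_000
WIDGET = {"id": "42", "first_name": "John", "auth_date": str(NOW - 60)}
WIDGET["hash"] = _hash(WIDGET, hashlib.sha256(TOKEN.encode()).digest())

_app = {"query_id": "AAAA", "user": '{"id":42,"first_name":"John"}',
        "auth_date": str(NOW - 60)}
_app["hash"] = _hash(_app, hmac.new(b"WebAppData", TOKEN.encode(), hashlib.sha256).digest())
INIT_DATA = urlencode(_app)

if __name__ == "__main__":
    print(verify_login_widget(WIDGET, TOKEN, NOW), verify_mini_app(INIT_DATA, TOKEN, NOW))
```

Re-serialising an already parsed `user` object changes the signed text, so `verify_mini_app` must receive the string exactly as the client sent it.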

@BAIZID-171

Jk

@acebergiceberg

How can I get code just by email cause my sim is deactivated

@acebergiceberg

Can I receive code just by this email- [email protected] cause my number 09772813957 is deactivated due to unregistered sim

@datoharry

Nice

@070876

070876 commented Sep 30, 2023

How much would one like this cost (a papa bot)?

@Shahriyor-m14

How much would one like this cost (a papa bot)?

A tenner

@mpotrich

Has someone implemented this in Java?

@soni1541

Because the fields "id", "first_name", "last_name", "username", "photo_url" and "auth_date" are required (!!!) to build a hash check
I understand :)
Telegrams do not always send all fields

I have the same problem. How did you manage to solve the hash mismatch issue?

@CrazyTapok-bit

I have the same problem. How did you manage to solve the hash mismatch issue?

If you write code in PHP, I advise you to use the library tgWebValid to verify the user. It is light, simple and will do everything for you

@culda

culda commented Nov 25, 2023

bot token is not necessary. Bot name is enough. see https://github.dev/manzoorwanijk/telegram-auth for a simple TS implementation. It's in React but you can just copy the files and use in any framework

To verify the hash only the bot token's hash is needed, which can be public

@Jaroslove

Does anybody know how I can LOGOUT (or terminate session) in my browser tab via js?

@inilim

inilim commented Jan 4, 2024

If anything, the "id" value can be used as a "chat_id" to send a message via a bot

@ledboot

ledboot commented Jan 10, 2024

I got an error: Bot domain invalid

@CrazyTapok-bit

I got an error: Bot domain invalid

Check if you are using https
