smskin / laravel-tgwebapp-auth
Authentication guard for Telegram web app user integration
1.0.3
2024-11-13 09:55 UTC
Requires
- php: ^8.1
- laravel/framework: ^10 || ^11
Requires (Dev)
- friendsofphp/php-cs-fixer: ^3.62
- mockery/mockery: ^1.6
- orchestra/testbench: ^8 || ^9
- phpunit/phpunit: ^10.5
- vimeo/psalm: ^5.25
README
Use Case: When developing an API for a Telegram WebApp, it is necessary to verify that the user who sent the request to the API is indeed the one they claim to be (i.e., the request actually came from the Telegram WebApp).
How It Works
- The Telegram WebApp JS script retrieves the WebAppUser object from the API and sends it in every request to the API in the request header (the header name is configurable).
- The Guard receives the request and extracts the WebAppUser object from it.
- The Guard verifies the data signature using the BOT_TOKEN.
- The Guard looks for the user in the database:
- If the user is found, they are authenticated.
- If the user is not found:
- If automatic user creation is allowed, the user will be created and authenticated.
- If automatic user creation is disabled, a 403 error is returned.
Configuration
In the config/auth.php
file, the tgwebapp
guard must be registered.
Example of the file content after registering the guard:
...
'guards' => [
'web' => [
'driver' => 'session',
'provider' => 'users',
],
'tgwebapp' => [
'driver' => 'tgwebapp', // the name of the guard
'token' => env('TELEGRAM_BOT_TOKEN'), // bot token
'autoCreation' => true, // flag allowing automatic user creation
'userDataHeaderName' => 'X-TELEGRAM-USER-DATA', // header name from which the guard retrieves the WebAppUser object
'userModel' => \App\Models\User::class, // user model class
]
],
...
Usage
Include the guard in the routing file routes/web.php
.
...
Route::middleware('auth:tgwebapp')->group(function(){
Route::get('/me', function(){
return 'Hello!';
});
});
...
A GET request to /me will go through authentication via the Telegram WebApp guard.