Telegram bot user authentication
-
I'm using FusionAuth to register users on my website using their google/apple/FB id. Now I want to communicate with them via a telegram bot. So I send them a link to my bot, but now I need to associate a new telegram chatID (created when they initiate contact with my bot) with their identity in FusionAuth.
My idea was to respond to a request from an unauthenticated bot user with a URL pointing to FusionAuth microservice - same as on the web:
they send:
/start
bot responds with
Please authenticate using this link; you will be redirected back when done: https://auth.xxx.yyy/oauth2/authorize?client_id=aaa&response_type=code&redirect_uri=https%3A%2F%2Fxxx.yyy%2Fauth-redirect
I'm stuck with trying to pass the chatID (or any other parameter) to /oauth2/authorize.
Or am I looking in the wrong place, and there's a better/more elegant way of doing it?
-
Should've RTFM first. The 'state' parameter is what I was looking for.
-
Glad you found a solution.
Note that the state parameter is typically a random string which should be checked after the auth code is returned to protect against CSRF attacks. See https://github.com/FusionAuth/fusionauth-example-node/blob/master/routes/index.js for a code example.
That said, you can leverage state for both, just add in a separator. FusionAuth doesn't process the state parameter in any way, whatever value you send is just echoed back. So you could pass chatid:abc::state:1234asdf and just decode it yourself.
Another thing: you may want to store the chatid in the user.data or registration.data objects, which allow for storing arbitrary data in FusionAuth (as long as it can be represented in JSON). Then you could build your own protected endpoint (you could protect it by examining the JWT that FusionAuth generates on login and ensuring it was the same user) which would take a userid and look up the chat id from their user.data attribute.
-
@dan thank you so much for pointing out "user.data". I'll incorporate it into my design.
Speaking of user.data - I tried using PATCH, and it works; however, when one of the fields is an array, data is constantly added to it.
{
  "user": {
    "data": {
      "telegram_chat_id": 10101010101,
      "cameras": [
        { "mac": "AA-3F-A1-00-00-00", "name": "neocam1" },
        { "mac": "FF-3F-A1-00-00-00", "name": "neocam2" }
      ],
      "disarmed": 0
    }
  }
}
so after the first PATCH I've got 2 cameras, after the second PATCH I've got 4, etc.
Is this by design?
As to 'state' - I'm thinking about passing an encrypted string and decrypt it when it's back.
-
so after the first PATCH I've got 2 cameras, after the second PATCH I've got 4, etc.
This is a known issue, unfortunately. See https://github.com/FusionAuth/fusionauth-issues/issues/441 for more details, including a workaround. (Please also upvote the issue or chime in if you have perspective to share, community feedback is a key part of our roadmap.)
As to 'state' - I'm thinking about passing an encrypted string and decrypt it when it's back.
What is the client that is going to be checking that state value?
-
@dan said in Telegram bot user authentication:
What is the client that is going to be checking that state value?
I'm doing all my quick-and-dirty MVP stuff in node-red - however, finding a working encryption node suddenly proves to be a problem.
-
Awesome. Just wanted to make sure you weren't expecting to be able to encrypt anything in the browser and keep it secret.
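An added example, not code from this thread or from FusionAuth: one server-side way to carry the chat ID in state as an encrypted string, as discussed above, using AES-256-GCM from Node's built-in crypto module so the value can be neither read nor altered in transit, plus a single-use random value that is checked when the state comes back. The names sealState, openState, KEY and pending, the in-memory Map and the 10-minute lifetime are assumptions for illustration.

```javascript
// Added example: seal the Telegram chat ID and a one-time nonce into `state`.
const crypto = require('crypto');

const KEY = crypto.randomBytes(32);   // assumption: in production, load a persistent 32-byte secret
const MAX_AGE_MS = 10 * 60 * 1000;    // assumption: auth links expire after 10 minutes
const pending = new Map();            // assumption: chatId -> nonce awaiting callback, kept in memory

// Called by the bot on /start: returns the value to put in ?state=
function sealState(chatId, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  pending.set(String(chatId), nonce);
  const iv = crypto.randomBytes(12);  // fresh IV for every message, never reused with KEY
  const cipher = crypto.createCipheriv('aes-256-gcm', KEY, iv);
  const plaintext = JSON.stringify({ chatId: String(chatId), nonce, iat: now });
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  // Layout: 12-byte IV | 16-byte auth tag | ciphertext, base64url so it is URL-safe
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64url');
}

// Called by the redirect_uri handler: returns the chatId, or null if the state
// is malformed, tampered with, expired, or has already been used.
function openState(state, now = Date.now()) {
  try {
    const raw = Buffer.from(String(state), 'base64url');
    if (raw.length < 29) return null;
    const decipher = crypto.createDecipheriv('aes-256-gcm', KEY, raw.subarray(0, 12));
    decipher.setAuthTag(raw.subarray(12, 28));
    const pt = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    const { chatId, nonce, iat } = JSON.parse(pt.toString('utf8'));
    if (now - iat > MAX_AGE_MS) return null;
    const expected = pending.get(chatId);
    if (!expected || expected.length !== nonce.length) return null;
    if (!crypto.timingSafeEqual(Buffer.from(expected), Buffer.from(nonce))) return null;
    pending.delete(chatId);           // single use: a replayed state is rejected
    return chatId;
  } catch {
    return null;                      // GCM tag mismatch or malformed payload
  }
}
```

The key has to stay on the server that builds the link and handles the redirect; the chat ID returned by openState is what would then be written to user.data for the authenticated user.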